License 6: Code Auditor's Professional License

Traditional source and executable code that is not intended to be part of an InDoor facility still calls for something better than an audit signed by a department of a corporation. Accountable, professionally licensed code auditors offer the assurance that if a vulnerability is discovered in a piece of signed code, the licensed code auditor who signed it will be subject to the same kind of sanctions that the architect, contractor or building inspector of a building with undocumented hidden passageways would suffer. Specifically, it would probably mean the loss of the professional license and, with it, the associated livelihood and reputation.

The security of our bounded online spaces depends upon the integrity of the code that operates on every appliance that touches those spaces. That integrity can only be established through a process called “code audit,” which consists of the laborious review of every line of code in a piece of software by someone trusted both to understand how it works and to report any concerns about anomalies such as suspected back doors.

In the world of precompiled, packaged software, the authors of one part of the source code are often prohibited from seeing other parts of it in order to preserve secrets. This makes code audit difficult.

Code audit is currently an integral part of the deployment of applications in the financial and military communities, among others.

The use of code audit has been pioneered by the OpenBSD Project, the result being that OpenBSD is probably the most secure general-purpose operating system in the world. OpenBSD’s code audit depends upon the collegial spirit that is the essence of web-of-trust systems. People trust each other because they have learned to trust each other in a tight-knit online community.

Collegial authority works well in such settings, but it breaks down when software from diverse sources is called upon to protect valuable assets in the wider world. For that reason, under duly constituted public authority, whether or not a code audit committee or peer group is involved, one professionally licensed individual takes responsibility for the audit results and must digitally sign the audit.