CSSLP Tutorial: Module 06,Part 02 – Verification, Validation, Certification and Accreditation




This last section for module 6 of our CSSLP Tutorial is about making sure we understand a few certain terms associated with the principles of product acceptance. This is especially as associated with product acceptance by the customer as they go through their secure software testing as well as the pre-release procedures.  The first two terms we are going to discuss are verification and validation. The last two terms we will discuss are certification and accreditation.  So, verification and validation deals with the more technical aspects.

The technical design of the problem is what verification is dealing with.  We want to know does the software meet the developer’s description and does it meet the requirements.  The functionality of it in that, does it do what it is supposed to do?  Most of what we’ve developed is for the purpose of solving problems.  So, one of the other questions we can ask is associated with whether or not the product solves the problem we have.  Sometimes, there can be variances between what the customer says they want and what they actually want. So, this is where having good requirements is essential to making sure to verify whether your product is satisfying the customer’s requirements or not.   Usually validation follows verification.  Every so often, however, you may have a product that has its verification but not get validated.  In an ideal world, the validation process would follow verification. 

Additional to the verification process, we also need to make sure that our security mechanisms are following the confidentiality, integrity, and availability of the CIA triad.  There are of course, other security elements we have to check for as well like authenticity, authorization, auditing, and others such as proper exception handling and configuration management.  This is part of what would be in place for handling validation.

After verification and validation, there is certification and accreditation. Certification is an evaluation of the security features of a product in a given environment.   We are looking to see if there enough protection for the particular environment.   So, an additional test or evaluation is to check for the protection even if the product is then presented in different environments.  Are the requirements satisfied through this series of evaluation criteria.  And if so, then the next step is to go through accreditation.  The accreditation process is where the management  approves and accepts the software or system that the developing team has created.

The process where management approves the software or system that has been formed is accreditation.  Once our product has gone through the whole process, then implementation is where it gets rolled out.  So, the product has been certified and then the management accepts the risks during the accreditation phase.  After that happens, then the product is in its post-acceptance stage.   This is where we sort of starting to back off from the project and if the customer wants any other changes, then we’ll have to start a whole other separate project.  The only other change is if somehow the product doesn’t meet the requirements. But, if the customer says that they assumed we were providing the training or manuals, but it wasn’t in the original requirements, then it would be a whole other separate project.  Pretty much during and then thereafter the post-acceptance phase, is where there are patches or updates according to warranty, but there are no other major changes occurring.

So, this last section of module six dealt with a few definitions of terms we needed to discuss.  The four main terms discussed in this last part of this section in order was: verification, validation, certification and accreditation