Third-party code attestation is a process in which a third party tests a vendor's code for resilience against one or more security standards. Such tests are performed by an independent resource, which is expected to be neutral about the results (in contrast to having the vendor perform these tests itself).
The practice of third-party code attestation is a portion of what is sometimes referred to as trustworthy computing.[1]
Third-Party Code Testing Policy
Cisco customers who wish to perform third-party attestation of Cisco code may do so under the following conditions:
Cisco welcomes reports from independent researchers, industry organizations, vendors, customers, and other sources concerned with product or network security. Should any issues be identified in the course of third-party attestation, the Cisco Security Vulnerability Policy applies and provides guidance on how to contact Cisco for issue resolution.
Cisco Secure Development Lifecycle
As an industry leader, Cisco is expected to deliver secure and resilient products that can withstand attack. Our customers not only look to us to ensure their networks are safe and secure, but they also expect product security to be seamlessly integrated into all of our products. To achieve this, we've integrated security best practices into our product architecture, design, and development processes so that product security becomes part of our DNA and corporate culture. This process is referred to as the Cisco Secure Development Lifecycle (CSDL). Further information on the CSDL program can be found on Cisco.com.
[1] The term trustworthy computing is used to assign several principles to a system. When used with initial capital letters, Trustworthy Computing refers to an initiative that is similar but unique to Microsoft Corporation. In addition, Cisco uses the term trustworthy systems to describe an infrastructure that enables public and private organizations around the world to deliver goods and services over computer networks with maximum possible confidence. For further information, refer to Key Considerations in Building and Operating Trustworthy Systems: The Role of the Trustworthy Vendor.
This document is part of Cisco Security Intelligence Operations.
This document is provided on an "as is" basis and does not imply any kind of guarantee or warranty, including the warranties of merchantability or fitness for a particular use. Your use of the information on the document or materials linked from the document is at your own risk. Cisco reserves the right to change or update this document at any time.