Specify Best Practices

On the General Criteria page

It says “Security: Tools should follow security best-practices wherever applicable.”

But what are the best practices? To me, best practice would be signing and sandboxing the app, generally using whatever security features the operating system offers. But for example FreeTube doesn’t sign their macOS version. The desktop Signal client isn’t sandboxed as well as probably most desktop software. I think maybe we should define what specific security practices we’re looking for here.


In my mind, best practices are what evolves from a correct and competent corporation and AFAIK it doesn't really get published? It's more passed along and endorsed to newer team members?

CISA has some white papers that you can peruse. I would comment that some security experts find some of their recommendations to be not with the modern times (like biannual password rotation instead of 2FA).

I am thinking maybe IEEE should also have some of the documents that you want but it is behind a paywall.

There should be similar agencies in the EU I guess?