Lambdacurry

DDA allotment software - scam and audit


The housing allotment scheme of the Delhi Development Authority has been under investigation for some time because of the possibility that the allotment software was tampered with. Today's news mentions that the software has been audited by the Centre for Development of Advanced Computing (C-DAC) and has been given a clean chit.

Looking at C-DAC's security research report card does not exactly inspire confidence in its vulnerability research capability. First of all, all of its existing security efforts are focussed on network security rather than application security, and application security is what the DDA software is all about.

Secondly, what security audit standards were followed? The layman might see the C-DAC name and have confidence in it, but there are rigorous security and audit standards that are the norm in most countries of the world.

Take for example the ITRM SEC502 standard of the U.S., which defines the flow of roles and responsibilities in a security audit. ITRM SEC512 defines the paperwork needed to audit the trail of whatever security measures and threat assessments have been made.

Companies like Coverity, which have a proven track record in application security audit (and have audited millions of lines of code for free as well), are commissioned by governments to audit their software. Note that this is not the same as a network security audit.

Moreover, a housing allotment software most probably works through a PRNG (Pseudo Random Number Generator), which is strongly dependent on the operating system (Windows XP, Vista, etc.) and the underlying hardware. There are several ways in which a PRNG may be attacked, and not all of them need to be in the allotment software itself: a different piece of software can affect the working of the computer's PRNG.
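An auditor's answer to this dependency is to make the draw reproducible rather than trusting whatever random source the machine happened to use. The following is an added example, not code from the post, from the DDA or from C-DAC, and the applicant and flat names are constructed. It commits to a seed before the draw (publishing its SHA-256 hash), derives every shuffle step from that seed and the published applicant list with HMAC-SHA256, and lets anyone re-run the draw after the seed is revealed. The operating system's random source is used only to pick the seed, and a different seed or a tampered applicant list produces a different result that the verification step rejects.

```python
import hashlib
import hmac
import secrets
from typing import Dict, List, Optional

# Added example (not from the post): an auditable allotment draw.
# The seed is committed to (its SHA-256 hash is published) before the draw and
# revealed afterwards, so any third party can re-run the shuffle and confirm
# the published allotment. Nothing in the shuffle depends on the OS PRNG state.


class AuditableDraw:
    """Deterministic Fisher-Yates shuffle keyed on a seed and the applicant list."""

    def __init__(self, seed: bytes, applicants: List[str]):
        # Bind the stream to the exact applicant list as published, so that
        # adding, removing or renaming an applicant after the commitment
        # changes the whole draw rather than just one position.
        manifest = hashlib.sha256("\n".join(applicants).encode("utf-8")).digest()
        self.key = hmac.new(seed, manifest, hashlib.sha256).digest()
        self.counter = 0
        self.applicants = list(applicants)

    def _rand_below(self, n: int) -> int:
        """Unbiased integer in [0, n) from HMAC-SHA256(key, counter), rejection-sampled."""
        bound = (1 << 256) - ((1 << 256) % n)   # largest multiple of n that fits in 256 bits
        while True:
            block = hmac.new(self.key, self.counter.to_bytes(8, "big"), hashlib.sha256).digest()
            self.counter += 1
            x = int.from_bytes(block, "big")
            if x < bound:                       # reject values that would bias x % n
                return x % n

    def shuffled(self) -> List[str]:
        order = list(self.applicants)
        for i in range(len(order) - 1, 0, -1):
            j = self._rand_below(i + 1)
            order[i], order[j] = order[j], order[i]
        return order


def commit(seed: bytes) -> str:
    """Hash to publish before the draw; the seed itself is published after it."""
    return hashlib.sha256(seed).hexdigest()


def run_draw(applicants: List[str], flats: List[str], seed: Optional[bytes] = None) -> dict:
    """Run a draw and return everything an auditor needs to reproduce it."""
    if seed is None:
        seed = secrets.token_bytes(32)          # OS CSPRNG is used only to pick the seed
    order = AuditableDraw(seed, applicants).shuffled()
    allotment: Dict[str, str] = dict(zip(order, flats))  # first len(flats) in the order get a flat
    return {"commitment": commit(seed), "seed": seed.hex(), "allotment": allotment}


def verify_draw(seed_hex: str, commitment: str, applicants: List[str],
                flats: List[str], allotment: Dict[str, str]) -> bool:
    """Independent re-computation: True only if the published result is exactly reproduced."""
    seed = bytes.fromhex(seed_hex)
    if not hmac.compare_digest(commit(seed), commitment):
        return False                            # revealed seed does not match the commitment
    return run_draw(applicants, flats, seed)["allotment"] == allotment


if __name__ == "__main__":
    # Constructed sample data, not real DDA applicants or flats.
    applicants = ["APP-%03d" % i for i in range(1, 11)]
    flats = ["Flat-A1", "Flat-A2", "Flat-A3"]
    result = run_draw(applicants, flats)
    print("commitment:", result["commitment"])
    print("allotment :", result["allotment"])
    print("verified  :", verify_draw(result["seed"], result["commitment"],
                                     applicants, flats, result["allotment"]))
```

The published artefacts for an audit are the commitment (before the draw), the applicant list, the flat list, and the seed (after the draw); with those four items `verify_draw` reproduces the allotment without any access to the machine that ran it, which is the kind of detail an audit report would have to disclose for its clean chit to mean anything.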

Until the details of what was audited are revealed, this charade is going to go on.



Published

October 27, 2009

Find me on Twitter @sandeepssrin

Did I make any mistake? Please consider sending a pull request.