For years, the software engineering community has used certification as a means of ensuring that large critical systems (usually government-related) are accurate, correct, and ready for operational use. Certification was used primarily to validate code that was developed locally. It was assumed that commercial off-the-shelf software was not a threat to the system. As applications grew in size and complexity, pressure increased to reduce their time to market, and as the number of individuals involved in commercial software development increased, the number of errors and incidents of malicious code also increased.