Software Assurance
   HOME

TheInfoList



Click Here for Items Related To - Software Assurance
OR:
Software Assurance on:   [Wikipedia]   [Google]   [Amazon]

Software assurance (SwA) is defined as "the level of confidence that software is free from vulnerabilities, either intentionally designed into the software or accidentally inserted at any time during its lifecycle, and that the software functions in the intended manner." The main objective of software assurance is to ensure that the processes, procedures, and products used to produce and sustain the software conform to all requirements and standards specified to govern those processes, procedures, and products.Karen Mercedes, Theodore Winogra
"Enhancing The Development Life Cycle To Produce Secure Software"
, ''Data & Analysis Center for Software'', October 2008 A secondary objective of software assurance is to ensure that the software-intensive systems we produce are more secure. For such software-intensive systems, a preventive dynamic and static analysis of the potential vulnerabilities is required, and holistic, system-level understanding is recommended. As stated by Gary McGraw, "Design flaws account for 50% of security problems. One can't find design defects by staring at code. A higher-level understanding is required. That's why architectural risk analysis plays an essential role in any solid software security program."


Alternate definitions


United States Department of Homeland Security (DHS)

According to the
DHS The United States Department of Homeland Security (DHS) is the U.S. federal executive department responsible for public security, roughly comparable to the interior or home ministries of other countries. Its stated missions involve anti-ter ...
, software assurance addresses: * Trustworthiness - no exploitable vulnerabilities exist, either maliciously or unintentionally inserted; * Predictable Execution - justifiable confidence that software, when executed, functions as intended; * Conformance - planned and systematic set of multi-disciplinary activities that ensure software processes and products conform to requirements, standards/ procedures. Contributing SwA disciplines, articulated in bodies of knowledge and core competencies: software engineering, systems engineering, information systems security engineering, information assurance, test and evaluation, safety, security, project management, and software acquisition. Software assurance is a strategic initiative of the US Department of Homeland Security (DHS) to promote integrity, security, and reliability in software. The SwA Program is based upon the National Strategy to Secure Cyberspace - Action/Recommendation 2-14: “DHS will facilitate a national public-private effort to promulgate best practices and methodologies that promote integrity, security, and reliability in software code development, including processes and procedures that diminish the possibilities of erroneous code, malicious code, or trap doors that could be introduced during development.” There are open-source software tools for software assurance that help identify potential security vulnerabilities.


United States Department of Defense (DoD)

For the DoD, SwA is defined as "the level of confidence that software functions only as intended and is free of vulnerabilities, either intentionally or unintentionally designed or inserted as part of the software, throughout the life cycle. DoD is developing SwA as a sound systems engineering practice as demonstrated by two recent publications funded by JFAC with development led by the Software Engineering Institute (SEI) and expert practitioners within the Military Services and NSA. The Program Manager's SwA Guidebook shows how SwA should be planned, resourced, and managed while the Developer's SwA Guidebook recommends tailorable technical practices throughout the life cycle. Both of these documents are the first of their kind, and awarded. The two enterprise-scale organizations in DoD building SwA capability are the Joint Federated Assurance Center (JFAC) and the DoD SwA Community of practice which has operated as a quarterly collegial forum 32 consecutive gatherings. Both are open to other parts of the US Government. The JFAC Charter is available at its website. To develop wider situational awareness of the families of SwA tools commercially available, JFAC funded the Institute for Defense Analysis (IDA) to produce the State of the Art Resource (SOAR). A recent innovation in "engineering-in" SwA throughout the life cycle is coupling selected NIST 800-53 controls to engineering tasks so that the engineering results define the Risk Management Framework (RMF) and drive the Authority to Operate (ATO). A package including Data Item Descriptions (DIDs), machine-readable vulnerability report formats, and a brief overviewing application of the techniques is available at the JFAC website. Other disruptive innovations are in process.


Software Assurance Metrics and Tool Evaluation (SAMATE) project

According to the
NIST The National Institute of Standards and Technology (NIST) is an agency of the United States Department of Commerce whose mission is to promote American innovation and industrial competitiveness. NIST's activities are organized into physical sci ...
SAMATE project, software assurance is "the planned and systematic set of activities that ensures that software processes and products conform to requirements, standards, and procedures to help achieve: * Trustworthiness - No exploitable vulnerabilities exist, either of malicious or unintentional origin, and * Predictable Execution - Justifiable confidence that software, when executed, functions as intended."


National Aeronautics and Space Administration (NASA)

According to
NASA The National Aeronautics and Space Administration (NASA ) is an independent agency of the US federal government responsible for the civil space program, aeronautics research, and space research. NASA was established in 1958, succeedin ...
, software assurance is a "planned and systematic set of activities that ensures that software processes and products conform to requirements, standards, and procedures. It includes the disciplines of quality assurance, quality engineering, verification and validation, nonconformance reporting and corrective action, safety assurance, and security assurance and their application during a software life cycle." The NASA Software Assurance Standard also states: "The application of these disciplines during a software development life cycle is called software assurance."


Object Management Group (OMG)

According to the OMG, software assurance is “justifiable trustworthiness in meeting established business and security objectives.” OMG's SwA Special Interest Group (SIG), works with Platform and Domain Task Forces and other software industry entities and groups external to the OMG, to coordinate the establishment of a common framework for analysis and exchange of information related to software trustworthiness by facilitating the development of a specification for a Software Assurance Framework that will: * Establish a common framework of software properties that can be used to represent any/all classes of software so software suppliers and acquirers can represent their claims and arguments(respectively), along with the corresponding evidence, employing automated tools (to address scale) * Verify that products have sufficiently satisfied these characteristics in advance of product acquisition, so that system engineers/integrators can use these products to build (compose) larger assured systems with them * Enable industry to improve visibility into the current status of software assurance during development of its software * Enable industry to develop automated tools that support the common framework.


Software Assurance Forum for Excellence in Code (SAFECode)

According to SAFECode, software assurance is “confidence that software, hardware and services are free from intentional and unintentional vulnerabilities and that the software functions as intended.”


Initiatives

A US federally funded initiative was called Software Assurance, which was jointly funded by DHS, DOD and NIST, and ran the Build Security In (BSI) website.


Why does software assurance matter?

Many business activities and critical functions—from national defense to banking to healthcare to telecommunications to aviation to control of hazardous materials—depend on the correct, predictable operation of software. These activities could be seriously disrupted were the software-intensive systems that they rely on to fail.


See also

*
Software quality assurance Software quality assurance (SQA) is a means and practice of monitoring all software engineering processes, methods, and work products to ensure compliance against defined standards. It may include ensuring conformance to standards or models, suc ...


References

{{Reflist


External links


DHS "Build Security In" information resource



NIST Software Assurance Metrics and Tool Evaluation (SAMATE) project

Object Management Group SwA SIG

Software Assurance Forum for Excellence in Code (SAFECode)


(see quality assurance in IEEE 610.12 IEEE Standard Glossary of Software Engineering Terminology).
Software Security Assurance State of the Art Report (SOAR)
Quality assurance Software quality