software assurance: an overview of current industry best practices

Randy BeaversCS 585 – Computer

Security February 19, 2009

Software underpins information infrastructure.

Organizations widely and increasingly use COTS software.

Cyber attacks are becoming more stealthy and sophisticated, creating a complex environment.

Software Assurance:An Overview of Current Industry Best Practices

Vendors have undertaken significant efforts to improve and protect software integrity.

Software Assurance critical to public safety and economic and national security.

Shows how SAFECode members approach software assurance, and how to use best practices for software development.


Software Assurance Forum for Excellence in Code. A non-profit organization exclusively dedicate to

increasing trust in information and communications technology products and services through the advancement of proven software assurance methods.


EMC Corporation Juniper Networks, Inc. Microsoft Corporation SAP AG Symantec Corporation Website: www.safecode.org

Founded by:


The Challenge of Software Assurance and Security

Software Assurance encompasses the development and implementation of methods and processes for ensuring that software functions as intended while mitigating the risks of vulnerabilities, malicious code or defects that could bring harm to the end user.


Vital to ensuring the security of critical information.

Information and communications technology vendors have responsibility to address assurance in every stage of application development.

Integrators, operators, and end users share responsibility for ensuring security of critical information systems.

Software Assurance:


Software assurance risks faced by users today can be categorized in three areas:

1. Accidental design or implementation errors.

2. The changing technological environment.

3. Malicious insiders.


Inadvertently create faulty software design or implementation highlights risk area for:

◦ Hackers◦ Viruses◦ Worms◦ Other malicious attacks


Developers address risks through:

oTraining.oUse of secure development practices and tools.

Rapid change and innovation are characteristics of the IT industry.

Criminals can and do innovate also. They have created a complex and lucrative criminal economy.

The process is one of on-going improvement as new threats are created, and new countermeasures developed and implemented.


Growing concern that global software development processes could be exploited by a rogue programmer or organized group of programmers.

There are proven best practices that companies use to manage their unique development infrastructure and business models.


Vendors have responsibility and business incentive to ensure product assurance and security.

Customers demand software be secure and reliable.

Vendors must protect brand names and company reputations.


Software development varies by vendor and unique products, organizational structure, and customer requirements.

No single method that yields software assurance and security.

Regardless, there is a core of best practices for software assurance and security.


Across SAFECode’s membership, security bestpractices and controls are well established:


Security Training Security DocumentationDefining Security Requirements

Security Readiness

Secure Design Security ResponseSecure Coding Integrity VerificationSecure Source Code Handling Security ResearchSecurity Testing Security Evangelism

INTEGRATORS. Work in partnership with vendors to mitigate

vulnerabilities. OPERATORS.

Must deploy standard layered defense security measures.

END USERS. Responsible software use a requirement for software

assurance and security.


www.safecode.org

software assurance: an overview of current industry best practices

Documents

software assurance critical

software integrity

cots software

software functions

securitysoftware assurance

product assurance

faulty software design

information infrastructure