Software Management

Software Assurance


Software Assurance (SwA) is the justified confidence that the software functions as intended and is free of exploitable vulnerabilities, either intentionally or unintentionally designed or inserted as part of the system at any time during the lifecycle. The main objective of software assurance is to ensure that the processes, procedures, and products used to produce and sustain the software conform to all requirements and standards specified to govern those processes, procedures, and products. A secondary objective of software assurance is to ensure that the software-intensive systems we produce are more secure.

See DoD Software Assurance Initiative

SwA measures of confidence are achieved by SwA activities. These are a planned, systematic set of multi-disciplinary activities used to achieve acceptable measures of SwA and manage the risk of exploitable vulnerabilities. These activities, which should be tailored based on the criticality of the software Critical Program Information (CPI) and Critical Technology (CT), include: [1,2]

  • Ensuring SwA-related system architecture, design, and development activities required of the developer are addressed in the acquisition documents (Statement of Work (SOW), specifications, test plans), including:
    • Evaluating software developer contractor team SwA risks.
    • Ensuring personnel security clearance.
    • Securing the development environment.
    • Evaluating the contractor team's software development out-sourcing policy.
    • Identifying system critical COTS software source code pedigree and risk.
    • Providing repeatable trusted development activities encompassing the complete lifecycle of the system.
    • Incorporating software vulnerability analysis tools and training.
    • Ensuring that code changes are assessed to determine the impact on the overall system security posture.
  • Ensuring the system has obtained Information Assurance (IA) approval, including:
    • Reviewing program security policy and Concept of Operations (CONOPS) for specific IA requirements.
    • Performing the IA threat and vulnerability assessment.
    • Identifying appropriate IA requirements and integrating them into the System Requirements Document (SRD).
    • Developing test procedures and test plans.
    • Performing the IA risk assessment and mitigation plan.
  • Identifying COTS software components and determining IA risks before and after integration, including:
    • Ensuring COTS software supplier assurance.
    • Ensuring IA or IA-enabled Software Commercial off-the-Shelf (COTS) (security guards, operating system, firewalls) comply with National Security Telecommunications and Information Systems Security Policy (NSTISSP) No. 11, July 03.
    • Ensuring all embedded crypto-systems are National Security Agency/National Information Assurance Partnership (NSA/NIAP) validated.
  • Recommending a SWA risk mitigation approach and/or reaching

Software assurance matters because so many business activities and critical functions, from national defense to banking to healthcare to telecommunications to aviation to control of hazardous materials, depend on the correct, predictable operation of software. It is safe to say that in today's world, these and myriad other activities and functions would become hopelessly crippled, if not completely impossible, were the software-intensive systems that they rely on to fail. [2]

AcqLinks and References:
