Building Software Security Assurance into Systems: Recent Advances
31 May 2013 touch-ups

[Proposed timeline …
> Intermediate-term (~end of 2013): Produce “bound” report, suitable for printing and posting online
> Shorter-term: Generate “standalone” topical reports on specific areas such as metrics
> Long-term: Maintain an updated linked site that serves as a “State-of-the-Practice Service”]

Much has happened since the 2007 publication of the state-of-the-art report Software Security Assurance. On the one hand, there is now greater awareness and a wider range of resources in response to many of the crucial concerns described there. Yet the diversity and sophistication of threats have grown perhaps even faster. Our society’s increased expectations of, and dependence on, technology have made the issue more pressing. Finally, many organizational changes have both reconfigured and multiplied the participants in the security arena.

This report aims to capture recent trends in the broad themes of software security assurance, defined as the application of technologies and processes to achieve a required level of confidence that software systems and services function in the intended manner, are free from accidental or intentional vulnerabilities, provide security capabilities appropriate to the threat environment, and recover from intrusions and failures. That definition encompasses system operation (“function in intended manner”), structure (“free from … vulnerabilities”), function (“provide capabilities”), and strength (“recover from intrusions and failures”). NIST Special Publication 800-53 Revision 4, citing CNSSI 4009, defines assurance as the “measure of confidence that the security features, practices, procedures, and architecture of an information system accurately mediates and enforces the security policy.”

This report identifies processes, methods, techniques, activities, and tools for assurance using a systems engineering approach, as defined in ISO/IEC 15288 [1].
It focuses on the software elements of the system and specifically addresses the provision and assurance of security properties throughout the life cycle. That is, the report describes both (a) how to build into the software those attributes that support the system in achieving its security requirements and (b) how to assess, at an adequate level of confidence, that those requirements will be met in system operation.

The Software Assurance “universe” [2] is the intersection of many recognized disciplines, which will be recognized and referenced in this report. Throughout, tools will be identified that enhance the practicality of the processes and techniques described. Security metrics will also be discussed wherever possible, to support data-driven decision making.

Cross-references are provided to key framework efforts such as the Software Assurance Professional Competency Model [3], which identifies ten specialty areas, or competencies, that are mapped to the topics addressed. (See sample on last page.) Selected specialty areas within the National Cybersecurity Workforce Framework [4] provide additional cross-references. The value of this framework is its basis in a wide range of previous efforts to define a body of knowledge for the discipline, including:
> Department of Defense Cybersecurity Workforce Framework
> Intelligence Community Cyber Subdirectory
> Office of Personnel Management Cybersecurity Model
> National Security Agency Computer Network Operations Training Roadmaps
> Department of Defense Information Assurance Workforce Improvement Program
> Department of Homeland Security Information Technology Security Essential Body of Knowledge

An inventory of professional and technical certifications [5] was also examined for further topics of concern, as were the draft Cybersecurity Capability Maturity Model from the National Initiative for Cybersecurity Education [6] and a number of other references as shown.
The primary audience for this document includes:
> Software practitioners involved in the conception, implementation, and assessment of software, especially software used in DoD and other US Federal Government agencies, or in the improvement of the processes by which such software is conceived, implemented, and assessed.
> Managers and Executives in Software Development Organizations and Software User Organizations: this document should help them recognize and understand the software security issues that they will need to address, and subsequently develop and implement effective plans and allocate adequate resources for dealing with those issues.

To support these primary audiences, each section will begin with a high-level Summary and conclude with specific Action Items. More technical content will be discussed, and additional external references provided, within the body of the text for each section.

Readers in the following roles are the intended secondary audiences for this document:
> Systems Engineers and Integrators
> Acquisition Personnel
> Information Assurance Practitioners
> Cyber Security and Network Security Practitioners
> Researchers in academia, industry, and government

Topical Sections
  Introduction and Motivation
  Systems Engineering
  Software Development Life Cycle
    Phase-Dependent Activities
      Requirements
      Design
      Implementation
      Testing
      Acceptance
      Operation and Maintenance
      Supply Chain … Acquisition (placed earlier?) [Taz]
    Phase-Independent Activities
      Verification and Validation
      Configuration Management
      Risk Management
  Standards, Guidelines, and Policies
  Organizations and Initiatives
  Education and Training Resources
  Research and Development
  References

References
[1] ISO/IEC 15288:2008, Systems and software engineering — System life cycle processes
[2] https://buildsecurityin.us-cert.gov/swa/procwg.html
[3] https://buildsecurityin.us-cert.gov/swa/downloads/Competency%20Model_Software%20Assurance%20Professional_%2010_05_2012%20final.pdf
[4] http://csrc.nist.gov/nice/framework/
[5] http://niccs.us-cert.gov/sites/default/files/documents/files/Cybersecurity_Certification_inventory_083112.pdf
[6] http://niccs.us-cert.gov/sites/default/files/documents/files/NICE_Capability_Maturity_Model_white_paper_082212_DRAFT_NICE_branded.pdf

[partial list of] Cross-References to be provided in SOAR
> Build Security In Maturity Model [http://www.bsimm.com/]
> DHS National Cybersecurity Workforce Framework [4]
> DHS Software Assurance Professional Competency Model [3]
> ISO/IEC 12207:2008, Systems and software engineering — Software life cycle processes
> ISO/IEC 15288:2008, Systems and software engineering — System life cycle processes
> ISO 25010:2011, Systems and software engineering — Systems and software Quality Requirements and Evaluation (SQuaRE) — System and software quality models
> ISO/IEC 27001:2005, Information technology — Security techniques — Information security management systems — Requirements
> NIST Special Publication 800-39, Managing Information Security Risk: Organization, Mission, and Information System View [http://csrc.nist.gov/publications/nistpubs/800-39/SP800-39-final.pdf]
> NIST Special Publication 800-53 Revision 4, Security and Privacy Controls for Federal Information Systems and Organizations [http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf] [no longer draft]
> NIST Special Publication 800-64 Revision 2, Security Considerations in the System Development Life Cycle
  [http://csrc.nist.gov/publications/nistpubs/800-64-Rev2/SP800-64-Revision2.pdf]
> OWASP Software Assurance Maturity Model [https://www.owasp.org/index.php/Category:Software_Assurance_Maturity_Model]
> Rugged Software Manifesto [http://www.ruggedsoftware.org/]

Sample portion of cross-reference chart
Columns: Report Section | Software Assurance Professional Competency Model Competency | National Cybersecurity Workforce Framework (selected) Specialty Area
Chart entries (competency and specialty-area names listed under the report section they follow):
Introduction and Motivation
  Strategic Planning and Policy Development
Systems Engineering
  Security Engineering
  Systems Development
  Systems Security Analysis
Software Development Life Cycle
Phase-Dependent Activities
Requirements
  Systems Requirements Planning
  Systems Requirements Planning
Design
  Systems Security Architecture
  Systems Security Architecture
  Software Assurance and Security Engineering
Implementation
Operation and Maintenance
Phase-Independent Activities
  Test and Evaluation
Verification and Validation
Configuration Management
  Information Assurance Compliance
Risk Management
  Cyber Threat Analysis
  Information Assurance Compliance
  Threat Analysis
  Exploitation Analysis
  Vulnerability Assessment and Management
Standards, Guidelines, and Policies
Organizations and Initiatives
  Knowledge Management
Education and Training Resources
  Education and Training
Research and Development
  Technology Research and Development
  Technology Research and Development