Software Assurance Guidance and Evaluation (SAGE) Tool

White Paper
The Software Assurance Guidance and Evaluation (SAGE) tool helps an organization assess the security of its systems development and operations practices.
Publisher

Software Engineering Institute

Abstract

The Software Assurance (SwA) Evaluation was created to assess an organization’s systems development and operations practices. It identifies potential vulnerabilities and opportunities to improve and secure processes across six Secure Software Development Lifecycle (S-SDLC) phases: Governance, Requirements, Architecture and Design, Development, Test, and Delivery. For each phase, a list of recommended security activities has been identified to promote awareness of modern best practices. The Software Assurance Guidance and Evaluation (SAGE) tool works with the SwA Evaluation to provide an organization with situational awareness about which security-focused practices are already in use to reduce the risks of software failure throughout the SDLC and to inform a SwA Evaluation team about any corrective actions that need to take place during the SDLC. This SAGE tool is composed of two complementary parts: a questionnaire section, which can be distributed to different teams across the software development and operations areas in an organization, and a guidance section, containing a compendium of best practices executed today in both industry and government settings. Both the questions and guidance draw from modern practices used in software design, development, test, and operation and are distributed across the software production and operation phases.