Improving Software Assurance
July 2013 • White Paper
Carol Woody, Robert J. Ellison
In this paper, the authors discuss what practitioners should know about software assurance, where to look, what to look for, and how to demonstrate improvement.
Software assurance objectives include reducing the likelihood of vulnerabilities such as those on a Top 25 Common Weakness Enumeration (CWE) list and increasing confidence that the system behaves as expected. Practitioners should understand where to look, what to look for, and how to demonstrate improvement.
For practitioners who want to delve deeper into software assurance, the BSI website provides a wealth of information to aid in tying security into all development activities. For example, the BSI website includes a number of papers that were presented at the Making the Business Case for Software Assurance Workshop in September 2008. Today, more than 25 large-scale software security initiatives are underway in organizations as diverse as multi-national banks, independent software vendors, the U.S. Air Force, and embedded systems manufacturers. The Software Assurance Forum for Excellence in Code (SAFECode), an industry-leading non-profit organization that focuses on the advancement of effective software assurance methods, published a report on secure software development [Simpson 2008]. In 2009, the first version of The Building Security In Maturity Model (BSIMM) was published [McGraw 2009]. BSIMM was created from a survey of nine organizations with active software security initiatives the authors considered to be the most advanced. The nine organizations were drawn from three verticals: four financial services firms, three independent software vendors, and two technology firms. Those companies among the nine who agreed to be identified include Adobe, The Depository Trust & Clearing Corporation (DTCC), EMC, Google, Microsoft, QUALCOMM, and Wells Fargo.