
Software Security Assurance Overview

CERT Research Report
In this section of the research report, the authors summarize the research that focuses on addressing security in early phases of acquisition and software development.
Publisher

Software Engineering Institute

Abstract

The Software Security Assurance (SSA) team focuses on addressing security in the early life-cycle phases of acquisition and software development. Building security into software requires considerations beyond basic authentication/authorization and mandated operational compliance to identify and address the threat environment in which the resulting operational system must function. With greater security preparation, organizations have seen major reductions in operational vulnerabilities resulting in reductions in software patching. For example, Microsoft's own data shows that the patch levels for versions of Windows that were developed after the security "push" are half of what they were for earlier versions. 

Current approaches for software engineering apply a blend of training, frameworks, methods, tools, assessments, and best practices. Engineering software for effective security requires addressing all of these aspects to provide the ability to incorporate security as needed. The SSA team has developed frameworks, methods, assessments, and tools to support measurements and best practices identified to improve operational security and provide program management the ability to monitor software engineering to ensure effective consideration of security. A major gap in the security education of software engineers is being addressed through the development of curricula for colleges and universities. Transitioning the results of this research is a critical focus for SSA. 

One unexpected finding of the team's research is that developing additional practices won't enable more organizations to build software assurance into their life cycle. Instead, there's a critical need for better integration into the way software is designed and built. Wholesale change is difficult for organizations, so the SSA team has been developing practical guidelines and techniques and then piloting them to show results that can be replicated. If organizations can see that an approach works, there's a better chance they'll implement it.

"It's like creating a cookbook," says Carol Woody, technical manager for SSA. "You build the recipe and then someone has to figure out how to cook it in their kitchen. We're developing customizable frameworks, methods, and techniques that organizations can tailor to their existing software acquisition and engineering practices." 

The team worked on the following major research projects in 2010, collaborating with researchers in other SEI teams, at CMU, and at other universities and organizations worldwide.