Software assurance (SwA) is a critical process in software development that ensures the reliability, safety, and security of software products.[1] It involves a variety of activities, including requirements analysis, design reviews, code inspections, testing, and formal verification. One crucial component of software assurance is secure coding practices, which follow industry-accepted standards and best practices, such as those outlined by the Software Engineering Institute (SEI) in their CERT Secure Coding Standards (SCS).[2]
Another vital aspect of software assurance is testing, which should be conducted at various stages of the software development process and can include functional testing, performance testing, and security testing.[3] Testing helps to identify any defects or vulnerabilities in software products before they are released. Furthermore, software assurance involves organizational and management practices like risk management and quality management to ensure that software products meet the needs and expectations of stakeholders.[4]
Software assurance aims to ensure that software is free from vulnerabilities and functions as intended, conforming to all requirements and standards governing the software development process.[3] Additionally, software assurance aims to produce software-intensive systems that are more secure. To achieve this, a preventive dynamic and static analysis of potential vulnerabilities is required, and a holistic, system-level understanding is recommended. Architectural risk analysis plays an essential role in any software security program, as design flaws account for 50% of security problems, and they cannot be found by staring at code alone.[5]
By following industry-accepted standards and best practices, incorporating testing and management practices, and conducting architectural risk analysis, software assurance can minimize the risk of system failures and security breaches, making it a critical aspect of software development.
Software assurance initiatives are programs and activities designed to ensure the quality, reliability, and security of software systems. These initiatives are important because software is used in a wide range of applications, from business operations to critical infrastructure, and defects or vulnerabilities in software can have serious consequences.
There are several types of software assurance initiatives, including:
In today's digital world, software is used to control a wide range of devices and systems, including cars, medical devices, financial systems, and military equipment. Ensuring the reliability, safety, and security of software products is therefore critical. Without proper testing and verification, software can contain defects and vulnerabilities that can lead to system failures, security breaches, and other serious problems with negative consequences for individuals, businesses, and society as a whole.[9]
The National Institute of Standards and Technology (NIST) defines software assurance as "the level of confidence that software is free from vulnerabilities, either intentionally designed into the software or accidentally inserted at any time during its life cycle, and that the software functions in the intended manner"[22]. Organizations can reduce the risk of costly system failures, data breaches, and other negative outcomes by ensuring software assurance.
In addition to the potential risks associated with software defects and vulnerabilities, there are legal and regulatory requirements related to software assurance. Failure to comply with these regulations can result in legal and financial penalties. For example, organizations that develop software for certain industries may be subject to regulations that require them to ensure the safety and security of their products.
Many critical functions, such as national defense, banking, healthcare, telecommunications, aviation, and control of hazardous materials, depend on the correct and predictable operation of software.[10] If the software-intensive systems that support these activities fail, they could be seriously disrupted. Therefore, it is essential for organizations to implement software testing and verification techniques and tools to reduce the risk of system failures and security breaches.
Software assurance is executed through a series of activities that aim to ensure the reliability, safety, and security of software products. These activities include requirements analysis, design reviews, code inspections, testing, and formal verification.[1]
Software testing and verification are techniques used to identify and address defects and vulnerabilities in software code. There are several types of testing and verification techniques, including functional testing, performance testing, and security testing.[3]
Software testing and verification tools are used to identify and address defects and vulnerabilities in software code. There are several types of testing and verification tools, including:
According to the DHS, software assurance addresses:
Contributing SwA disciplines, articulated in bodies of knowledge and core competencies: software engineering, systems engineering, information systems security engineering, information assurance, test and evaluation, safety, security, project management, and software acquisition.[16]
Software assurance is a strategic initiative of the US Department of Homeland Security (DHS) to promote integrity, security, and reliability in software. The SwA Program is based upon the National Strategy to Secure Cyberspace - Action/Recommendation 2-14:
“DHS will facilitate a national public-private effort to promulgate best practices and methodologies that promote integrity, security, and reliability in software code development, including processes and procedures that diminish the possibilities of erroneous code, malicious code, or trap doors that could be introduced during development.”[17] There are open-source software tools for software assurance that help identify potential security vulnerabilities.[18]
For the DoD, SwA is defined as "the level of confidence that software functions only as intended and is free of vulnerabilities, either intentionally or unintentionally designed or inserted as part of the software, throughout the life cycle.[19] DoD is developing SwA as a sound systems engineering practice as demonstrated by two recent publications funded by JFAC with development led by the Software Engineering Institute (SEI) and expert practitioners within the Military Services and NSA. The Program Manager's SwA Guidebook shows how SwA should be planned, resourced, and managed while the Developer's SwA Guidebook recommends tailorable technical practices throughout the life cycle.[20] Both of these documents are the first of their kind, and awarded.[21] The two enterprise-scale organizations in DoD building SwA capability are the Joint Federated Assurance Center (JFAC)[22] and the DoD SwA Community of practice which has operated as a quarterly collegial forum 32 consecutive gatherings. Both are open to other parts of the US Government. The JFAC Charter is available at its website. To develop wider situational awareness of the families of SwA tools commercially available, JFAC funded the Institute for Defense Analysis (IDA) to produce the State of the Art Resource (SOAR).[23] A recent innovation in "engineering-in" SwA throughout the life cycle is coupling selected NIST 800-53 controls to engineering tasks so that the engineering results define the Risk Management Framework (RMF) and drive the Authority to Operate (ATO). A package including Data Item Descriptions (DIDs), machine-readable vulnerability report formats, and a brief overviewing application of the techniques is available at the JFAC website. Other disruptive innovations are in process.
According to the NIST SAMATE project,[24] software assurance is "the planned and systematic set of activities that ensures that software processes and products conform to requirements, standards, and procedures to help achieve:
According to NASA, software assurance is a "planned and systematic set of activities that ensures that software processes and products conform to requirements, standards, and procedures. It includes the disciplines of quality assurance, quality engineering, verification and validation, nonconformance reporting and corrective action, safety assurance, and security assurance and their application during a software life cycle." The NASA Software Assurance Standard also states: "The application of these disciplines during a software development life cycle is called software assurance."[25]
According to the OMG, software assurance is “justifiable trustworthiness in meeting established business and security objectives.”[26]
OMG's SwA Special Interest Group (SIG),[27] works with Platform and Domain Task Forces and other software industry entities and groups external to the OMG, to coordinate the establishment of a common framework for analysis and exchange of information related to software trustworthiness by facilitating the development of a specification for a Software Assurance Framework [28] that will:
According to SAFECode, software assurance is “confidence that software, hardware and services are free from intentional and unintentional vulnerabilities and that the software functions as intended.”[29]