Software Assurance
Encyclopedia
Software assurance is defined as “the level of confidence that software is free from vulnerabilities, either intentionally designed into the software or accidentally inserted at anytime during its lifecycle, and that the software functions in the intended manner.”
The main objective of software assurance is to ensure that the processes, procedures, and
products used to produce and sustain the software conform to all requirements and standards
specified to govern those processes, procedures, and products. A secondary objective of Software assurance is to insure that the software-intensive systems we produce are more secure.
Contributing SwA disciplines, articulated in Bodies of Knowledge and Core Competencies: Software Engineering, Systems Engineering, Information Systems Security Engineering, Information Assurance, Test and Evaluation, Safety, Security, Project Management, and Software Acquisition.
Software assurance is a strategic initiative of the U.S. Department of Homeland Security (DHS) to promote integrity, security, and reliability in software. The SwA Program is based upon the National Strategy to Secure Cyberspace - Action/Recommendation 2-14:
“DHS will facilitate a national public-private effort to promulgate best practices and methodologies that promote integrity, security, and reliability in software code development, including processes and procedures that diminish the possibilities of erroneous code, malicious code, or trap doors that could be introduced during development.”
, software assurance relates to "the level of confidence that software functions as intended and is free of vulnerabilities, either intentionally or unintentionally designed or inserted as part of the software."
SAMATE project, software assurance is "the planned and systematic set of activities that ensures that software processes and products conform to requirements, standards, and procedures to help achieve:
, Software Assurance is “justifiable trustworthiness in meeting established business and security objectives.”
OMG's SwA Special Interest Group (SIG), works with Platform and Domain Task Forces and other software industry entities and groups external to the OMG, to coordinate the establishment of a common framework for analysis and exchange of information related to software trustworthiness by facilitating the development of a specification for a Software Assurance Framework that will:
As indicated in the Webopedia definition, the term "software assurance" has been used as a shorthand for Software Quality Assurance (SQA) when not necessarily considering security or trustworthiness. SQA is defined in the Handbook of Software Quality Assurance as: "the set of systematic activities providing evidence of the ability of the software process to produce a software product that is fit to use."
functions—from national defense to banking to healthcare to telecommunications to aviation
to control of hazardous materials—depend on the on the correct, predictable operation of
software. It is safe to say that in today’s world, these and myriad other activities and functions
would become hopelessly crippled if not completely impossible were the software-intensive
systems that they rely on to fail.
The main objective of software assurance is to ensure that the processes, procedures, and
products used to produce and sustain the software conform to all requirements and standards
specified to govern those processes, procedures, and products. A secondary objective of Software assurance is to insure that the software-intensive systems we produce are more secure.
Department of Homeland Security (DHS)
According to the DHS, software assurance addresses:- Trustworthiness - No exploitable vulnerabilities exist, either maliciously or unintentionally inserted;
- Predictable Execution - Justifiable confidence that software, when executed, functions as intended;
- Conformance - Planned and systematic set of multi-disciplinary activities that ensure software processes and products conform to requirements, standards/ procedures.
Contributing SwA disciplines, articulated in Bodies of Knowledge and Core Competencies: Software Engineering, Systems Engineering, Information Systems Security Engineering, Information Assurance, Test and Evaluation, Safety, Security, Project Management, and Software Acquisition.
Software assurance is a strategic initiative of the U.S. Department of Homeland Security (DHS) to promote integrity, security, and reliability in software. The SwA Program is based upon the National Strategy to Secure Cyberspace - Action/Recommendation 2-14:
“DHS will facilitate a national public-private effort to promulgate best practices and methodologies that promote integrity, security, and reliability in software code development, including processes and procedures that diminish the possibilities of erroneous code, malicious code, or trap doors that could be introduced during development.”
United States Department of Defense (DoD)
According to the DoDUnited States Department of Defense
The United States Department of Defense is the U.S...
, software assurance relates to "the level of confidence that software functions as intended and is free of vulnerabilities, either intentionally or unintentionally designed or inserted as part of the software."
Software Assurance Metrics and Tool Evaluation (SAMATE) project
According to the NISTNational Institute of Standards and Technology
The National Institute of Standards and Technology , known between 1901 and 1988 as the National Bureau of Standards , is a measurement standards laboratory, otherwise known as a National Metrological Institute , which is a non-regulatory agency of the United States Department of Commerce...
SAMATE project, software assurance is "the planned and systematic set of activities that ensures that software processes and products conform to requirements, standards, and procedures to help achieve:
- Trustworthiness - No exploitable vulnerabilities exist, either of malicious or unintentional origin, and
- Predictable Execution - Justifiable confidence that software, when executed, functions as intended."
National Aeronautics and Space Administration (NASA)
According to NASA, software assurance is a "planned and systematic set of activities that ensures that software processes and products conform to requirements, standards, and procedures. It includes the disciplines of Quality Assurance, Quality Engineering, Verification and Validation, Nonconformance Reporting and Corrective Action, Safety Assurance, and Security Assurance and their application during a software life cycle." The NASA Software Assurance Standard also states: "The application of these disciplines during a software development life cycle is called Software Assurance."Object Management Group (OMG)
According to the OMGObject Management Group
Object Management Group is a consortium, originally aimed at setting standards for distributed object-oriented systems, and is now focused on modeling and model-based standards.- Overview :...
, Software Assurance is “justifiable trustworthiness in meeting established business and security objectives.”
OMG's SwA Special Interest Group (SIG), works with Platform and Domain Task Forces and other software industry entities and groups external to the OMG, to coordinate the establishment of a common framework for analysis and exchange of information related to software trustworthiness by facilitating the development of a specification for a Software Assurance Framework that will:
- Establish a common framework of software properties that can be used to represent any/all classes of software so software suppliers and acquirers can represent their claims and arguments(respectively), along with the corresponding evidence, employing automated tools (to address scale)
- Verify that products have sufficiently satisfied these characteristics in advance of product acquisition, so that system engineers/integrators can use these products to build (compose) larger assured systems with them
- Enable industry to improve visibility into the current status of software assurance during development of its software
- Enable industry to develop automated tools that support the common framework.
Software Assurance Forum for Excellence in Code (SAFECode)
According to SAFECode, software assurance is “confidence that software, hardware and services are free from intentional and unintentional vulnerabilities and that the software functions as intended.”Webopedia
According to Webopedia, Software Quality Assurance, abbreviated as SQA, and also called "software assurance", is a level of confidence that software is free from vulnerabilities, either intentionally designed into the software or inserted at anytime during its lifecycle, and that the software functions in the intended manner."As indicated in the Webopedia definition, the term "software assurance" has been used as a shorthand for Software Quality Assurance (SQA) when not necessarily considering security or trustworthiness. SQA is defined in the Handbook of Software Quality Assurance as: "the set of systematic activities providing evidence of the ability of the software process to produce a software product that is fit to use."
Why Does Software Assurance Matter?
The reason software assurance matters is that so many business activities and criticalfunctions—from national defense to banking to healthcare to telecommunications to aviation
to control of hazardous materials—depend on the on the correct, predictable operation of
software. It is safe to say that in today’s world, these and myriad other activities and functions
would become hopelessly crippled if not completely impossible were the software-intensive
systems that they rely on to fail.
External links
- DHS "Build Security In" information resource
- DHS Software Assurance (SwA)
- DHS SwA Community of Practice portal
- NIST Software Assurance Metrics and Tool Evaluation (SAMATE) project
- Object Management Group SwA SIG
- Software Assurance Consortium
- Software Assurance Forum for Excellence in Code (SAFECode)
- NASA Software Assurance Guidebook and Standard (see quality assurance in IEEE 610.12 IEEE Standard Glossary of Software Engineering Terminology).
- Software Security Assurance State of the Art Report (SOAR)