software assurance: an overview of current industry best practices
DESCRIPTION
Software Assurance: An Overview of Current Industry Best Practices. Randy Beavers CS 585 – Computer Security February 19, 2009. Software Assurance: An Overview of Current Industry Best Practices. Summary of Paper. Software underpins information infrastructure. - PowerPoint PPT PresentationTRANSCRIPT
![Page 1: Software Assurance: An Overview of Current Industry Best Practices](https://reader034.vdocuments.net/reader034/viewer/2022042718/56815fb3550346895dceb03b/html5/thumbnails/1.jpg)
Randy BeaversCS 585 – Computer
Security February 19, 2009
![Page 2: Software Assurance: An Overview of Current Industry Best Practices](https://reader034.vdocuments.net/reader034/viewer/2022042718/56815fb3550346895dceb03b/html5/thumbnails/2.jpg)
Software underpins information infrastructure.
Organizations widely and increasingly use COTS software.
Cyber attacks are becoming more stealthy and sophisticated, creating a complex environment.
Software Assurance:An Overview of Current Industry Best Practices
![Page 3: Software Assurance: An Overview of Current Industry Best Practices](https://reader034.vdocuments.net/reader034/viewer/2022042718/56815fb3550346895dceb03b/html5/thumbnails/3.jpg)
Vendors have undertaken significant efforts to improve and protect software integrity.
Software Assurance critical to public safety and economic and national security.
Shows how SAFECode members approach software assurance, and how to use best practices for software development.
Software Assurance:An Overview of Current Industry Best Practices
![Page 4: Software Assurance: An Overview of Current Industry Best Practices](https://reader034.vdocuments.net/reader034/viewer/2022042718/56815fb3550346895dceb03b/html5/thumbnails/4.jpg)
Software Assurance Forum for Excellence in Code. A non-profit organization exclusively dedicate to
increasing trust in information and communications technology products and services through the advancement of proven software assurance methods.
Software Assurance:An Overview of Current Industry Best Practices
![Page 5: Software Assurance: An Overview of Current Industry Best Practices](https://reader034.vdocuments.net/reader034/viewer/2022042718/56815fb3550346895dceb03b/html5/thumbnails/5.jpg)
EMC Corporation Juniper Networks, Inc. Microsoft Corporation SAP AG Symantec Corporation Website: www.safecode.org
Founded by:
Software Assurance:An Overview of Current Industry Best Practices
![Page 6: Software Assurance: An Overview of Current Industry Best Practices](https://reader034.vdocuments.net/reader034/viewer/2022042718/56815fb3550346895dceb03b/html5/thumbnails/6.jpg)
The Challenge of Software Assurance and Security
Software Assurance encompasses the development and implementation of methods and processes for ensuring that software functions as intended while mitigating the risks of vulnerabilities, malicious code or defects that could bring harm to the end user.
Software Assurance:An Overview of Current Industry Best Practices
![Page 7: Software Assurance: An Overview of Current Industry Best Practices](https://reader034.vdocuments.net/reader034/viewer/2022042718/56815fb3550346895dceb03b/html5/thumbnails/7.jpg)
Vital to ensuring the security of critical information.
Information and communications technology vendors have responsibility to address assurance in every stage of application development.
Integrators, operators, and end users share responsibility for ensuring security of critical information systems.
Software Assurance:
Software Assurance:An Overview of Current Industry Best Practices
![Page 8: Software Assurance: An Overview of Current Industry Best Practices](https://reader034.vdocuments.net/reader034/viewer/2022042718/56815fb3550346895dceb03b/html5/thumbnails/8.jpg)
Software assurance risks faced by users today can be categorized in three areas:
1. Accidental design or implementation errors.
2. The changing technological environment.
3. Malicious insiders.
Software Assurance:An Overview of Current Industry Best Practices
![Page 9: Software Assurance: An Overview of Current Industry Best Practices](https://reader034.vdocuments.net/reader034/viewer/2022042718/56815fb3550346895dceb03b/html5/thumbnails/9.jpg)
Inadvertently create faulty software design or implementation highlights risk area for:
◦ Hackers◦ Viruses◦ Worms◦ Other malicious attacks
Software Assurance:An Overview of Current Industry Best Practices
Developers address risks through:
oTraining.oUse of secure development practices and tools.
![Page 10: Software Assurance: An Overview of Current Industry Best Practices](https://reader034.vdocuments.net/reader034/viewer/2022042718/56815fb3550346895dceb03b/html5/thumbnails/10.jpg)
Rapid change and innovation are characteristics of the IT industry.
Criminals can and do innovate also. They have created a complex and lucrative criminal economy.
The process is one of on-going improvement as new threats are created, and new countermeasures developed and implemented.
Software Assurance:An Overview of Current Industry Best Practices
![Page 11: Software Assurance: An Overview of Current Industry Best Practices](https://reader034.vdocuments.net/reader034/viewer/2022042718/56815fb3550346895dceb03b/html5/thumbnails/11.jpg)
Growing concern that global software development processes could be exploited by a rogue programmer or organized group of programmers.
There are proven best practices that companies use to manage their unique development infrastructure and business models.
Software Assurance:An Overview of Current Industry Best Practices
![Page 12: Software Assurance: An Overview of Current Industry Best Practices](https://reader034.vdocuments.net/reader034/viewer/2022042718/56815fb3550346895dceb03b/html5/thumbnails/12.jpg)
Vendors have responsibility and business incentive to ensure product assurance and security.
Customers demand software be secure and reliable.
Vendors must protect brand names and company reputations.
Software Assurance:An Overview of Current Industry Best Practices
![Page 13: Software Assurance: An Overview of Current Industry Best Practices](https://reader034.vdocuments.net/reader034/viewer/2022042718/56815fb3550346895dceb03b/html5/thumbnails/13.jpg)
Software development varies by vendor and unique products, organizational structure, and customer requirements.
No single method that yields software assurance and security.
Regardless, there is a core of best practices for software assurance and security.
Software Assurance:An Overview of Current Industry Best Practices
![Page 14: Software Assurance: An Overview of Current Industry Best Practices](https://reader034.vdocuments.net/reader034/viewer/2022042718/56815fb3550346895dceb03b/html5/thumbnails/14.jpg)
Software Assurance:An Overview of Current Industry Best Practices
![Page 15: Software Assurance: An Overview of Current Industry Best Practices](https://reader034.vdocuments.net/reader034/viewer/2022042718/56815fb3550346895dceb03b/html5/thumbnails/15.jpg)
Across SAFECode’s membership, security bestpractices and controls are well established:
Software Assurance:An Overview of Current Industry Best Practices
Security Training Security DocumentationDefining Security Requirements
Security Readiness
Secure Design Security ResponseSecure Coding Integrity VerificationSecure Source Code Handling Security ResearchSecurity Testing Security Evangelism
![Page 16: Software Assurance: An Overview of Current Industry Best Practices](https://reader034.vdocuments.net/reader034/viewer/2022042718/56815fb3550346895dceb03b/html5/thumbnails/16.jpg)
INTEGRATORS. Work in partnership with vendors to mitigate
vulnerabilities. OPERATORS.
Must deploy standard layered defense security measures.
END USERS. Responsible software use a requirement for software
assurance and security.
Software Assurance:An Overview of Current Industry Best Practices
![Page 17: Software Assurance: An Overview of Current Industry Best Practices](https://reader034.vdocuments.net/reader034/viewer/2022042718/56815fb3550346895dceb03b/html5/thumbnails/17.jpg)
www.safecode.org