This report seeks to identify the Top 25 Most Dangerous Programming Errors. The Department of Homeland Security and the National Security Agency funded it in an effort to educate programmers. It was managed by MITRE and the SANS Institute and the major errors were divided into three categories: the Insecure Interaction between Components, the Risky Resource Management, and the Porous Defenses.
Build Security in Maturity Model (BSIMM)
The Build Security In Maturity Model (BSIMM) is a set of software security activities identified in a survey of the software security initiatives of nine companies. The activities were grouped into a Software Security Framework, which can be used as a yardstick for other organizations to assess their software security measures. The report was released on March 4, 2009.
Consensus Audit Guidelines
This report identifies 20 specific security controls that are essential for blocking known high-priority attacks. A consortium of federal agencies and private organizations identified that the first 15 controls could be monitored automatically and continuously while the last five needed to be monitored manually. It is also important to note that Critical Control number seven addressed the Application Software Security.
CSIS Report on “Securing Cyberspace for the 44th Presidency”
This report outlined the three major findings on Cybersecurity for the 44th President of the United States. The report stated that Cybersecurity is one of the major national security problems facing the United States, the decisions and actions must respect American values related to privacy and civil liberties, and only a comprehensive national security strategy that embraces both the domestic and international aspects of cybersecurity will improve the situation. The commission also recommends that the president work with industry to develop and implement security guidelines for the procurement of IT products with software as the top priority.
Software Security Assurance: State-of-the-Art-Report, Information Assurance Technology Analysis Center (IATAC) and Data Analysis Center for Software (DACS), July 31, 2007
This report identifies the current "state-of-the-art" in software security assurance. The document, a joint collaboration between the Department of Defense's Information Assurance Technology Analysis Center and Data Analysis Center for Software, provides an overview of current and emerging activities and organizations involved in promoting various aspects of software security assurance and describes the variety of techniques and technologies in use in government, industry, and academia for specifying, acquiring, producing, assessing, and deploying secure software.
James Lewis, Foreign Influence on Software: Risks and Recourse, CSIS Report, March 2007
The report examines the risks associated with global software supply chain and provides recommendations on how to mitigate these risks.
James Lewis Report
Processes to Produce Secure Software: Towards More Secure Software, National Cyber Security Summit, March 2004.
The report is a product of the Software Process Subgroup of the Security-across-the-Software-Development-Lifecycle Task Force of the National Cyber Security Summit. The report defines a path for software producers to follow in producing secure software and it includes recommendations to software producing organizations, educators, and the Department of Homeland Security (DHS) on how to motivate and aid software producers in following these recommendations.
Software for Dependable Systems: Sufficient Evidence? Committee on Certifiably Dependable Software Systems, National Research Council, 2007.
This report examines how software and the systems that rely on it can be made dependable in a cost-effective manner, and how assurance that dependability has been achieved can be obtained. The focus of the report is a set of fundamental principles that underlie software system dependability and that suggest a different approach to the development and assessment of dependable software.
Defense Acquisitions: Knowledge of Software Suppliers Needed to Manage Risks, GAO Report to Congressional Requesters, May 2004.
This study by the Government Accountability Office concludes that DOD acquisition and software security policies do not fully address the risk of using foreign suppliers to develop weapon system software. To address this problem, GAO recommends that DOD better define software security requirements and require program managers to mitigate associated risks accordingly.
House of Lords Science and Technology Committee on Personal Internet Security
This report argues that governments must do more provide incentives to information and communications technology vendors to do more to promote personal security on the internet. Recommendations urge government action to create "a flexible mix of incentives, regulation, and direct investment to galvanize the key stakeholders."
The NDIA Systems Assurance Guidebook Project
This guidebook provides system, software and process guidance to increase the level of assurance across the system lifecycle. The guidebook is built on ISO and IEEE systems lifecycle specifications delivering a prescription for engineers who are seeking specific instruction on the incorporation of security and assurance measures to help manage the criticality of their target system as well as the components that make up the system.
Based in Cybejaya, Malaysia, the International Multilateral Partnership Against Cyber Threats (IMPACT) is a multilateral collaboration effort, which exchanges ideas, best practices and shared skills to combat cyber threats.
Build Security In (BSI)
Build Security In is a project of the Software Assurance program of the Strategic Initiatives Branch of the National Cyber Security Division (NCSD) of the U.S. Department of Homeland Security. The Software Engineering Institute (SEI) was engaged by the NCSD to provide support in the Process and Technology focus areas of this initiative. The SEI team and other contributors develop and collect software assurance and software security information that helps to create secure systems.
CESG Assurance Model
CESG is the Information Assurance (IA) arm of GCHQ and the UK Government's National Technical Authority for IA, responsible for enabling secure and trusted knowledge sharing.
The new CESG Assurance Model is a framework that takes a 'whole-life' view of assurance. CESG believes it will help address some of the challenges the Government community (and its partners) face in developing ICT systems in today's increasingly complex and joined-up world.
Common Criteria Portal
The Common Criteria Portal is the official website of the Common Criteria Project, a central and geographically neutral site containing information about the Common Criteria.
The European Network and Information Security Agency and the ITU (International Telecommunication Union)
The European Network and Information Security Agency together with the International Telecommunication Union, launched a new portal for IT security standards, for the first time giving Europe one, single access point for IT security standards.
Federal Information Security Management Act (FISMA) Implementation Project
The FISMA Implementation Project was established in January 2003 to produce several key security standards and guidelines required by Congressional legislation. These publications include FIPS 199, FIPS 200, and NIST Special Publications 800-53, 800-59, and 800-60. Additional security guidance documents are being developed in support of the project while not called out directly in the FISMA legislation. These publications include NIST Special Publications 800-37, 800-53, and 800-53A.
The Federal Office for Information Security (BSI)
The Federal Office for Information Security (BSI) is the central IT security service provider for the German government. BSI conducts basic research within the area of IT security with services aimed at the users and manufacturers of information technology products.
ICT Security Standards Roadmap
The ICT Security Standards Roadmap has been developed to assist in the development of security standards by bringing together information about existing standards and current standards work in key standards development organizations.
NIST'S Computer Security Division
The Computer Security Division (CSD) responds to the Federal Information Security Management Act of 2002. The NIST CSD operates the FIPS 140 testing program in addition to other programs.
Purdue University Secure Programming Curriculum
Pascal Meunier has developed this curriculum to teach secure programming skills to developers. The material is an excellent resource for all developers.
Software Assurance Metrics And Tool Evaluation (SAMATE) -- NIST
This project supports the DHS Software Assurance Tools and R&D Requirements Identification Program. The objective of part 3, Technology (Tools and Requirements) is the identification, enhancement and development of software assurance tools. NIST is leading in (A) testing software evaluation tools, (B) measuring the effectiveness of tools, and (C) identifying gaps in tools and methods.