SAFECode RESOURCES
PAPERS
Software Security Assurance: State-of-the-Art-Report, Information Assurance Technology Analysis Center (IATAC) and Data Analysis Center for Software (DACS), July 31, 2007
This report identifies the current "state-of-the-art" in software security assurance. The document, a joint collaboration between the Department of Defense's Information Assurance Technology Analysis Center and Data Analysis Center for Software, provides an overview of current and emerging activities and organizations involved in promoting various aspects of software security assurance and describes the variety of techniques and technologies in use in government, industry, and academia for specifying, acquiring, producing, assessing, and deploying secure software. http://iac.dtic.mil/iatac/download/security.pdf
The report examines the risks associated with the global software supply chain and provides recommendations on how to mitigate these risks.
http://www.csis.org/index.php?option=com_csis_pubs&task=view&id=3772
The report is a product of the Software Process Subgroup of the Security-across-the-Software-Development-Lifecycle Task Force of the National Cyber Security Summit. The report defines a path for software producers to follow in producing secure software and it includes recommendations to software producing organizations, educators, and the Department of Homeland Security (DHS) on how to motivate and aid software producers in following these recommendations. http://www.cigital.com/papers/download/secure_software_process.pdf
This report examines how software and the systems that rely on it can be made dependable in a cost-effective manner, and how assurance that dependability has been achieved can be obtained. The focus of the report is a set of fundamental principles that underlie software system dependability and that suggest a different approach to the development and assessment of dependable software. http://books.nap.edu/catalog.php?record_id=11923#toc
This study by the Government Accountability Office concludes that DOD acquisition and software security policies do not fully address the risk of using foreign suppliers to develop weapon system software. To address this problem, GAO recommends that DOD better define software security requirements and require program managers to mitigate associated risks accordingly. http://www.gao.gov/new.items/d04678.pdf
This report argues that governments must do more to provide incentives to information and communications technology vendors to do more to promote personal security on the internet. Recommendations urge government action to create "a flexible mix of incentives, regulation, and direct investment to galvanize the key stakeholders." http://www.parliament.uk/parliamentary_committees/lords_s_t_select/internet.cfm
This guidebook provides system, software and process guidance to increase the level of assurance across the system lifecycle. The guidebook is built on ISO and IEEE systems lifecycle specifications delivering a prescription for engineers who are seeking specific instruction on the incorporation of security and assurance measures to help manage the criticality of their target system as well as the components that make up the system. http://www.itaa.org/upload/es/docs/Systems_Assurance_Guidebook_2_Aug_2007.doc
ORGANIZATIONS
Build Security In (BSI)
Build Security In is a project of the Software Assurance program of the Strategic Initiatives Branch of the National Cyber Security Division (NCSD) of the U.S. Department of Homeland Security. The Software Engineering Institute (SEI) was engaged by the NCSD to provide support in the Process and Technology focus areas of this initiative. The SEI team and other contributors develop and collect software assurance and software security information that helps to create secure systems. https://buildsecurityin.us-cert.gov/
CESG Assurance Model
CESG is the Information Assurance (IA) arm of GCHQ and the UK Government's National Technical Authority for IA, responsible for enabling secure and trusted knowledge sharing. http://www.cesg.gov.uk/site/model/index.cfm
Common Criteria Portal
The Common Criteria Portal is the official website of the Common Criteria Project, a central and geographically neutral site containing information about the Common Criteria. http://www.commoncriteriaportal.org
The European Network and Information Security Agency and the ITU (International Telecommunication Union)
The European Network and Information Security Agency, together with the International Telecommunication Union, launched a new portal for IT security standards, for the first time giving Europe one single access point for IT security standards. http://www.itu.int/ITU-T/studygroups/com17/ict/
Federal Information Security Management Act (FISMA) Implementation Project
The FISMA Implementation Project was established in January 2003 to produce several key security standards and guidelines required by Congressional legislation. These publications include FIPS 199, FIPS 200, and NIST Special Publications 800-53, 800-59, and 800-60. Additional security guidance documents are being developed in support of the project while not called out directly in the FISMA legislation. These publications include NIST Special Publications 800-37, 800-53, and 800-53A. http://csrc.nist.gov/sec-cert/
The Federal Office for Information Security (BSI)
The Federal Office for Information Security (BSI) is the central IT security service provider for the German government. BSI conducts basic research within the area of IT security with services aimed at the users and manufacturers of information technology products. http://www.bsi.bund.de/english/publications/index.htm
The Global Cybersecurity Agenda
The Global Cybersecurity Agenda (GCA) is an ITU framework for international cooperation aimed at proposing strategies for solutions to enhance confidence and security in the information society. It will build on existing national and regional initiatives to avoid duplication of work and encourage collaboration amongst all relevant partners. http://www.itu.int/osg/csd/cybersecurity/gca/goals.html
ICT Security Standards Roadmap
The ICT Security Standards Roadmap has been developed to assist in the development of security standards by bringing together information about existing standards and current standards work in key standards development organizations. http://www.itu.int/ITU-T/studygroups/com17/ict/
NIST's Computer Security Division
The Computer Security Division (CSD) responds to the Federal Information Security Management Act of 2002. The NIST CSD operates the FIPS 140 testing program in addition to other programs. http://csrc.nist.gov/groups/STM/index.html
Purdue University Secure Programming Curriculum
Pascal Meunier has developed this curriculum to teach secure programming skills to developers. The material is an excellent resource for all developers. http://homes.cerias.purdue.edu/~pmeunier/aboutme/teaching.html
Software Assurance Metrics And Tool Evaluation (SAMATE) -- NIST
This project supports the DHS Software Assurance Tools and R&D Requirements Identification Program. The objective of part 3, Technology (Tools and Requirements), is the identification, enhancement and development of software assurance tools. NIST is leading in (A) testing software evaluation tools, (B) measuring the effectiveness of tools, and (C) identifying gaps in tools and methods.
© 2007-2008 Software Assurance Forum for Excellence in Code (SAFECode) - All Rights Reserved