Software Assurance


Software Assurance

Software Assurance (SwA) is defined as “the level of confidence that software is free from vulnerabilities, either intentionally designed into the software or accidentally inserted at anytime during its lifecycle, and that the software functions in the intended manner.” ["National Information Assurance Glossary"; CNSS Instruction No. 4009 National Information Assurance Glossary]

Alternate definitions

Department of Homeland Security (DHS)

According to the DHS, software assurance addresses:
* Trustworthiness - No exploitable vulnerabilities exist, either maliciously or unintentionally inserted;
* Predictable Execution - Justifiable confidence that software, when executed, functions as intended;
* Conformance - Planned and systematic set of multi-disciplinary activities that ensure software processes and products conform to requirements, standards/ procedures.

Contributing SwA disciplines, articulated in Bodies of Knowledge and Core Competencies: Software Engineering, Systems Engineering, Information Systems Security Engineering, Information Assurance, Test and Evaluation, Safety, Security, Project Management, and Software Acquisition. [ [https://buildsecurityin.us-cert.gov/portal DHS Build Security In web portal] ]

Software Assurance is a strategic initiative of the U.S. Department of Homeland Security (DHS) to promote integrity, security, and reliability in software. The SwA Program is based upon the National Strategy to Secure Cyberspace - Action/Recommendation 2-14:

“DHS will facilitate a national public-private effort to promulgate best practices and methodologies that promote integrity, security, and reliability in software code development, including processes and procedures that diminish the possibilities of erroneous code, malicious code, or trap doors that could be introduced during development.” [ [https://buildsecurityin.us-cert.gov/portal Build Security In Home ] ]

United States Department of Defense (DoD)

According to the DoD, software assurance relates to "the level of confidence that software functions as intended and is free of vulnerabilities, either intentionally or unintentionally designed or inserted as part of the software." [ [https://acc.dau.mil/CommunityBrowser.aspx?id=25749 DoD Software Assurance Initiative] 13 September 2005]

National Institute of Standards and Technology (NIST)

According to the NIST, software assurance is "the planned and systematic set of activities that ensures that software processes and products conform to requirements, standards, and procedures to help achieve:

* Trustworthiness - No exploitable vulnerabilities exist, either of malicious or unintentional origin, and
* Predictable Execution - Justifiable confidence that software, when executed, functions as intended." [ [http://samate.nist.gov/ NIST SAMATE project] ]

Software Assurance Metrics and Tool Evaluation (SAMATE) is a [http://www.nist.gov/ NIST] project that supports the DHS Software Assurance Program in the identification, enhancement and development of software assurance tools. NIST is leading in (A) testing software evaluation tools, (B) measuring the effectiveness of tools, and (C) identifying gaps in tools and methods. [ [http://samate.nist.gov/ Main Page - SAMATE ] ]

National Aeronautics and Space Administration (NASA)

According to NASA, Software Assurance is a "planned and systematic set of activities that ensures that software processes and products conform to requirements, standards, and procedures. It includes the disciplines of Quality Assurance, Quality Engineering, Verification and Validation, Nonconformance Reporting and Corrective Action, Safety Assurance, and Security Assurance and their application during a software life cycle." The NASA Software Assurance Standard also states: "The application of these disciplines during a software development life cycle is called Software Assurance." [ [http://satc.gsfc.nasa.gov/assure/assurepage.html NASA-STD-2201-93] "Software Assurance Standard", 10 November 1992]

Object Management Group (OMG)

According to the OMG, Software Assurance is “justifiable trustworthiness in meeting established business and security objectives.” [OMG Software Assurance (SwA) Special Interest Group (SIG) http://adm.omg.org/SoftwareAssurance.pdf and http://swa.omg.org/docs/softwareassurance.v3.pdf]

OMG's SwA Special Interest Group (SIG), [ [http://swa.omg.org OMG SwA SIG ] ] works with Platform and Domain Task Forces and other software industry entities and groups external to the OMG, to coordinate the establishment of a common framework for analysis and exchange of information related to software trustworthiness by facilitating the development of a specification for a Software Assurance Framework that will:

* Establish a common framework of software properties that can be used to represent any/all classes of software so software suppliers and acquirers can represent their claims and arguments(respectively), along with the corresponding evidence, employing automated tools (to address scale)
* Verify that products have sufficiently satisfied these characteristics in advance of product acquisition, so that system engineers/integrators can use these products to build (compose) larger assured systems with them
* Enable industry to improve visibility into the current status of software assurance during development of its software
* Enable industry to develop automated tools that support the common framework.

oftware Assurance Forum for Excellence in Code (SAFECode)

According to SAFECode, Software Assurance is “confidence that software, hardware and services are free from intentional and unintentional vulnerabilities and that the software functions as intended.” [ [http://www.safecode.org/publications/SAFECode_BestPractices0208.pdf “Software Assurance: An Overview of Current Industry Best Practices”, February 2008] ]

Webopedia

According to Webopedia, Software Quality Assurance, abbreviated as SQA, and also called "software assurance", is a level of confidence that software is free from vulnerabilities, either intentionally designed into the software or inserted at anytime during its lifecycle, and that the software functions in the intended manner." [ [http://www.webopedia.com/TERM/S/Software_Quality_Assurance.html Webopedia on-line encyclopedia] ]

As indicated in the Webopedia definition, the term "software assurance" has been used as a shorthand for Software Quality Assurance (SQA) when not necessarily considering security or trustworthiness. SQA is defined in the "Handbook of Software Quality Assurance" as: "the set of systematic activities providing evidence of the ability of the software process to produce a software product that is fit to use." [G. Gordon Schulmeyer and James I. McManus, "Handbook of Software Quality Assurance", 3rd Edition (Prentice Hall PRT, 1998)]

ee also

* Software Quality Assurance
* Software Security Assurance State of the Art Report (SOAR): [ [http://iac.dtic.mil/iatac/download/security.pdf Software Security Assurance State of the Art Report (SOAR)] ] a comprehensive resource which represents an output of collaborative efforts of organizations and individuals in the SwA Forum and Working Groups. The SOAR provides an overview of the current state of the environment in which software must operate and surveys current and emerging activities and organizations involved in promoting various aspects of software security assurance. The report also describes the variety of techniques and technologies in use in government, industry, and academia for specifying, acquiring, producing, assessing, and deploying software that can, with a justifiable degree of confidence, be said to be secure. The report also presents observations about noteworthy trends in software security assurance as a discipline.

References

External links

* [https://buildsecurityin.us-cert.gov/ DHS "Build Security In" information resource]
* [http://www.us-cert.gov/swa/ DHS Software Assurance (SwA)]
* [https://buildsecurityin.us-cert.gov/swa/index.html DHS SwA Community of Practice portal]
* [http://samate.nist.gov/ NIST Software Assurance Metrics and Tool Evaluation (SAMATE) project]
* [http://swa.omg.org/ Object Management Group SwA SIG]
* [http://swaconsortium.org/ Software Assurance Consortium]
* [http://www.safecode.org/ Software Assurance Forum for Excellence in Code (SAFECode)]
* [http://satc.gsfc.nasa.gov/assure/assurepage.html NASA Software Assurance Guidebook and Standard] (see quality assurance in IEEE 610.12 IEEE Standard Glossary of Software Engineering Terminology).


Wikimedia Foundation. 2010.

Look at other dictionaries:

  • Software Assurance Technology Center — The Software Assurance Technology Center (SATC) is a NASA department founded in 1992 as part of their Systems Reliability and Safety Office at GSFC. Its purpose was to become a center of excellence in software assurance, dedicated to making… …   Wikipedia

  • Microsoft Software Assurance — (SA) is a Microsoft maintenance program aimed at business users who use Microsoft Windows, Microsoft Office, and other server and desktop applications. The core premise behind SA is to give users the ability to spread their payments for the… …   Wikipedia

  • Software quality assurance — (SQA) consists of a means of monitoring the software engineering processes and methods used to ensure quality. It does this by means of audits of the quality management system under which the software system is created. These audits are backed by …   Wikipedia

  • Software System Safety — In Software Engineering, Software System Safety optimizes system safety in the design, development, use, and maintenance of software systems and their integration with safety critical hardware systems in an operational environment.… …   Wikipedia

  • Software Security Assurance — Software is itself a resource and thus must be afforded appropriate security. Software also contains and controls data and other resources. Therefore, it must be designed and implemented to protect those resources. Software Security Assurance is… …   Wikipedia

  • Software testing — is an empirical investigation conducted to provide stakeholders with information about the quality of the product or service under test [ [http://www.kaner.com/pdfs/ETatQAI.pdf Exploratory Testing] , Cem Kaner, Florida Institute of Technology,… …   Wikipedia

  • Software development process — Activities and steps Requirements Specification …   Wikipedia

  • Software quality control — (also known as Verification and Validation) consists of a means of controlling the quality of software engineering products. It does this by means of tests of the software system. These tests can be unit tests, integration tests, or system tests …   Wikipedia

  • Software testing outsourcing — provides for software testing carried out by the forces of an additionally engaged company or a group of people not directly involved in the process of software development. Contemporary testing outsourcing is an independent IT field , the so… …   Wikipedia

  • Software Quality Assurance Plan — o SQAP (es decir, Plan de Garantía de Calidad de Software) es un documento que organiza el desarrollo del software con el fin de que el proceso de creación de este siga unas pautas que aseguren la calidad del resultado. Este plan de garantía… …   Wikipedia Español


Share the article and excerpts

Direct link
Do a right-click on the link above
and select “Copy Link”

We are using cookies for the best presentation of our site. Continuing to use this site, you agree with this.