Software Assurance

Education, Training & Certification

Web Guide


PURPOSE

The goal of this pocket guide is to promote the development of educational and training materials and programs to prepare a workforce more capable of securing software and applications.

This pocket guide compiles software assurance education and training resources aimed at ensuring adequate coverage of the requisite knowledge areas and the corresponding roles in the workforce. In doing so it draws upon contributing disciplines such as software engineering (including its many sub-disciplines, such as programming), systems engineering and analysis, project management, etc., to identify and acquire the competencies associated with secure software.

The Software Assurance Pocket Guide Series is developed in collaboration with the SwA Forum and Working Groups and provides summary material in a more consumable format.  The series provides informative material for SwA initiatives that seek to reduce software vulnerabilities, minimize exploitation, and address ways to improve the routine development, acquisition and deployment of trustworthy software products.  Together, these activities will enable more secure and reliable software, software that supports mission requirements across enterprises and the critical infrastructure. 


NO WARRANTY

This material is furnished on an “as-is” basis for information only.  The authors, contributors, and participants of the SwA Forum and Working Groups, their employers, the U.S. Government, other participating organizations, all other entities associated with this information resource, and entities and products mentioned within this pocket guide make no warranties of any kind, either expressed or implied, as to any matter including, but not limited to, warranty of fitness for purpose, completeness or merchantability, exclusivity, or results obtained from use of the material.  No warranty of any kind is made with respect to freedom from patent, trademark, or copyright infringement.  Reference or use of any trademarks is not intended in any way to infringe on the rights of the trademark holder.  No warranty is made that use of the information in this pocket guide will result in software that is secure.  Examples are for illustrative purposes and are not intended to be used as is or without undergoing analysis.


REPRINTS

Any Software Assurance Pocket Guide may be reproduced and/or redistributed in its original configuration, within normal distribution channels (including but not limited to on-demand Internet downloads or in various archived/compressed formats). 

Anyone making further distribution of these pocket guides via reprints may indicate on the back cover of the pocket guide that their organization made the reprints of the document, but the pocket guide should not be otherwise altered.  These resources have been developed for information purposes and should be available to all with interests in software security.

For more information, including recommendations for modification of SwA pocket guides, please contact Software.Assurance@dhs.gov or visit the Software Assurance Community Resources and Information Clearinghouse at https://buildsecurityin.us-cert.gov/swa to download the pocket guide in either format (4”x8” or 8.5”x11”).


Software Assurance (SwA) Pocket Guide Series

SwA is primarily focused on software security and on mitigating risks attributable to software, thereby better enabling resilience in operations.  SwA Pocket Guides are provided below, with some yet to be published.  All are offered as informative resources and are not comprehensive in coverage.  All are intended as resources for ‘getting started’ with various aspects of software assurance.  The planned coverage of topics in the SwA Pocket Guide Series is listed:

SwA in Acquisition & Outsourcing

I. Software Assurance in Acquisition and Contract Language

II. Software Supply Chain Risk Management & Due-Diligence

SwA in Development

I. Integrating Security into the Software Development Life Cycle

II. Key Practices for Mitigating the Most Egregious Exploitable Software Weaknesses

III. Risk-based Software Security Testing

IV. Requirements & Analysis for Secure Software

V. Architecture & Design Considerations for Secure Software

VI. Secure Coding

VII. Security Considerations for Technologies, Methodologies & Languages

SwA Life Cycle Support

I. SwA in Education, Training & Certification

II. Secure Software Distribution, Deployment, & Operations

III. Code Transparency & Software Labels

IV. Assurance Case Management

V. Assurance Process Improvement & Benchmarking

VI. Secure Software Environment & Assurance Ecosystem

SwA Measurement & Information Needs

I. Making Software Security Measurable

II. Practical Measurement Framework for SwA & InfoSec

III. SwA Business Case & Return on Investment


SwA Pocket Guides and related documents are freely available for download via the DHS NCSD Software Assurance Community Resources and Information Clearinghouse at https://buildsecurityin.us-cert.gov/swa