The Need
Current events related to cybersecurity encourage a fundamental shift in the way we think about educating and training a workforce prepared to address security issues in all phases of a software system. Software assurance education and training touches on software engineering (including its many sub-disciplines), systems engineering, project management, and other disciplines (shown in the chart Key SwA Knowledge Areas and Efforts, page 6). The goal is to equip the workforce with the ability to identify and acquire the competencies associated with secure software. The primary audiences for this pocket guide are educators and trainers, who can use it to identify resources to supplement their efforts and to identify strategies for injecting software assurance-related topics into existing education and training programs.
The objective of software assurance is to ensure that the processes, procedures, and products used to produce and sustain the software conform to all specified requirements and standards. Software assurance in its broader sense refers to the assurance of any required property of software. However, in the context of this pocket guide, software assurance is concerned with assuring the security of software.
Building secure software requires a workforce that understands the processes and technologies that provide the basis for belief that software will consistently exhibit all properties required to ensure that the software will operate as expected, despite the presence of faults introduced by a malicious adversary. The Ware Report (1969) identified that:
“Probably the most serious risk in system software is incomplete design, in the sense that inadvertent loopholes exist in the protective barriers and have not been foreseen by the designers.”
Later the Anderson Report (1972) clearly established the technical problem to be solved as that of:
“…determining what constitutes an appropriate defense against malicious attack, and then developing hardware and software with the defensive mechanisms built in.”
Nearly forty years later, as we find ourselves in the midst of a highly interconnected cyber infrastructure, the need for a workforce with better skills to build security in cannot be emphasized enough. The objective is to enable a workforce competent in managing, designing, implementing, and evaluating systems that can enforce security policies and fulfill security expectations. This workforce should be able to develop a well-reasoned and auditable basis for believing that the software will function as expected, i.e., to have justifiable arguments in response to questions such as:
How secure is your software?
What is it secure against?
How does it achieve its security goals?
This Pocket Guide presents a general map of the areas of knowledge to cover in order to build security into software. The guide organizes the resources available for SwA outreach by avenue of approach: student curricula, workforce improvement, injection of subject-area material into related disciplines, credentialing, awareness, and independent study.
RESOURCES
Willis Ware, Security Controls for Computer Systems (U): Report of Defense Science Board Task Force on Computer Security; Rand Report R609-1, The RAND Corporation, Santa Monica, CA, Feb. 1970.
James P. Anderson, Computer Security Technology Planning Study, ESD-TR-73-51, ESD/AFSC, Hanscom AFB, Bedford, MA 01731, Oct. 1972.
The Need for Software Assurance
3/29/12
Guiding Questions for SwA Curriculum Development:
Activities: What engineering activities or aspects of activities are related to achieving secure software?
Knowledge: What knowledge is needed to perform these activities or aspects?