Software Assurance: An Overview Of Current Industry Best Practices


Software Assurance: An Overview of Current Industry Best Practices
February 2008

Executive Summary

Software Assurance: An Overview of Current Industry Best Practices

Software underpins the information infrastructure that governments, critical infrastructure providers and businesses worldwide depend upon for daily operations and business processes. These organizations widely and increasingly use commercial off-the-shelf software (“COTS”) to automate processes with information technology. At the same time, cyber attacks are becoming more stealthy and sophisticated, creating a complex and dynamic risk environment for IT-based operations that users are working to better understand and manage. As such, users have become increasingly concerned about the integrity, security and reliability of commercial software.

To address these concerns and meet customer requirements, vendors have undertaken significant efforts to reduce vulnerabilities, improve resistance to attack and protect the integrity of the products they sell. These efforts are often referred to as “software assurance.” Software assurance is especially important for organizations critical to public safety and economic and national security. These users require a high level of confidence that commercial software is as secure as possible, something only achieved when software is created using best practices for secure software development.

This white paper provides an overview of how SAFECode members approach software assurance, and how the use of best practices for software development helps to provide stronger controls and integrity for commercial applications.

Table of Contents

The Challenge of Software Assurance and Security 4
Industry Best Practices for Software Assurance and Security 7
Framework for Software Development 9
Software Security Best Practices 12
Related Roles of Integrators and End Users 16
SAFECode’s Goals 18
Conclusion 18
Questions for Vendors about Product Assurance and Security 19
About SAFECode 20

The Challenge of Software Assurance and Security

Software assurance encompasses the development and implementation of methods and processes for ensuring that software functions as intended while mitigating the risks of vulnerabilities, malicious code or defects that could bring harm to the end user. Software assurance is vital to ensuring the security of critical information technology resources. Information and communications technology vendors have a responsibility to address assurance through every stage of application development.

SAFECode Software Assurance Definition: Confidence that software, hardware and services are free from intentional and unintentional vulnerabilities and that the software functions as intended.

This paper will focus on the software assurance responsibilities of software vendors. However, integrators, operators and end users share some responsibility for ensuring the security of critical information systems. Because of the rapidly changing nature of the threat environment, even an application with a high level of quality assurance will not be impervious to attack if improperly configured and maintained. Managing the threats we face today in cyberspace requires a layered system of security, with vendors building more secure software, integrators ensuring that the software is installed correctly, operators maintaining the system properly, and end users using the products in a safe and secure manner.

New Risks and Countermeasures

The dynamic threat environment creates challenges for all software-related operations. Vectors for attacks that could interrupt or stop critical software functions must be considered in design and development. The software assurance risks faced by users today can be categorized in three areas:

1. Accidental design or implementation errors that lead to exploitable code vulnerabilities
2. The changing technological environment, which exposes new vulnerabilities and provides adversaries with new tools to exploit them
3. Malicious insiders who seek to do harm to users or vendors

Accidental Design or Implementation Errors

The prevalence of hackers, viruses, worms and other malicious software that attack systems and networks highlights the first risk area, in which programmers inadvertently create faulty software designs or implementations. Developers address this risk through developer training and the use of secure development practices and tools. These processes are discussed in depth in the next section of this paper.

The Changing Technological Environment

Rapid change and innovation are two of the most enduring characteristics of the IT industry. But innovation is not unique to vendors. Criminals can and do innovate. In the span of only a few years a complex and lucrative criminal economy capable of supporting specialized skill sets for identifying and attacking software has developed.

The development of this sophisticated criminal economy contributes to increasingly targeted and complex attacks. Vendors commit resources to understand emerging threats and use state-of-the-art technologies, tools and techniques to develop software, hardware and services that can resist attack. The process is one of on-going improvement as new vulnerabilities are exposed, new threats are created and new countermeasures developed and implemented.

Malicious Insiders

There is a growing concern that global software development processes could be exploited by a rogue programmer or an organized group of programmers that would compromise software, hardware or services during the development process.

Vendors are extremely protective of their “soft assets” such as their code base. The complex development process and the series of controls used to protect the development process provide powerful management, policy and technical controls that reduce these risks. There is no single way to manage or control a development process. Rather there are proven best practices that companies use to manage their unique development infrastructure and business models. SAFECode members implement processes for vetting employees and contractors regardless of their country of residence. From a development perspective, these controls are focused more on “how it was made” than “where they were sitting” during the coding process. However, far more critical to software assurance is establishing and implementing processes and controls for checking and verifying software assurance irrespective of where it was produced.

CASE STUDY: EMC Corporation

A centralized Product Security Office coordinates inter-related programs for strong security assurance at EMC Corporation.

Foundation: Product Security Policy. Guides product development teams and is a common reference for product organizations to benchmark product security against market expectations and industry best practices. Metrics score company-wide use of the policy.

Architecture: Common Security Platform. A set of software, standards, specifications and designs for common software security elements such as authentication, authorization, audit and accountability, cryptography and key management using state-of-the-art RSA technology. An open interface allows integration with customers’ security architectures.

Incident Response: Product Security Response Center. Defines and enforces EMC’s vulnerability response policy to minimize risk of exposure to customers.

Knowledge: Security Training. Role-based security engineering curriculum trains new and existing engineers on job-specific security best practices and how to use relevant resources.

Process: Security Development Lifecycle. Overlays security on standard development processes for achieving a high degree of compliance with the above referenced Product Security Policy.

External Validation: Security Certification. EMC has received extensive government and industry certifications in design, implementation and management of its security processes and solutions – including Common Criteria or FIPS 140-2.

Managing Risk Through Software Assurance Best Practices

These risks can all be managed through the adoption of best practices in software assurance. While a number of international standards and certification regimes for software assurance have been issued, their effectiveness in achieving real-world reduction in vulnerabilities is debatable. Companies on their own have been taking the lead in developing and implementing practices to produce secure code that are better tuned to real-world software development processes and result in higher levels of security. SAFECode’s mission, in part, is to bring these practices together to share across the community.

Industry Best Practices for Software Assurance and Security

Software vendors have both a responsibility and business incentive to ensure product assurance and security. Customers demand that software be secure and reliable. Vendors also must produce quality products to protect and enhance brand names and company reputations. These pressures motivate vendors to minimize mistakes in coding, reduce the occurrences of post-sale vulnerabilities and related patching, and to protect sensitive data and the operational integrity of customer IT systems.

Software development processes vary by vendor according to their unique product lines, organizational structures and customer requirements. Not surprisingly, there is no single method for driving security and integrity into and across the globally distributed processes that yield technology products and services. Yet regardless of the method used, there is a core set of best practices for software assurance and security that apply to diverse development environments.

To understand how vendors are earning the trust of customers, it is useful to examine best practices employed by the software industry and how they contribute to enhancing product assurance and security.

CASE STUDY: Symantec Corporation

Symantec’s product security framework, called Product Security Life Cycle (PSLC), shapes and governs the lifespan of products. It has nine steps: engagement and preparation, education and training, security goals and planning, risk assessment, adoption of best practices, building automated routine verifications, security testing, security readiness review and security response.

Implementation of the PSLC includes a series of extensive training classes about security awareness, secure development and security testing for members of the development and quality assurance teams. This knowledge is applied with state-of-the-art tools for effective and secure source code configuration management, product build, source code analysis, product test and defect remediation. Engineers routinely compile and check code modules and the entire system. Security testing is performed by quality assurance teams and a product security team.

Third-party components and open source software used in this company’s products are subjected to additional requirements:
- Teams check all code for vulnerabilities using standard methodologies and tools;
- Providers are required to allow access to source code and/or that its vendor scan the code for common vulnerabilities;
- Teams have a documented, contractual service level agreement for security patches;
- Third-party code is implemented in a way that facilitates independent patching.

These efforts have earned leadership for this vendor in the certifications community. Many of its products are certified by Common Criteria, FIPS 140-2, ICSA Labs and Checkmark; manufacturing and distribution sites have ISO 9001 certifications.

Framework for Software Development

While there are several different development methodologies, they all share the following common elements:

Concept The initial phase of every software development lifecycle is to define what the software is supposed to do, how users will interact with the product, and how it will relate to other products within the IT infrastructure. This is when product development managers assemble the team to develop the product.

Requirements This phase translates the conceptual aspect of a product into a set of measurable, observable and testable requirements. Developers phrase these requirements as “the product shall ” and specify exactly what functions will be provided, including related degrees of reliability, availability, maintainability and interoperability. It is crucial for the requirements phase to explicitly define functionality as this will affect subsequent programming, testing and management resources expended in the development process.

Design and Documentation Efficient programming requires systematic specifications of each requirement for a software application. This phase is more than an explicit, detailed description of product functionality. The level of detail in this phase will adequately enable production of near-final drafts of documentation to coincide with final release of the product.

Programming This phase is where programmers translate the design and specification into actual code. Effective coding requires implementers to enforce consistent coding practices and standards throughout all aspects of producing the application. Best practices for coding ensure that all programmers will implement similar functions in a similar manner. Programmers require appropriate training to ensure implementation of these standards.

Testing, Integration and Internal Evaluation This function verifies and validates coding at each stage of the development process. It ensures that the concept is complete, that requirements are well-specified, measurable, and that test plans and documentation are comprehensive and consistently applied to all modules, subsystems, and integrated with the final product. Verification and validation occurs at each stage of development to ensure consistency of the application. Complex projects require testing and validation methodologies that anticipate potentially far-fetched circumstances. That testing simulates the kind of duress that an attacker might apply to break an application.

Release This phase makes the application available for general use by customers. Before releasing the application, a software provider must ensure that the application meets product criteria, identify delivery channels, train the sales organization to match target buyers with the product’s functionality, and fulfill orders. The application’s vendor support team must be able to respond to customer queries at production volumes worldwide.

Maintenance, Sustaining Engineering and Incident Response These processes support released products. Applications must be updated with bug fixes, user interface enhancements, or other modifications meant to improve the usability and performance of the product. Defects fixed in this phase of the product lifecycle are merged into the subsequent version of code, and analysis is conducted to mitigate the possibility of their recurrence in future versions or other products.

CASE STUDY: Juniper Networks

Juniper Networks implements a TL 9000 certified process for managing product development. This process is audited regularly and protects the integrity of our products while providing accountability and predictability. Projects are managed from concept to end of life (EOL) via a 7-phase process that includes:
- Concept and Feasibility
- Plan and Specifications
- Design, Implementation and Prototype
- System Test
- Beta Test and Pilot Build
- Production
- End of Life

Concept and Feasibility
Requirements are defined, tracked, and managed via a database in this phase of the process. If the requirement originated from a customer, then the customer must approve the requirements document to ensure the design is what the customer really wanted.

Plan and Specifications
The development and delivery schedule is identified in this phase. The engineering team is defined, including software engineering, a scoping team leader, and a product manager. A manufacturing plan, as well as a diagnostic test plan, is defined in this phase.

CASE STUDY: Juniper Networks (continued)

Design, Implementation and Prototype
A software manager is assigned at this point and a scoping team leader manages the team that documents the functional design specification and the system test plan. A release target is identified and a software engineer is assigned. Code reviews are conducted in this phase and a member of Juniper’s security research team is included in the process. External auditors may be engaged at this point as necessary for certification processes such as FIPS or Common Criteria.

All source code is derived from a single train of code, checked in and out of the mainline via a source code management system (SCM) to track changes, and any changes made must be documented and peer reviewed. Juniper utilizes a company-wide bug tracking system that is integrated with our SCM, and all bugs are assigned a bug tracking number.

System Test
Hardware and software unit testing is performed and the reports are reviewed in this phase. Products are evaluated by an internal team made up of system test, software engineering, the software manager, hardware engineering, and technical publications. Code reviews and code scanning tools are employed to minimize mistakes and vulnerabilities. If penetration testing is appropriate it is conducted at this point. Beta plans are defined, and training plans are then created. Prototypes are built during this phase.

Beta Test and Pilot Build
After a successful internal system test, the product moves into beta testing. Any applicable regulatory testing is performed. Any software changes are coded, documented, reviewed, and checked into the main line of code via the SCM tool. The logistics sparing plan, the training plan, and all documentation are completed during this stage.

Production
The product is reviewed again by the team before being committed to a specific release of software. After internal system test and beta testing are successful, the product enters regression testing before being made available for release. Common Criteria and/or FIPS verification testing is scheduled at this point if appropriate. The end-of-life timeframe for the product is predicted.

Product bugs or vulnerabilities during production are reported, assigned a number, and tracked in a bug tracking system. Resulting code changes are tracked within SCM, the same as initial code design. The code changes are again peer reviewed and code scanning may be employed if appropriate. After verification of code, the product is regression tested and scheduled into a maintenance release.

End of Life
The product end of life is formally announced and the notice is posted to our customer service website.

Software Security Best Practices

In each stage of the software development lifecycle defined above, there are best practices for instilling security in a software application. Across SAFECode’s membership, the following security best practices and controls are well established:

Security Training A prerequisite to developing secure software is for the development team to be well-versed in information security – including security and privacy issues that may affect people who use the product. Some vendors use external trainers to deliver security training to their product developers. Other vendors have established in-house trainers and online educational content to customize the training to their specific technologies and applications. Training topics include a wide range of issues such as how to do threat modeling, role-based security engineering, avoiding unsafe library function calls and preventing cross-site scripting errors. Trainers leverage the available published materials from industry and academia.

Defining Security Requirements Security requirements must be defined during the early stages of product development, especially the requirements definition stage. Security requirements must go in tandem with product development and therefore address architecture and design, product development and programming best practices, and requirements for assurance, testing and serviceability. Security requirements set at the outset of a product development cycle may include specific security metrics and goals for each major phase of development. Some teams measure the effectiveness of design security reviews or code audits as well as security testing goals. These requirements are set at the beginning of the project and then checked during the development cycle. Quality Assurance teams will set their security testing goals during this phase.

Secure Design The early design phase must identify and address potential threats to the application and ways to reduce the associated risks to a negligible level. These objectives may be accomplished with threat modeling and mitigation planning, which includes analyzing the system, and potential vulnerabilities and attack vectors from an adversary’s perspective. Some vendors formalize their attack vector analysis through threat modeling. Security experts can be brought in to help facilitate this process of identifying potential threats and developing designs that mitigate those threats.

Secure Coding The product development team must implement secure programming practices. This is where programmers exercise the secure coding skills they learned during their training. These require inspection of an application’s source code to identify vulnerabilities induced by coding errors, and implement secure programming practices that reduce the frequency and severity of those errors. Examples of secure coding practices include source code review using a combination of manual analysis and/or automated analysis tools for identifying potential security defects.

Secure Source Code Handling Security best practices include careful handling of source code, including tight change management and tracking and confidentiality protection of code such that only authorized persons are permitted to view or modify its contents in order to prevent malicious insiders from introducing vulnerabilities. Systems that process or handle source code must be protected from unauthorized access inside or outside the developing company, and from intentional or unintentional unauthorized modification. Design and code reviews are also conducted as a way of preventing malicious insertion of code.

Security Testing Security testing is specialized validation that ensures that the security requirements were met and the secure design and coding guidelines were followed. Testing may include vulnerability analysis, penetration testing, or use of security testing techniques such as “fuzzing” or varying external inputs to identify potential buffer overflows and other errors. Some vendors not only do internal testing, but also submit their products to external testing or certification. Penetration testing by independent teams can uncover vulnerabilities that would not be detectable using other means.

Security Documentation Software product documentation must include explicit treatment of security issues to help customers understand how to optimally configure security controls, and how configuration options may or may not expose potential security vulnerabilities. Examples include creating a Security Configuration Guide as a standard part of product documentation.

Security Readiness Just before releasing a product, the application developer must evaluate, document and assess risks posed by potential security gaps in the product. This risk management best practice enables a product development organization to evaluate the security posture of a product and whether it is safe to proceed with its release to general availability. For some vendors, this phase is where a final check is done to ensure that all of the security requirements set in the requirements phase have been met.

Security Response Any security vulnerabilities (exploited or not) reported against the deployed product are handled through incident response and relayed to the product development or sustaining teams to mitigate the vulnerability. Communication with the discoverers and the customers is important to ensure that proper actions are taken to mitigate the risk. In some cases, this may mean the vendor will issue a patch to the product. Some vendors have developed technologies that enable customers to receive security patches automatically to minimize their exposure to risks.

Integrity Verification Some products offer customers methods such as signed code for verifying that the software they have acquired is indeed from their trusted vendor. Using public key technology to sign code is an example of enabling integrity verification. Some software companies also build in integrity checks on an on-going basis to assure that the components in the solution are indeed bona-fide components.

Security Research Developers learn to adapt new technologies to provide greater customer capability and value. Along with this investigation comes research into new threat vectors and mechanisms to mitigate them. Similarly, as new attack vectors against existing technologies become known, developers implement mechanisms to defend against them.

Security Evangelism Leaders in the area of software assurance promote the use of best practices by discussing their practices and findings in open forums, articles, papers and books. SAFECode is a central forum for promoting the use of best practices to those who need guidance.
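The signed-code and ongoing component checks described under Integrity Verification, as an added example in Go that is not code from the paper or from any SAFECode member: the vendor signs a release manifest of SHA-256 digests with an Ed25519 key, and the customer verifies that signature with the vendor's public key (obtained out of band) before checking each installed component against the manifest. The product name, file names and file contents are constructed sample values.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"encoding/json"
	"errors"
	"fmt"
	"sort"
)

// Manifest lists every component shipped in a release with its SHA-256 digest.
// The vendor signs the JSON encoding of the whole manifest (encoding/json sorts map
// keys, so the bytes are deterministic); a trusted signature makes every digest trusted.
type Manifest struct {
	Product    string            `json:"product"`
	Version    string            `json:"version"`
	Components map[string]string `json:"components"` // file name -> hex SHA-256
}

// BuildManifest is the vendor-side step that digests each component to be shipped.
func BuildManifest(product, version string, components map[string][]byte) Manifest {
	m := Manifest{Product: product, Version: version, Components: map[string]string{}}
	for name, data := range components {
		sum := sha256.Sum256(data)
		m.Components[name] = hex.EncodeToString(sum[:])
	}
	return m
}

// Sign produces the vendor's Ed25519 signature over the encoded manifest.
func Sign(priv ed25519.PrivateKey, m Manifest) ([]byte, error) {
	b, err := json.Marshal(m)
	if err != nil {
		return nil, err
	}
	return ed25519.Sign(priv, b), nil
}

// VerifyManifest is the customer-side step: the vendor's public key must validate
// the signature before any digest in the manifest is relied upon.
func VerifyManifest(pub ed25519.PublicKey, m Manifest, sig []byte) error {
	b, err := json.Marshal(m)
	if err != nil {
		return err
	}
	if !ed25519.Verify(pub, b, sig) {
		return errors.New("manifest signature invalid: not from the trusted vendor, or modified after signing")
	}
	return nil
}

// VerifyComponents is the ongoing integrity check: every listed component must be present
// with its signed digest and nothing unlisted may appear. It returns sorted problems; empty means bona fide.
func VerifyComponents(m Manifest, installed map[string][]byte) []string {
	var problems []string
	for name, want := range m.Components {
		data, ok := installed[name]
		if !ok {
			problems = append(problems, name+": missing")
			continue
		}
		sum := sha256.Sum256(data)
		if hex.EncodeToString(sum[:]) != want {
			problems = append(problems, name+": digest mismatch")
		}
	}
	for name := range installed {
		if _, ok := m.Components[name]; !ok {
			problems = append(problems, name+": not in signed manifest")
		}
	}
	sort.Strings(problems)
	return problems
}

func main() {
	// Vendor side: a signing key (in practice kept in an HSM), then build and sign the manifest.
	pub, priv, _ := ed25519.GenerateKey(rand.Reader)
	// Constructed sample components standing in for real release artifacts.
	release := map[string][]byte{
		"agent.bin": []byte("constructed agent binary 1.2"),
		"plugin.so": []byte("constructed plugin 1.2"),
	}
	m := BuildManifest("ExampleProduct", "1.2", release)
	sig, _ := Sign(priv, m)
	// Customer side: check the signature first, then each component against the manifest.
	fmt.Println("manifest signature ok:", VerifyManifest(pub, m, sig) == nil)
	fmt.Println("clean install problems:", VerifyComponents(m, release))
	// A replaced component fails the ongoing check even though the manifest itself is genuine.
	tampered := map[string][]byte{"agent.bin": []byte("replaced"), "plugin.so": release["plugin.so"]}
	fmt.Println("tampered install problems:", VerifyComponents(m, tampered))
	// A manifest edited after signing (here the version field) fails signature verification.
	m.Version = "1.3"
	fmt.Println("edited manifest rejected:", VerifyManifest(pub, m, sig) != nil)
}
```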

CASE STUDY: SAP

At SAP, the software development process is governed by an overall process framework called “Product Innovation Lifecycle” (PIL). PIL consists of process standards which describe the different development phases such as invention, product definition, development, and testing up to continuous improvement, as well as product standards which cover cross-product aspects like accessibility, total cost of ownership, legal requirements, or globalization.

Security is a product standard within PIL. The standard has evolved from a number of sources, including SAP development experience, know-how contributed by renowned security specialists, market trends, customer feedback, legal requirements, SAP strategy, and research findings. It consists of a security planning framework with best practices for addressing common security issues, and a security report that reflects the status of the implementations defined in the security plan after development. In addition, it includes test case descriptions for a number of requirements.

The security standard represents the core of secure software delivery at SAP. It is complemented by security training for developers and testers, in-house security tests, white-box and black-box security hacking by external partners on selected top-priority components, as well as a global product security reporting framework that allows it to track the performance of different product groups regarding software security. Most SAP applications are based on a secure framework (SAP NetWeaver) with standardized security features, freeing application developers from security development tasks. Security coaching is also available for application developers.

The fact that SAP knows every single one of its customers allows for a highly efficient security management. Security issues can be communicated privately to customers via “Hot News”, eliminating the need for public announcements. However, the research community has been showing a growing interest in SAP software. To provide first-hand information and create transparency, SAP maintains security forums and publishes newsletters. Customers and researchers can also contact the SAP Security Response Team directly via security@sap.com.

In addition, the SAP Security Optimization Service can be used to check a customer’s security status, and a staff of highly-qualified security consultants is available for remote or on-site support in security questions.

Related Roles of Integrators and End Users

The best practices described above are aimed squarely at software vendors and their global supply chain of developers. Software assurance, however, does not end with the vendor. It is a continuous process. The broader ecosystem of software integrators, operators and end users who buy and deploy the applications all contribute to the overall assurance of a product or a system.

- Integrators: As applications are scaled to very large environments and integrated with other products and legacy systems, new vulnerabilities that did not exist in the stand-alone product may be introduced. Integrators must work in partnership with software vendors to find and mitigate these vulnerabilities.
- Operators: Operators must ensure that systems remain properly configured. Automated patching should be enabled to speed the remediation of vulnerabilities. Operators must also deploy standard layered defense measures for security, such as firewalls, antivirus, anti-malware, anti-phishing, intrusion detection and prevention, virtual private networks, strong authentication and identity management.
- End users: End users must take the responsibility to report potential bugs or vulnerabilities and must not introduce software from untrusted sources into systems. Responsible use of software is an important ongoing requirement for assurance and security.

CASE STUDY: Microsoft Corporation

Microsoft supplemented its existing software development framework with security and privacy requirements with dual goals of reducing vulnerabilities

- Verification: As the product enters beta testing, the security team conducts additional testing at a deeper level than during the Implementation phase. In-house penetration testing resources are often supplemented by external design review and penetration testing contractors. Attack surface analysis and fuzz-testing is performed during verification.
- Release: At this point, an assessment is made of the overall SDL adherence by looking at security test results, defenses, mitigations, tools use and status of bug resolution. Finally, security response plans are put in place.
- Support and Servicing: A central security response team handles externally reported vulnerabilities. The central security team works closely with the security response team and uses information about newly reported vulnerabilities to update tools, education materials, coding standards, and potentially the security development process to minimize vulnerabilities in future product versions.

