1 / 17

Software Assurance: An Overview of Current Industry Best Practices

Software Assurance: An Overview of Current Industry Best Practices. Randy Beavers CS 585 – Computer Security February 19, 2009. Software Assurance: An Overview of Current Industry Best Practices. Summary of Paper. Software underpins information infrastructure.

jason
Download Presentation

Software Assurance: An Overview of Current Industry Best Practices

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. Software Assurance: An Overview of Current Industry Best Practices Randy Beavers CS 585 – Computer Security February 19, 2009

  2. Software Assurance:An Overview of Current Industry Best Practices Summary of Paper • Software underpins information infrastructure. • Organizations widely and increasingly use COTS software. • Cyber attacks are becoming more stealthy and sophisticated, creating a complex environment.

  3. Software Assurance:An Overview of Current Industry Best Practices Summary of Paper (cont.) • Vendors have undertaken significant efforts to improve and protect software integrity. • Software Assurance critical to public safety and economic and national security. • Shows how SAFECode members approach software assurance, and how to use best practices for software development.

  4. Software Assurance:An Overview of Current Industry Best Practices About SAFECode • Software Assurance Forum for Excellence in Code. • A non-profit organization exclusively dedicate to increasing trust in information and communications technology products and services through the advancement of proven software assurance methods.

  5. Software Assurance:An Overview of Current Industry Best Practices Founded by: • EMC Corporation • Juniper Networks, Inc. • Microsoft Corporation • SAP AG • Symantec Corporation • Website: www.safecode.org

  6. Software Assurance:An Overview of Current Industry Best Practices The Challenge of Software Assurance and Security Software Assurance encompasses the development and implementation of methods and processes for ensuring that software functions as intended while mitigating the risks of vulnerabilities, malicious code or defects that could bring harm to the end user.

  7. Software Assurance:An Overview of Current Industry Best Practices Software Assurance: • Vital to ensuring the security of critical information. • Information and communications technology vendors have responsibility to address assurance in every stage of application development. • Integrators, operators, and end users share responsibility for ensuring security of critical information systems.

  8. Software Assurance:An Overview of Current Industry Best Practices New Risks and Countermeasures • Software assurance risks faced by users today can be categorized in three areas: • 1. Accidental design or implementation errors. • 2. The changing technological environment. • 3. Malicious insiders.

  9. Software Assurance:An Overview of Current Industry Best Practices 1. Accidental Design or Implementation Errors • Inadvertently create faulty software design or implementation highlights risk area for: • Hackers • Viruses • Worms • Other malicious attacks • Developers address risks through: • Training. • Use of secure development practices and tools.

  10. Software Assurance:An Overview of Current Industry Best Practices 2. The Changing Technological Environment • Rapid change and innovation are characteristics of the IT industry. • Criminals can and do innovate also. They have created a complex and lucrative criminal economy. • The process is one of on-going improvement as new threats are created, and new countermeasures developed and implemented.

  11. Software Assurance:An Overview of Current Industry Best Practices 3. Malicious Insiders • Growing concern that global software development processes could be exploited by a rogue programmer or organized group of programmers. • There are proven best practices that companies use to manage their unique development infrastructure and business models.

  12. Software Assurance:An Overview of Current Industry Best Practices Industry Best Practices for Software Assurance and Security • Vendors have responsibility and business incentive to ensure product assurance and security. • Customers demand software be secure and reliable. • Vendors must protect brand names and company reputations.

  13. Software Assurance:An Overview of Current Industry Best Practices Industry Best Practices for Software Assurance and Security (cont.) • Software development varies by vendor and unique products, organizational structure, and customer requirements. • No single method that yields software assurance and security. • Regardless, there is a core of best practices for software assurance and security.

  14. Software Assurance:An Overview of Current Industry Best Practices Framework for Software Development • Several different development methodologies, but they all share the following common elements: • Concept. • Requirements. • Design and Documentation. • Programming. • Testing, Integration, and Internal Evaluation. • Release. • Maintenance, Sustaining Engineering, and Incident Response.

  15. Software Assurance:An Overview of Current Industry Best Practices Framework for Software Security Across SAFECode’s membership, security best practices and controls are well established:

  16. Software Assurance:An Overview of Current Industry Best Practices Related Roles for Integrators and End Users • INTEGRATORS. • Work in partnership with vendors to mitigate vulnerabilities. • OPERATORS. • Must deploy standard layered defense security measures. • END USERS. • Responsible software use a requirement for software assurance and security.

  17. Questions www.safecode.org

More Related