Welcome to this special Software Assurance (SwA) edition of the Journal of Cyber Security & Information Systems, published by the Cyber Security & Information Systems Information Analysis Center (CSIAC).
Software is ubiquitous. It is at the core of every deployed critical system in the DoD (and our society, for that matter). As our systems become more complex and the software that supports these systems explodes in size, our adversaries are presented with an ever-increasing attack surface, which they have repeatedly demonstrated the capability to exploit. The need to gain confidence that this software is free from exploitable vulnerabilities and malicious behavior has never been more important. Gaining confidence — that is “assurance” — in software is more than simply testing the software to show correct functionality or running tools against the code to identify known flaws; it requires an acquisition and development discipline augmented with technology, supported by sound policy, measurement practices, and deployment processes that achieve the necessary confidence that our systems are fit to protect our country’s most valuable assets.
Although it is easy to acknowledge that “assured software” is a critical national priority, we still lack strong examples of assured software that is truly securely designed, implemented and deployed. To date, the DoD has not demonstrated a full understanding of the shape of the field that underlies the process of producing, sustaining and acquiring secure software. Decision makers often have trouble “connecting the dots” among the detailed, disparate data available from interactively complex systems. As a result, they can find it difficult to understand a system’s macro-level behavior and the risks that their deployed software faces. Over the past 20 years, the rules of the game have changed — building software without accounting for security is no longer an acceptable risk.
This edition explores different aspects of developing and deploying assured software, and of training on how to build it. Articles are contributed by software assurance practitioners from the DoD and civil government who are devoted to the advancement of secure development principles in U.S. government critical systems. We hope that you can get a flavor of some of the exciting things happening in this space, identify some principles that will improve your software assurance posture and find opportunities to connect with key players in the community to support your assured software development/acquisition process.