U.S. Department of Homeland Security

Software Assurance

Software Assurance Pocket Guide Series

The SwA Pocket Guide Series comprises free, downloadable documents on software assurance in acquisition and outsourcing, software assurance in development, the software assurance life cycle, and software assurance measurement and information needs. SwA Pocket Guides are developed collaboratively by the SwA Forum and Working Groups, which function as a stakeholder community that welcomes additional participation in advancing and refining software security. Your input on these documents is welcome; please use the feedback form. For general inquiries, please email Software.Assurance@dhs.gov.


SwA in Acquisition and Outsourcing

Software Assurance in Acquisition and Contract Language
Acquisition and Outsourcing, Volume I – (Version 1.2, May 18, 2012)
Integrating software security into the acquisition life cycle promotes the acquisition of secure software. This volume of the pocket guide includes sample SwA Request for Proposal (RFP)/Contract language. Buyers and evaluators of software, as well as suppliers, can gain security risk-based insight. Buyers can put suppliers on notice that consumers are concerned about software security and about the risks to their organizations that are attributable to exploitable software.

8.5" x 11" version PDF File

Software Supply Chain Risk Management and Due Diligence
Acquisition and Outsourcing, Volume II – (Version 1.2, June 16, 2009)
Security-enhanced due diligence is a critical element of software supply chain risk management. The focus of this volume is to increase awareness of the need to include software assurance in the acquisition of software and to identify best practices for doing so. Due diligence involves taking reasonable steps to ensure that software or a software-intensive system not only meets functional and technical requirements, but also addresses software assurance concerns. Buyers and evaluators of software and services can gain security risk-based insight. They can put suppliers on notice that consumers are concerned about software security and about the risks to their organizations that are attributable to exploitable software.

8.5" x 11" version PDF File

SwA in Development

Key Practices for Mitigating the Most Egregious Exploitable Software Weaknesses
Development, Volume II – (Version 2.3, November 1, 2012)
This pocket guide focuses on key practices for preventing and mitigating the most egregious exploitable software weaknesses. These key practices were documented in the "2011 CWE/SANS Top 25 Most Dangerous Programming Errors." The Top 25 CWEs are dangerous because they will frequently allow attackers to completely take over the software, steal data, or prevent the software from working at all. Some of the practices specified in this pocket guide are derived from mitigation recommendations that were common across many of the CWEs in the CWE Top 25, and others came from approaches described on the CERT Secure Coding Wiki. The practices are not represented as being complete or comprehensive, yet they do provide a focus for getting started in SwA efforts.

8.5" x 11" version PDF File

Software Security Testing
Development, Volume III – (Version 1.0, May 21, 2012)
Software security testing validates the secure implementation of a product, thus reducing the likelihood of security flaws being released and then discovered by customers or malicious users. The goal is not to "test in security," but to validate the robustness and security of software products before they are made available to customers and to prevent security vulnerabilities from ever entering the software. This volume of the pocket guide describes the most effective security testing techniques, their strengths and weaknesses, and when to apply them during the Software Development Life Cycle.

8.5" x 11" version PDF File

Requirements Analysis for Secure Software
Development, Volume IV – (Version 2.1, May 18, 2012)
Comprehensive requirements are critical for successful system development, but all too often, requirements fail to explicitly consider security. As a result, systems meet their functional requirements but are rarely secure, and consequently become the target of attacks. Systems that carefully document security requirements reduce the likelihood of successful attacks. Security requirements include functions that implement a security policy, such as access control, identification, authentication and authorization, and other functions that perform encryption, decryption, and key management. This volume of the pocket guide describes the steps and knowledge required to establish the requirements and specifications for secure software, and when to apply them during the Software Development Life Cycle.

8.5" x 11" version PDF File

Architecture and Design Considerations for Secure Software
Development, Volume V – (Version 2.0, May 18, 2012)
The Guide to the Software Engineering Body of Knowledge (SWEBOK) defines the design phase as both "the process of defining the architecture, components, interfaces, and other characteristics of a system or component" and "the result of [that] process." The software design phase is the software engineering life cycle activity in which software requirements are analyzed in order to produce a description of the software's internal structure that will serve as the basis for its implementation. The software design phase consists of the architectural design and detailed design activities. These activities follow the software requirements analysis phase and precede software implementation in the Software Development Life Cycle (SDLC). This volume of the pocket guide compiles architecture and design techniques for software security and offers guidance on when they should be employed during the SDLC.

8.5" x 11" version PDF File

Secure Coding
Development, Volume VI – (Version 2.0, May 18, 2012)
Secure coding is a prerequisite for producing robustly secure software. The development of secure software is a complex endeavor and requires a systematic process. The most commonly exploited vulnerabilities are defects in software that seem easy to avoid. Producing secure code is not an exact science because it depends on a wide range of variables, some of which cannot be easily or accurately measured. Such variables range from the language or platform being used to the nature of the software being developed or the data with which the software is meant to work. This guide does not prescribe answers for all possible situations. Rather, it discusses fundamental practices for secure coding and lists resources that provide more information about these practices. Using these resources, practitioners can write more secure code for their particular environment.

8.5" x 11" version PDF File

SwA Life Cycle

Software Assurance in Education, Training & Certification
Life Cycle Support, Volume I – (Version 2.2, March 16, 2011)
Current events related to cybersecurity encourage a fundamental shift in the way we think about educating and training a workforce prepared to address security issues in all phases of a software system. Software assurance education and training aims to ensure adequate coverage of the requisite knowledge areas in contributing disciplines such as software engineering (including its many subdisciplines), systems engineering, project management, and others, in order to identify and acquire the competencies associated with secure software. The primary audiences for this pocket guide are educators and trainers, who can use it to identify resources that supplement their efforts and to identify strategies for injecting software assurance-related topics into existing education and training programs.

8.5" x 11" version PDF File

The Software Assurance in Education, Training & Certification Web Guide is a blog-style reproduction of the existing Software Assurance in Education, Training & Certification Pocket Guide. The web guide format allows web-based navigation among topics and provides the latest workforce education and training updates through an RSS feed.

Future SwA Pocket Guides

  • Integrating Security in the Software Development Life Cycle
  • Security Considerations for Technologies, Methodologies & Languages
  • Secure Software Distribution, Deployment, & Operations
  • Code Transparency & Software Labels
  • Assurance Case Management
  • Assurance Process Improvement & Benchmarking
  • Secure Software Environment & Assurance Ecosystem
  • Penetration Testing throughout the Life Cycle
  • Making Software Security Measurable
  • Practical Measurement Framework for SwA & InfoSec
  • SwA Business Case & Return on Investment