U.S. Department of Homeland Security

Software Assurance

Getting Started in Software Assurance (SwA)

Recognizing that your software environment and your program’s software supply chain contain weaknesses that attackers may exploit as operational vulnerabilities is a major step toward securing that supply chain. It is, however, only a first step; securing the entire supply chain for your software is a much larger undertaking. The key to improving your software assurance is to make incremental improvements in the security of the software in your supply chain. No single remedy will remove or mitigate all of the weaknesses in your software, or all of the risk they carry. Several methods, tools, and culture changes will have to work in concert to build a supply chain that addresses the weaknesses you know exist but have not yet located. There is no crystal ball or magic wand that will make your software absolutely secure against weaknesses no one has yet identified. You can, however, take steps that reduce the exposure of your software and its users to new and existing vulnerabilities. With this SwA on-ramp, you can learn how to

Staying Informed About SwA

The Department of Homeland Security (DHS) Office of Cybersecurity and Communications (CS&C) Software Assurance (SwA) Program, in collaboration with organizations in the Department of Defense (DoD) and the National Institute of Standards and Technology (NIST), co-sponsors SwA Working Groups as part of the SwA Forum to bring together members of government, industry, and academia to discuss, develop, and implement software security practices, methodologies, and technologies. To support these efforts, DHS CS&C hosts the Build Security In website and this Software Assurance Community Resources and Information Clearinghouse website, at which you can

Using Software Assurance Pocket Guide Series to Gain Key Understanding

The Software Assurance (SwA) Pocket Guides are a series of “getting started” resources, sponsored by the Department of Homeland Security (DHS) Office of Cybersecurity and Communications (CS&C) Software Assurance Program, targeted at specific portions of the software assurance lifecycle. Learn about software assurance in acquisition and outsourcing, development, and throughout the lifecycle by downloading our free SwA Pocket Guide Series. These guides should be your next step in learning about software assurance. Currently, the pocket guides cover the following topics:

Engineering for Security in Software

The Common Weakness Enumeration (CWE™) is international in scope and free for public use. It provides a unified, measurable set of software weaknesses that enables more effective discussion, description, selection, and use of software security tools and services that can find those weaknesses in source code and operational systems, as well as a better understanding and management of weaknesses rooted in architecture and design. Each CWE entry lists mitigation practices for avoiding or preventing the introduction of the weakness into exploitable software. This section introduces specific steps you can take to assess your own software assurance situation and compose a tailored plan to strengthen your assurance of the integrity, reliability, and robustness of your software supply chain. Learn more by following the links below:

Using SwA Self-Assessments for Software Supply Chain Risk Management

The SwA Checklist identifies common elements of publicly available software assurance models. In order to facilitate understanding of how multiple models address assurance goals, members of the Processes and Practices Working Group created the SwA Checklist for Software Supply Chain Risk Management. The SwA Checklist provides a consolidated view of current software assurance goals and best practices in the context of an organized SwA initiative. The checklist includes mappings between the SwA Checklist practices and practices identified in existing SwA maturity models and related capability maturity models. This mapping provides a valuable reference for those wishing to improve their software assurance capabilities.

The checklist is an interactive Microsoft Excel spreadsheet that provides a cross-reference of goals and practices with side-by-side mappings to several publicly available models including the following models:

The SwA Checklist Mapped Maturity Models [pdf] provides brief descriptions of each maturity model mapped within the SwA Checklist. Organizations can use the SwA Checklist to learn more about current software assurance best practices and as a means of establishing an assurance baseline from which to show progress. Organizations can select the model components most applicable to their needs and use the mappings to identify a maturity path to improve their software assurance practices.