Software Assurance (SwA) Communities
SwA Forum and Working Groups (WGs)
Receive Announcements from the SwA Community
Stay informed about upcoming SwA events and receive the latest on the SwA Forum and WG Sessions by subscribing to the SwA e-mail list server. To unsubscribe, use the list server's unsubscribe link. Please send messages to the list in plain text.
Join a SwA WG
The Department of Homeland Security (DHS) Office of Cybersecurity and Communications (CS&C) SwA Program, in collaboration with organizations in the Department of Defense (DoD) and the National Institute of Standards and Technology (NIST), co-sponsors SwA WGs as part of the SwA Forum to bring together members of government, industry, and academia to discuss, develop, and implement software security practices, methodologies, and technologies. Information about SwA WG activities can be found on the web page for each group. To join a WG, send an e-mail to software.assurance[at]dhs.gov.
Join the SwA Mega-Community on LinkedIn
Professionals can stay connected with others interested in software security, quality, and resiliency, and can remain updated on relevant activities, publications, and articles on SwA, by joining the SwA Mega-Community on LinkedIn; also consider joining the SwA Education community on LinkedIn.
The following collaborate within the SwA Community:
- United Kingdom’s Software Security, Dependability and Resilience Initiative (SSDRI)
- The International Council of E-Commerce Consultants (EC-Council)
- Security and Software Engineering Research Center (S2ERC)
- The Open Web Application Security Project (OWASP)
- Software Assurance Forum for Excellence in Code (SAFECode)
- CERT
- The United States Computer Emergency Readiness Team (US-CERT)
- The Object Management Group (OMG™) Systems Assurance Task Force (SysA PTF)
- The Software Assurance Consortium (SwAC)
- The NIST SAMATE (Software Assurance Metrics And Tool Evaluation) project
- The SANS Software Security Institute (SSI)
- International Information Systems Security Certification Consortium, Inc., (ISC)²®
- ISACA
- Consortium for IT Software Quality (CISQ)
- The QAI Global Institute
- The Open Group
- Rugged Software
- The Financial Services Technology Consortium (FSTC)
- The Data & Analysis Center for Software (DACS)
- The Information Assurance Technology Analysis Center (IATAC)
- The Information Systems Security Association (ISSA)®
- Making Security Measurable
- The Defense Acquisition University
- U.S. Department of Homeland Security (DHS) Software Assurance Program
- Open Source Software Institute (OSSI)
- United Kingdom’s Software Security, Dependability and Resilience Initiative (SSDRI) is the UK's Coordination, Support and Innovation Activity for Making Software Better; it is a not-for-profit public-private partnership with stakeholders representing all sections of the UK economy. It is based in the Cyber Security Centre (CSC) of De Montfort University (DMU), with a Steering Committee, currently chaired by Cranfield University, providing overall governance of activity. The committee consists of this cross-section of stakeholder members: [1] the Demand-side, in both the public sector (central government departments and specialist agencies) and private sector (representatives from the Energy and Finance sectors); [2] the Supply-side (software developers both small and large); and [3] those producing the Corpus of knowledge (academic and research bodies, and the professions in the form of the BCS and IET).
- The International Council of E-Commerce Consultants (EC-Council) is a member-based organization that certifies individuals in various e-business and information security skills. It is the owner and developer of the Certified Ethical Hacker (C|EH), Computer Hacking Forensics Investigator (C|HFI), and EC-Council Certified Security Analyst (E|CSA)/Licensed Penetration Tester (L|PT) programs, and various others offered in over 60 countries around the globe. EC-Council is the creator of the Hacker Halted conference and workshop series and has established the EC-Council University, based in New Mexico, which offers both bachelor's and master's degree programs.
- Security and Software Engineering Research Center (S2ERC) conducts a program of applied and basic research on software security, system security, and software technology problems of interest to its members. The goal of this research is to enable security and software technology gains within member organizations.
- The Open Web Application Security Project (OWASP) is a 501(c)(3) not-for-profit worldwide charitable organization focused on improving the security of application software. OWASP’s mission is to make application security visible, so that people and organizations can make informed decisions about true application security risks. Everyone is free to participate in OWASP, and all of its materials are available under a free and open software license. OWASP provides community collaboration through numerous projects. An OWASP project is a collection of related tasks that have a defined roadmap and team members. OWASP project leaders are responsible for defining the vision, roadmap, and tasks for the project; the project leader also promotes the project and builds the team. Tools and documents are organized into the following categories: PROTECT, to guard against security-related design and implementation flaws; DETECT, to find security-related design and implementation flaws; and LIFE CYCLE, to add security-related activities into the Software Development Life Cycle (SDLC).
- Software Assurance Forum for Excellence in Code (SAFECode) is a non-profit organization exclusively dedicated to increasing trust in information and communications technology products and services through the advancement of effective software assurance methods. SAFECode is a global, industry-led effort to identify and promote best practices for developing and delivering more secure and reliable software, hardware, and services. Its members include Adobe Systems Incorporated, EMC Corporation, Juniper Networks, Inc., Microsoft Corp., Nokia, SAP AG and Symantec Corp. They have also published a number of free resources on software security that can be found at http://www.safecode.org/publications.php
- CERT is tackling the challenge of correcting defects before the software ships in a number of ways. Research is underway in Cyber Security Engineering to address security measurement, security for the supply chain, and security quality requirements engineering (SQUARE). In addition, its secure coding initiative seeks to identify the programming errors most likely to cause security breaches and to develop practices for avoiding them. Its work on vulnerability analysis strives to identify and reduce vulnerabilities both in software that is being developed and in software that is already deployed. CERT's work on Function Extraction (FX), a new, theory-based technology for automated calculation of the functional behavior of software, is leading toward a better understanding of program behavior. This understanding is essential for discovering errors and vulnerabilities, and also for improving software specification, architecture, design, implementation, and the development processes that produce them.
- The United States Computer Emergency Readiness Team (US-CERT) is the operational arm of the National Cyber Security Division (NCSD) at DHS. US-CERT is charged with providing response support and defense against cyber attacks for the Federal Civil Executive Branch (.gov), and with information sharing and collaboration with state and local government, industry, and international partners. Through its National Cyber Alert System, US-CERT allows anyone to submit a vulnerability and provides vulnerability advisories for users of various skill levels.
- The Object Management Group (OMG™) Systems Assurance Task Force (SysA PTF) works within the OMG and other industry groups to adapt and extend OMG technologies that apply across domains to enhance System Assurance. It also aims to establish a common framework for the analysis and exchange of information related to system assurance and trustworthiness. Lastly, the SysA PTF seeks to promote System, Software, and Information Assurance in OMG product interoperability mechanisms. All of its specifications may be downloaded without charge from its website.
- The Software Assurance Consortium (SwAC) brings together representatives of organizations (including government agencies, other software end-users, and vendors) that have increased risk exposure attributable to exploitable software that they acquire from others. Members of SwAC have the opportunity to formally drive SwA initiatives forward for their organizations or for themselves. SwAC also provides its members the means to evaluate and differentiate between software products based on measures of trustworthiness.
- The NIST SAMATE (Software Assurance Metrics And Tool Evaluation) project is dedicated to improving SwA by developing methods to enable software tool evaluations, measuring the effectiveness of tools and techniques, and identifying gaps in tools and methods. The scope of the SAMATE project is broad: ranging from operating systems to firewalls, SCADA to web application scanners, and source code security analyzers to correct-by-construction methods. Some particular efforts are a public reference dataset of example source code and an annual Static Analysis Tool Exposition (SATE).
- The SANS Software Security Institute (SSI) brings computer security training to developers, programmers, and application security professionals. It offers training for web application security and hacking defense, secure coding, software security testing, code review, PCI compliance, and language-specific training for Java/JEE, .NET, C, and others. It also offers the Programmer/Developer Certification (GSSP) through its GIAC affiliate, and is a source of free resources such as the Top 25 Most Dangerous Programming Errors.
- International Information Systems Security Certification Consortium, Inc., (ISC)²® (pronounced "ISC-squared") is a non-profit organization that educates and certifies information security professionals throughout their careers. The most widely known certification offered by the organization is the Certified Information Systems Security Professional (CISSP). The Certified Secure Software Lifecycle Professional (CSSLP) Certification Program shows software lifecycle stakeholders how to implement security and how to glean security requirements, and how to design, architect, test, and deploy secure software. Attendees of the Software Assurance Forums and Working Group Sessions can receive "Continuing Professional Education" (CPE) credits.
- ISACA is an international professional association that deals with IT governance. Previously known as the Information Systems Audit and Control Association, ISACA now goes by its acronym only, to reflect the broad range of IT governance professionals it serves. Its website contains articles regarding secure software development and testing. Attendees of the Software Assurance Forums and Working Group Sessions can receive "Continuing Professional Education" (CPE) credits for many ISACA certifications.
- Consortium for IT Software Quality (CISQ) is an IT industry leadership group composed of IT executives from the Global 2000, system integrators, outsourced service providers, and software technology vendors committed to introducing a computable metrics standard for measuring software quality and size. Work products from CISQ are created in five technical working groups: Size, Maintainability, Reliability and Performance, Security, and Best Practices for Metric Use. The Security technical working group aims to “Measure elements affecting vulnerability to attack and loss.”
- The QAI Global Institute, formerly known as the Quality Assurance Institute, serves a wide variety of industries. It provides "one-stop-shop" access to a wealth of concepts and to skills building and reinforcement through consulting, training, assessments, benchmarking, certification, conferences, and e-Learning, and it supports practitioners by facilitating corporate and individual membership programs.
- The Open Group is a vendor- and technology-neutral consortium whose vision of Boundaryless Information Flow™ is to enable access to integrated information within and between enterprises based on open standards and global interoperability. The Open Group works with customers, suppliers, consortia, and other standards bodies to capture, understand, and address current and emerging requirements, establish policies, and share best practices. These efforts help the organizations the Open Group works with to facilitate interoperability, develop consensus, and evolve and integrate specifications and open source technologies. The Open Group also aims to offer a comprehensive set of services and certifications.
- Rugged Software is an effort to invigorate developers’ interest in producing secure, or “Rugged,” software. To learn more, see its presentation or its Google Group.
- The Security Consortium is a leading provider of security test, research, design, and counsel services. It has data sheets, case studies, and white papers regarding SwA that are available on request from its website.
- The Financial Services Technology Consortium (FSTC) sponsors noncompetitive collaborative research and development of interbank technical projects affecting the entire financial services industry. They have established the FSTC Software Assurance Initiative (SAI) to address application-related issues and benefit from collaboration with BITS, FSSCC, INFOSEC, and other industry associations. The SAI will help participants address challenges in four areas: secure architecture design principles, application-related security metrics, risk-based security investment approach, and software testing and evaluation.
- The Data & Analysis Center for Software (DACS) is a Department of Defense (DoD) Information Analysis Center (IAC). The DACS has been designated as the DoD Software Information Clearinghouse, serving as an authoritative source for state-of-the-art software information and providing technical support for the software community. The DACS offers links to SwA resources, including Enhancing the Development Life Cycle to Produce Secure Software, Version 2.0.
- The Information Assurance Technology Analysis Center (IATAC) is a U.S. Department of Defense Information Analysis Center (IAC) established under the direction of the Defense Technical Information Center (DTIC) and the integrated sponsorship of the Assistant Secretary of Defense for Networks and Information Integration (ASD/NII), the Joint Staff, and the Director of Defense Research and Engineering (DDR&E), whose missions direct the DoD's responses, developments, and operations regarding IA. IATAC's mission is to provide the DoD a central point of access for information on emerging Information Assurance technologies in system vulnerabilities, research and development, models, and analysis, to support the development and implementation of effective defense against Information Warfare attacks. See IATAC's State of the Art Report on Software Security Assurance.
- The Information Systems Security Association (ISSA)® is a not-for-profit, international organization of information security professionals and practitioners. It provides educational forums, publications, and peer interaction opportunities that enhance the knowledge, skills, and professional growth of its members. The primary goal of the ISSA is to promote management practices that will ensure the confidentiality, integrity, and availability of information resources. The ISSA facilitates interaction and education to create a more successful environment for global information systems security and for the professionals involved. Members include practitioners at all levels of the security field in a broad range of industries, such as communications, education, healthcare, manufacturing, financial, and government.
- Making Security Measurable represents a community collaboration effort focused on a set of information assurance standards and related initiatives developed by the MITRE Corporation in collaboration with government, industry, and academic stakeholders. The Common Weakness Enumeration (CWE)™ is international in scope and free for public use. It provides a unified, measurable set of software weaknesses that enables more effective discussion, description, selection, and use of software security tools and services to find weaknesses in source code and operational systems. It also provides a better understanding and ability to manage software weaknesses related to architecture and design. To assist in enhancing security throughout the software development lifecycle, and to support the needs of developers, testers and educators, the Common Attack Pattern Enumeration and Classification (CAPEC)™ is sponsored by the Department of Homeland Security as part of the Software Assurance strategic initiative of the National Cyber Security Division. The objective of this effort is to provide a publicly available catalog of attack patterns along with a comprehensive schema and classification taxonomy. Malware Attribute Enumeration and Characterization (MAEC)™ is a standardized language for encoding and communicating high-fidelity information about malware based upon attributes such as behaviors, artifacts, and attack patterns.
- The Defense Acquisition University touches nearly every member of the Defense Acquisition Workforce throughout all career stages. The university provides a full range of basic, intermediate, and advanced certification training, assignment-specific training, applied research, and continuous learning opportunities. The university also fosters professional development through mission assistance, rapid-deployment training on emerging acquisition initiatives, online knowledge-sharing tools, and continuous learning modules.
- The Open Source Software Institute (OSSI) is a membership-based, non-profit 501(c)(6) organization composed of corporate, government, academic, and open source development community representatives whose mission is to promote the development and implementation of open source software solutions within U.S. Federal, state, and local government agencies. It is aligned with the Open Technology Research Consortium to provide the OSSI Working Group, which facilitates communication and collaboration between government adopters of open source solutions and the industry and OSS community entities that develop and support these technologies. The OSSI Working Group addresses strategic issues, tactical challenges, and potential opportunities regarding information assurance and cyber security and the continued adoption of open source solutions within Federal, state, and local government systems. Some of the supported efforts are:
  - the Homeland Open Security Technology (HOST) program of the U.S. Department of Homeland Security, which investigates open security methods, models, and technologies and identifies viable and sustainable approaches that support national cyber security objectives;
  - the Open Source Corporate Management Information System (OSCMIS), which is a collaborative effort with the U.S. Department of Defense's Defense Information Systems Agency (DISA).