U.S. Department of Homeland Security

Software Assurance

Software Assurance Resources

These are the resources listed on all SwA working group Resources pages plus other publications, Web sites, standards, briefings, and other information related to software assurance, listed by date. The Software Assurance Pocket Guide series and frequently updated websites are listed separately.

Software Assurance Glossary provides definitions of relevant terms as found in various source publications and standards.

More resources are available to those who join a Software Assurance working group.

Software Assurance Pocket Guide Series

Learn about software assurance in acquisition and outsourcing, software assurance in development, and the software assurance life cycle by downloading our free SwA Pocket Guide Series.

EXPLOIT AND VULNERABILITY DATABASES

National Vulnerability Database
Open Source Vulnerability Database
Exploit Database

ENUMERATIONS AND LANGUAGES FOR SOFTWARE SECURITY

Common Attack Pattern Enumeration and Classification (CAPEC)
Common Weakness Enumeration (CWE™)
Malware Attribute Enumeration and Characterization (MAEC)

SwA Whitepapers

Cyber Security Reports

Open Source Resources

Websites

CERT Software Assurance resources

CERT Survivability Analysis Framework (SAF)

Department of Homeland Security (DHS): Cybersecurity

International Systems Security Engineering Association (ISSEA)

Making Security Measurable

Object Management Group Software Assurance SIG

SAFECode, the Software Assurance Forum for Excellence in Code

Software Assurance Consortium

Software Assurance Metrics and Tool Evaluation Project (SAMATE)

Resources by Date

2012

Coates, Michael, Groves, Dennis, Melton, John, Watson, Colin. “Creating Attack-Aware Software Applications with Real-Time Defenses.” CrossTalk—The Journal of Defense Software Engineering, Vol. 24, No. 5, Sep/Oct 2011.

2011

Stempfley, Bobbie. “Securing Tomorrow’s Software.” The Blog @ Homeland Security, June 27, 2011.

Reitinger, Philip. “Enabling Distributed Security in Cyberspace.” The Blog @ Homeland Security, March 23, 2011.

2009

Mead, Nancy R. et al. Making the Business Case for Software Assurance, April 2009.

2008

Davidson, Mary Ann. "Who Pushed Vendors Toward Better Security?" CIO, December 4, 2008.

Goertzel, Karen, Theodore Winograd, et al. for Department of Homeland Security and Department of Defense Data and Analysis Center for Software. Enhancing the Development Life Cycle to Produce Secure Software: A Reference Guidebook on Software Assurance, October 2008.

Practical Measurement Framework for Software Assurance and Information Security, Version 1.0, October 2008.

SwA Acquisition Working Group. Software Assurance (SwA) in Acquisition: Mitigating Risks to the Enterprise, October 2008.

Allen, Julia H., Barnum, Sean, Ellison, Robert J., McGraw, Gary, and Mead, Nancy R. Software Security Engineering: A Guide for Project Managers. Boston, MA: Addison-Wesley, May 2008 (ISBN 032150917X).

Ellison, Robert J., Goodenough, John, Weinstock, Charles, & Woody, Carol. Survivability Assurance for System of Systems (CMU/SEI-2008-TR-008). Pittsburgh, PA: Software Engineering Institute, Carnegie Mellon University, 2008.

Peterson, Terrie and Wagoner, Larry. Software Assurance Glossary. Center for Assured Software, April 7, 2008.

Redwine, Samuel T. Jr. Towards an Organization for Software System Security Principles and Guidelines, version 1.0 (IIIA Technical Paper 08-01). Institute for Infrastructure and Information Assurance, James Madison University, February 2008.

2007

DISA. Security Technical Implementation Guides, December 2007.

ISO/IEC 15443. Information technology -- Security techniques -- A framework for IT security assurance (FRITSA) -- Part 3: Analysis of assurance methods, December 2007.

ISO/IEC CD 27004. Information Security Management Measurements, November 2007.

Software Engineering Institute. CMMI for Acquisition, Version 1.2, November 2007.

Redwine, S. T.; Baldwin, R. O.; Polydys, M. L.; Shoemaker, D. P.; Ingalsbe, J. A.; & Wagoner, L. D. Software Assurance: A Curriculum Guide to the Common Body of Knowledge to Produce, Acquire, and Sustain Secure Software. Washington, DC: Department of Homeland Security, October 2007.

Outbrief at DHS SwA Forum, October 2007.

National Defense Industrial Association (NDIA). Systems Assurance—Delivering Mission Success in the Face of Developing Threats, October 2007.

Workforce Education and Training Status Briefing, Software Assurance Forum, October 3, 2007.

NIST Special Publication 800-55 Revision 1, Performance Measurement Guide for Information Security (DRAFT), September 2007.

Report of the Defense Science Board Task Force on Mission Impact of Foreign Software on DoD Software, DoD, September 2007.

Common Criteria for Information Technology Security Evaluation, Part 2: Security functional components, September 2007.

Common Criteria for Information Technology Security Evaluation, Part 3: Security assurance components, September 2007.

Briefings from Workshop on Assurance with CMMI, August 2007

GFIRST panel presentation on Acquisition Working Group Activities, July 2007.

Goertzel, K., et al. Software Security Assurance: A State-of-the-Art Report (SOAR). Herndon, VA: Information Assurance Technology Analysis Center (IATAC) and Defense Technical Information Center (DTIC), July 31, 2007.

ISO/IEC 15939. Systems and Software Engineering - Measurement Process, July 2007.

Acquisition articles on Build Security In, June 2007.

SSE CMM Metrics Overview and SSE CMM Metrics, June 2007.

Office of Management and Budget (OMB) M-07-18. Ensuring New Acquisitions Include Common Security Configurations. Washington, DC: Office of the President, June 1, 2007.

OWASP Guide to Building Secure Web Applications and Web Services (Version 3.0). Columbia, MD: Aspect Security, Inc., June 2007.

Polydys, Mary L. and Wisseman, Stan. "Software Assurance: Five Essential Considerations for Acquisition Officials." CrossTalk—The Journal of Defense Software Engineering, Vol. 20, No. 5, May 2007.

Lewis, J. Foreign Influence on Software. Center for Strategic and International Studies, March 2007.

Martin, R. A. "Being Explicit About Security Weaknesses." CrossTalk—The Journal of Defense Software Engineering, Vol. 20, No. 3, March 2007.

Object Management Group. Knowledge Discovery Metamodel, March 2007.

Intended Relationships of Key Software and Systems Engineering Process Standards, February 2007.

O’Neill, Don. "Calculating Security Return on Investment." Build Security In, 2007.

DHS Software Assurance Landscape (preliminary draft), 2007.

OWG: Vulnerabilities (OWGV) – ISO/IEC Project 22.24772: Guidance for Avoiding Vulnerabilities through Language Selection and Use, 2007.

2006

Global Information Technology Working Group, Committee on National Security Systems (CNSS) 145-06. Framework for Lifecycle Risk Mitigation for National Security Systems in the Era of Globalization. Ft. Meade, MD: National Security Agency, November 2006.

Open Web Application Security Project (OWASP) Secure Software Development Contract Annex, November 2006.

CIO Executive Council. "New CIO Executive Council™ Poll Reveals CIOs Lack Confidence in Software." CIO Executive Council News Bureau, Oct. 11, 2006.

Software Assurance CBK Definitions Matrix, Oct. 11, 2006.

Common Criteria for Information Technology Security Evaluation, Part 1: Introduction and general model, September 2006.

Goertzel, Karen Mercedes; Winograd, Theodore; McKinley, Holly Lynne; & Holley, Patrick. Security in the Software Lifecycle: Making Software Development Processes – and Software Produced by Them – More Secure, Draft version 1.2. U.S. Department of Homeland Security, August 2006.

Federal Information Processing Standard (FIPS) Publication 201-1. Personal Identity Verification (PIV) for Federal Employees and Contractors. Gaithersburg, MD: National Institute of Standards and Technology (NIST), U.S. Department of Commerce, June 26, 2006.

ISO/IEC TR 19791. Information technology -- Security techniques -- Security assessment of operational systems, May 2006.

ISO/IEC 15504. Information technology -- Process assessment -- Part 5: An exemplar Process Assessment Model, March 2006.

NIST Federal Information Processing Standard (FIPS) 200, Minimum Security Requirements for Federal Information and Information Systems, March 2006.

Epstein, Jeremy, Matsumoto, Scott, and McGraw, Gary. Software Security and SOA: Danger, Will Robinson! February 2006.

Backgrounder on Software Assurance: A Curriculum Guide to the Common Body of Knowledge, 2006.

Bumgarner, J. & Scott, B. The US-CCU Cyber-Security Check List. U.S. Cyber Consequences Unit, 2006.

Control Objectives for Information Technology (COBIT), 2006.

2005

O’Flaherty, T. The Impact of SwA on the Procurement Process. INPUT, TargetVIEW, Volume 1, Issue 10. Reston, VA: INPUT, December 2005.

Wheeler, David A. Open Source Software and Software Assurance, October 2005.

ISO/IEC 15443. Information technology -- Security techniques -- A framework for IT security assurance (FRITSA) -- Part 2: Assurance methods, September 2005.

Federal Information Processing Standard (FIPS) Publication 200. Minimum Security Standard for Federal Information Systems. Gaithersburg, MD: National Institute of Standards and Technology (NIST), U.S. Department of Commerce, July 2005.

NIST Special Publication 800-55. Security Metrics Guide for Information Technology Systems. Gaithersburg, MD: U.S. Department of Commerce, July 2005.

Walker, E. "Software Development Security: A Risk Management Perspective." The DoD Software Tech News—Secure Software Engineering. Vol(8)No(2). Rome, NY: Data & Analysis Center for Software, July 2005.

ISO/IEC 27002. Code of Practice for Information Security Management, June 2005.

Sahinoglu, Mehmet. "Security Meter: A Practical Decision-Tree Model to Quantify Risk." IEEE Security & Privacy Vol. 3, No. 3 (May/June 2005), pp. 18-24. Available on IEEE Digital Library.

ISO/IEC 15443. Information technology -- Security techniques -- A framework for IT security assurance (FRITSA) -- Part 1: Overview and framework, February 2005.

NIST Special Publication 800-53. Recommended Security Controls for Federal Information Systems. Gaithersburg, MD: U.S. Department of Commerce, February 2005.

U.S. President’s Information Technology Advisory Committee. Cyber Security: A Crisis of Prioritization. Arlington, VA: National Coordination Office for Information Technology Research and Development, February 2005.

Corporate Information Security Working Group. Report of the Best Practices and Metrics Teams, January 2005.

Federal Acquisition Regulation, 2005.

ISO/IEC 27001. Information technology -- Security techniques -- Information security management systems -- Requirements, 2005.

ISO/IEC 17799. Information Technology -- Security techniques -- Code of practice for information security management, 2005.

ISO/IEC 17025. General Requirements for the Competence of Testing and Calibration Laboratories, 2005.

ISO/IEC 15408-1. Information technology -- Security techniques -- Evaluation criteria for IT security -- Part 1: Introduction and general model, 2005.

ISO/IEC 15408-2. Information technology -- Security techniques -- Evaluation criteria for IT security -- Part 2: Security functional requirements, 2005.

ISO/IEC 15408-3. Information technology -- Security techniques -- Evaluation criteria for IT security -- Part 3: Security assurance requirements, 2005.

2004

Department of Defense. Defense Acquisition Guidebook. Fort Belvoir, VA: Defense Acquisition University, December 2004.

ISO/IEC 15504. Information technology -- Process assessment -- Part 1: Concepts and vocabulary, November 2004.

PDA. Technical Report 32, Auditing of Suppliers Providing Computer Products and Services for Regulated Pharmaceutical Operations. Release 2.0, Volume 58, Number 5, October 2004.

Department of Defense. Interim Report on SwA: Mitigating Software Risks in the DoD IT and National Security Systems, September 2004.

Ibrahim, L., Jarzombek, J., et al. Safety and Security Extensions for Integrated Capability Maturity Models. Washington, DC: Federal Aviation Administration, September 2004.

ISO/IEC 15504. Information technology -- Process assessment -- Part 4: Guidance on use for process improvement and process capability determination, July 2004.

Office of Management and Budget (OMB) M-04-16. Software Acquisition. Washington, DC: Office of the President, July 1, 2004.

ISO/IEC 15504. Information technology -- Process assessment -- Part 3: Guidance on performing an assessment, June 2004.

Defense Acquisitions. Knowledge of Software Suppliers Needed to Manage Risks [GAO-04-678]. Washington, DC: General Accountability Office, May 2004.

GAO-04-678. Defense Acquisitions: Knowledge of Software Suppliers Needed to Manage Risks. GAO, May 25, 2004.

Ross, Ron, Marianne Swanson, Gary Stoneburner, Stu Katzke, and Arnold Johnson. NIST Special Publication 800-37, Guide for the Security Certification and Accreditation of Federal Information Systems. Gaithersburg, MD: U.S. Department of Commerce, May 2004.

Defense Acquisitions. Stronger Management Practices are Needed to Improve DoD’s Software-Intensive Weapons Acquisitions [GAO-04-393]. Washington, DC: General Accountability Office, March 2004.

Federal Information Processing Standard (FIPS) Publication 199. Standards for Security Categorization of Federal Information and Information Systems. Gaithersburg, MD: National Institute of Standards and Technology (NIST), U.S. Department of Commerce, February 2004.

Cohen, F. Enterprise Patch Management: Strategies, Tools, and Limitations, January 9, 2004.

ISO/IEC 17011. Conformity assessment—General Requirements for Accreditation Bodies Accrediting Conformity Assessment Bodies, 2004.

Office of Management and Budget. Standard Form 328, Certificate Pertaining to Foreign Interests, 2004.

2003

Office of Management and Budget (OMB) M-04-04. E-Authentication for Federal Agencies. Washington, DC: Office of the President, December 16, 2003.

Department of Defense Directive (DoDD) 8500.1. Information Assurance (IA). Washington, DC: U.S. Department of Defense, October 24, 2002 (certified current as of November 21, 2003).

ISO/IEC 15504. Information technology -- Process assessment -- Part 2: Performing an assessment, October 2003.

NIST Special Publication 800-36, Guide to Selecting IT Security Products. Gaithersburg, MD: U.S. Department of Commerce, October 2003.

NIST Special Publication 800-64, Rev 1. Security Considerations in the Information System Development Life Cycle. Gaithersburg, MD: U.S. Department of Commerce, October 2003.

National Security Telecommunications and Information Systems Security Policy (NSTISSP) No. 11. National Policy Governing the Acquisition of Information Assurance (IA) and IA-Enabled Information Technology Products. Fort Meade, MD: U.S. National Security Agency, July 2003.

Committee on National Security Systems (CNSSI) No. 4009. National Information Assurance (IA) Glossary. Ft Meade, MD: National Security Agency, May 2003.

Department of Defense Instruction (DoDI) 5000.2. Operation of the Defense Acquisition System. Washington, DC: U.S. Department of Defense, May 12, 2003.

Software Engineering Institute. SEI Case Study: Computer Supplier Evaluation Practices of the Parenteral Drug Association (PDA). Technical Report CMU/SEI-2003-TR-011, Software Engineering Institute, May 2003.

Department of Defense Instruction (DoDI) 8500.2. Information Assurance (IA) Implementation. Washington, DC: U.S. Department of Defense, February 6, 2003.

2002

ISO/IEC 21827. System Security Engineering -- Capability Maturity Model (SSE CMM), October 2002.

NIST Special Publication 800-30. Risk Management Guide for Information Technology Systems. Gaithersburg, MD: U.S. Department of Commerce, July 2002.

Federal Information Security Management Act of 2002, 44 U.S.C. § 3541 et seq.

ISO/IEC 15288. Systems engineering -- System life cycle processes, 2002.

Obasanjo, D. The Myth of Open Source Security Revisited v2.0, 2002.

2001 and earlier

Federal Aviation Administration integrated Capability Maturity Model (FAA iCMM), September 2001.

Nuclear Procurement Issues Committee (NUPIC). Document No. 6, Nuclear Procurement Issues Committee Joint Audit Program, July 5, 2001.

Federal Information Processing Standard (FIPS) Publication 140-2. Security Requirements for Cryptographic Modules. Gaithersburg, MD: National Institute of Standards and Technology (NIST), U.S. Department of Commerce, May 2001.

NIST Special Publication 800-23. Guidelines to Federal Organizations on Security Assurance and Acquisition/Use of Tested/Evaluated Products. Gaithersburg, MD: U.S. Department of Commerce, August 2000.

National Security Telecommunications and Information Systems Security Advisory Memorandum (NSTISSAM)/2-00. Advisory Memorandum on the Strategy for Using the National Information Assurance Partnership (NIAP) for the Evaluation of Commercial Off-The-Shelf (COTS) Security Enabled Information Technology Products. Fort Meade, MD: U.S. National Security Agency, February 8, 2000.

DCID 6/3. Protecting Sensitive Compartmented Information Within Information Systems, June 5, 1999.

U.S. President’s Information Technology Advisory Committee. Information Technology Research: Investing in Our Future. Arlington, VA: National Coordination Office for Information Technology Research and Development, February 1999.

NASA. Software Assurance Guidebook and Standard, 1999 (and earlier).

Institute of Electrical and Electronics Engineers (IEEE) Std 1062. Recommended Practice for Software Acquisition, 1998.

ISO/IEC 15026. Information Technology -- System and Software Integrity Levels, 1998.

Clinger-Cohen Act of 1996, Public Law 104-106.

ISO/IEC 12207. Information technology -- Software life cycle processes, 1995.

Department of Defense. A Guide to the Procurement of Trusted Systems: An Introduction to Procurement Initiators on Computer Security Requirements – Volume 1 of 4, 1992.