Randy Beavers
CS 585 – Computer Security
February 19, 2009
Software underpins information infrastructure.
Organizations widely and increasingly use COTS software.
Cyber attacks are becoming more stealthy and sophisticated, creating a complex environment.
Software Assurance: An Overview of Current Industry Best Practices
Vendors have undertaken significant efforts to improve and protect software integrity.
Software Assurance critical to public safety and economic and national security.
The SAFECode paper shows how its member companies approach software assurance and how best practices are applied across software development.
SAFECode: Software Assurance Forum for Excellence in Code. A non-profit organization exclusively dedicated to increasing trust in information and communications technology products and services through the advancement of proven software assurance methods.
Founded by: EMC Corporation, Juniper Networks, Inc., Microsoft Corporation, SAP AG, Symantec Corporation.
Website: www.safecode.org
The Challenge of Software Assurance and Security
Software Assurance encompasses the development and implementation of methods and processes for ensuring that software functions as intended while mitigating the risks of vulnerabilities, malicious code or defects that could bring harm to the end user.
Software Assurance:
Vital to ensuring the security of critical information.
Information and communications technology vendors have a responsibility to address assurance at every stage of application development.
Integrators, operators, and end users share responsibility for ensuring the security of critical information systems.
Software assurance risks faced by users today can be categorized in three areas:
1. Accidental design or implementation errors.
2. The changing technological environment.
3. Malicious insiders.
Inadvertently faulty software design or implementation creates a risk area exploited by:
◦ Hackers
◦ Viruses
◦ Worms
◦ Other malicious attacks
Developers address these risks through:
◦ Training.
◦ Use of secure development practices and tools.
Rapid change and innovation are characteristics of the IT industry.
Criminals can and do innovate as well; they have created a complex and lucrative criminal economy.
Assurance is therefore a process of ongoing improvement: as new threats emerge, new countermeasures are developed and implemented.
Growing concern that global software development processes could be exploited by a rogue programmer or organized group of programmers.
There are proven best practices that companies use to manage this risk within their own development infrastructure and business models.
Vendors have both a responsibility and a business incentive to ensure product assurance and security.
Customers demand software be secure and reliable.
Vendors must protect brand names and company reputations.
Software development varies by vendor, product, organizational structure, and customer requirements.
There is no single method that yields software assurance and security.
Nevertheless, a core of best practices for software assurance and security exists.
Across SAFECode's membership, the following security best practices and controls are well established:
Security Training
Defining Security Requirements
Secure Design
Secure Coding
Secure Source Code Handling
Security Testing
Security Documentation
Security Readiness
Security Response
Integrity Verification
Security Research
Security Evangelism
INTEGRATORS. Work in partnership with vendors to mitigate vulnerabilities.
OPERATORS. Must deploy standard layered-defense security measures.
END USERS. Responsible software use is a requirement for software assurance and security.
www.safecode.org