Check out this presentation by Dr. Ken Nidiffer of the Software Engineering Institute (SEI) at Carnegie Mellon University – presented at the STC 2017 Conference at NIST. According to NDAA 2013, Section 933, “Software assurance provides the required level of confidence that software functions as intended (and no more) and is free of vulnerabilities, either intentionally or unintentionally designed or inserted in software throughout the lifecycle.”

It was clear from this and several other presentations at the conference that the way to achieve software assurance is to integrate it thoroughly into the system acquisition lifecycle. Nidiffer detailed some of the potential challenges to accomplishing this integration:

  • Increasing complexity of software – DoD needs to be able to operate between layers, between networks, between domains, between environments
  • Unique operations missions and business needs – concerns about the consequences of integrating commercial projects into military systems
  • Solving the vulnerability identification chasm – 84% of breaches exploit vulnerabilities in the application layer, yet spending on IT defense versus software assurance runs 23 to 1
  • Addressing system sustainment – when does sustainment start; how to deal with rising costs, recertification and retesting, dynamic operating environments, legacy environments, life cycle software assurance activities
  • Understanding attack patterns, vulnerabilities and weaknesses – defining software assurance attributes to satisfy information needs
  • Increasing vulnerabilities – dealing with Common Vulnerabilities and Exposures (CVEs – publicly reported and known), zero-day vulnerabilities (unreported or undiscovered) and Common Weakness Enumeration entries (CWEs – classes of weakness that are potentially exploitable)
  • Software quality designed in – applying special emphasis up front to address software assurance
  • Reduction of technical debt – understanding where technical debt creates weaknesses and vulnerabilities – addressing early in the life cycle
  • Infancy of software engineering discipline – improving the workforce by developing software core competencies and a DoD career field in software engineering.

Software is an essential part of the DoD's military power as well as a building block of modern society. According to Nidiffer, the dynamics of software are constantly in a state of flux; some of the reasons for this are:

  • Software is ubiquitous and growing in importance
  • Code bases are increasing
  • Vulnerabilities (defects, flaws) are increasing
  • More and more of system function is represented by software
  • Software reliant systems are more complex and intertwined
  • Software assurance is increasingly important and achieving it is a moving target

While recognizing the importance of software assurance, it is also important that decision makers understand how much is enough in the context of each particular software-intensive system. Questions that must be considered:

  • How much is “enough software assurance”?
  • How much does “enough” cost?
  • Is “enough” affordable?

Nidiffer wrapped up with the following recommendations for the software community:

  • More robust approach to software assurance
  • Decision makers savvy about how to achieve software assurance
  • When things go wrong, capitalize on the opportunity to make better decisions next time – focus on what happened, why it happened, how to solve the problem, and how to evaluate that it has been solved
  • Enable an engineering based approach focused on designing in software assurance
  • DoD should add software engineering with software assurance core competencies as a career field

This talk contains a huge amount of information on the important points to consider when thinking about software assurance – you should check it out!