Processes and Practices Working Group
Build Security In contains and links to best practices, tools, guidelines, rules, principles, and other resources, such as articles about assurance cases, that software developers, architects, and security practitioners can use to build security into software in every phase of its development.
Capability Maturity Model Integration (CMMI)
CERT Survivability Analysis Framework (SAF) efforts
DHS Software Assurance Landscape (preliminary draft)
IATAC/DACS Software Security Assurance state of the art report
International Systems Security Engineering Association (ISSEA)
ISO/IEC 12207: Information technology -- Software life cycle processes
ISO/IEC 15288: Systems engineering -- System life cycle processes
ISO/IEC 15504 (Parts 1-5): Process assessment
ISO/IEC 21827, System Security Engineering Capability Maturity Model (SSE CMM)
ISO/IEC 15443 (FRITSA), A framework for IT security assurance
ISO/IEC TR 19791, Security Assessment of Operational Systems
Intended Relationships of Key Software and Systems Engineering Process Standards
NSA CAS Software Assurance Landscape
Open Software Assurance Maturity Model
The Open Software Assurance Maturity Model (OpenSAMM) is an open framework to help organizations formulate and implement a strategy for software security that is tailored to the specific risks facing the organization.
OWASP Guide Project
The Open Web Application Security Project (OWASP) Development Guide allows businesses, developers, designers, and solution architects to produce secure web applications. If done from the earliest stages, secure applications cost about the same to develop as insecure applications, but are far more cost effective in the long run.
OWASP Code Review Project
The OWASP Code Review Guide is a key enabler for the OWASP fight against software insecurity. It has even inspired individuals to build tools based on its information. The combination of a book on secure code review and tools to support such an activity is very powerful as it gives the developer community a place to start regarding secure application development.
OWASP Application Security Verification Standard Project
The OWASP Application Security Verification Standard (ASVS) Project normalizes the range of coverage and rigor available in the market when it comes to performing web application security verification using a commercially workable open standard. ASVS provides a basis for testing application technical security controls, as well as any technical security controls in the environment, that are relied on to protect against vulnerabilities such as Cross-Site Scripting (XSS) and SQL injection. ASVS can also be used to establish a level of confidence in the security of web applications.
OWG: Vulnerabilities (OWGV) – ISO/IEC Project 22.24772: Guidance for Avoiding Vulnerabilities through Language Selection and Use. Comparative guidance spanning multiple programming languages. Goal: Avoidance of programming errors that lead to vulnerabilities.
"Process Improvement Should Link to Security": SEPG 2007 Security Track Recap
Process Reference Model for Assurance Mapping to CMMI-DEV V1.2. June 2008 Draft from industry working group formed to explore options and strategies for extending CMMI for assurance concerns.
Researching “How to acquire, design, build, and compose software components and systems to support the survivability of a business process”
Running an ongoing effort to identify opportunities to collaborate with other initiatives for aligning with SSE CMM to promote mature security capability among system and software developers
SAFECode whitepapers
- Fundamental Practices for Secure Software Development 2nd Edition: A Guide to the Most Effective Secure Development Practices in Use Today
- Software Integrity Controls: An Assurance-Based Approach to Minimizing Risks in the Software Supply Chain
Safety and Security Considerations for Component-Based Engineering of Software-Intensive Systems whitepaper
Safety and Security Extensions for Integrated Capability Maturity Models
Software Assurance Best Practices for Air Force Weapon and Information Technology Systems – Are We Bleeding? Thesis by Ryan A. Maxon, Major, USAF, Air Force Institute of Technology, AFIT/GIR/ENV/08-M13, March 2008
Software Assurance Self-Assessment
Software Security Assurance: A Framework for Software Vulnerability Management and Audit provides information needed to identify, measure, remediate, and manage specific security vulnerabilities in online systems.
Survivability Assurance for System of Systems
The Unfortunate Reality of Insecure Libraries
By Jeff Williams, CEO, and Arshan Dabirsiaghi, Director of Research, Aspect Security
80% of the code in today’s applications comes from libraries and frameworks. The risk of vulnerabilities in these components is widely ignored and underappreciated. In partnership with Sonatype, our researchers analyzed over 113 million downloads by more than 60,000 commercial, government and non-profit organizations. We studied the 31 most popular Java frameworks and security libraries downloaded from the Central Repository ("Central") and discovered that 26% of these have known vulnerabilities. Every organization should be concerned about the security of the components that they use and trust to run their business. The study focuses only on open-source Java libraries, but there is no reason to believe that the data for other languages and platforms would be significantly different. Similarly, our experience in evaluating the security of hundreds of custom applications indicates that the findings are likely to apply to closed-source and commercial libraries as well.
Workshop on Assurance with CMMI—Briefings, August 2007
- Collaboration Through the Software Assurance Forum
- Assurance in Models and Standards Panel – Relationships Between Models and Standards
- ISO/IEC 21827, Systems Security Engineering Capability Maturity Model (SSE-CMM): A Process Driven Framework for Assurance
- Motorola Secure Software Development Model (MSSDM) Lessons Learned
- Lockheed Martin’s Move to Assurance: Software Safety and Security Certification Best Practices
- Leveraging Multiple Standards to Achieve Organizational Goals: Booz Allen Hamilton's Process Improvement Program
- CMMI Update: Beyond V1.2
- 30 Years of Software Assurance: What we have learned, and what we haven’t
- Operational Security in Software Development
- Considering Operational Security Risk During System Development
- Software Assurance