1.1.2 Software Process
The first books enumerating steps to produce software appeared in the early 1960’s – if not earlier. Software process has been an active area of work in industry, research, and government ever since – within this has been significant work on processes for high-dependability systems. Today, a plethora of books contain general-purpose practices and processes. These range from lightweight processes placing few requirements on developers to heavyweight ones that provide a high level of guidance, discipline, and support. [Boehm 2003] Generally and not surprisingly, success in producing high-dependability systems aimed at safety or security has been greater with software processes closer to the heavyweight end of the spectrum and performed by highly skilled people.
Three things aid in reliably producing secure software: [Redwine 2004, p. 3]
1. An outstanding software process performed by skilled people
2. A sound mastery of the relevant security expertise, practices, and technology
3. The expert management required to ensure the resources, organization, motivation, and discipline for success
Across these aspects skilled people may be the highest leverage element. Achieving these skills, however, requires considerable knowledge beyond that already required for simply a good software engineering process.
Defines standard
Replaced/Superseded by document(s)
Cancelled by
Amended by
File | MIME type | Size (KB) | Language | Download | |
---|---|---|---|---|---|
Secure Software Assurance- Common Body of Knowledge for Development, Sustainment, and Acquisition.doc | application/msword | 1.25 MB | English | DOWNLOAD! |
Provides definitions
Introduction
This preface provides a history of the motivations, activities, and documents design rationales for this report – Secure Software Common Body of Knowledge. Those interested in the substance rather than the rationale will find it useful to proceed directly to the Introduction on page 1. The number and variety of attacks by persons and malicious software from outside organizations, particularly via the Internet, are increasing rapidly, and the amount and consequences of insider attacks remain serious. Over 90% of security incidents reported to the CERT Coordination Center result from defects in software requirements, design, or code.
{GRS – somewhat interesting, but it does not appear necessary, why bother?}In 2003, under the leadership of Joe Jarzombek, then Deputy Director for Software Assurance, Information Assurance Directorate, Office of Assistant Secretary of Defense (Networks and Information Integration), DoD launched a Software Assurance Initiative. In 2004, the Department of Homeland Security joined in collaboration with this Initiative. Joe Jarzombek moved in March 2005 to Director for Software Assurance, National Cyber Security Division, Information Analysis and Infrastructure Protection, Department of Homeland Security but retains his leadership role in the collaborative interagency Software Assurance Initiatives. This report was produced under his leadership.