The intended primary and secondary audiences for this document can be best described in terms of the readers’ professional roles.
1.3.1 Primary Audience
The primary audience for this document includes—
• Software practitioners involved in the conception, implementation, and assessment of software, especially software used in DoD and other US Federal Government agencies, or in the improvement of processes by which such software is conceived, implemented, and assessed.
Software Security Assurance State-of-the-Art Report (SOAR) 9
Section 1 Introduction
• Researchers in academia, industry, and government who are investigating methods, processes, techniques, or technologies for producing software that is secure, or for assuring the security of software during and/or after its creation.
1.3.2 Secondary Audiences
Readers in the following roles are the intended secondary audiences for this document—
• Systems Engineers and Integrators: This document should expand the knowledge of these readers, enabling them to broaden and deepen their systems- or architectural-level view of software-intensive systems to include both the recognition and understanding of the security properties, threats, and vulnerabilities to which the individual software components that compose their systems are subject, as well as the impact of those properties, threats, and vulnerabilities on the security of the system as a whole.
• Information Assurance Practitioners: These include developers of policy and guidance, risk managers, certifiers and accreditors, auditors, and evaluators. The main objective for such readers is to expand their understanding of information security risks to include a recognition and understanding of the threats and vulnerabilities that are unique to the software components of an information system. Specifically, this audience should be able to understand how vulnerable software can be subverted or sabotaged in order to compromise the confidentiality, integrity, or availability of the information processed by the system.
• Cyber Security and Network Security Practitioners: The objective of these readers is to recognize and understand how network operations can be compromised by threats at the application layer—threats not addressed by countermeasures at the network and transport layers. Of particular interest to such readers will be an understanding of application security, a discipline within software security assurance, and also the benefit that software assurance activities, techniques, and tools offer in terms of mitigating the malicious code risk.
• Acquisition Personnel: The objectives for readers in the system and software acquisition community are threefold: to obtain a basis for defining security evaluation criteria in solicitations for commercial software applications, components, and systems, and contracted software development services; to identify security evaluation techniques that should be applied to candidate software products and services before acquiring them; and to understand the specific security concerns associated with offshore development of commercial and open source software, and with outsourcing of development services to non-US firms.
• Managers and Executives in Software Development Organizations and Software User Organizations: This document should help them recognize and understand the software security issues that they will need to address, and subsequently develop and implement effective plans and allocate adequate resources for dealing with those issues.
1.4 Scope
This SOAR focuses on the numerous techniques, tools, programs, initiatives, etc., that have been demonstrated to successfully—
• Produce secure software, or
• Assure that secure software has been produced (whether by a commercial or open source supplier or a custom developer).
Also covered are techniques, tools, etc., that have been proposed by a respected individual or organization (e.g., a standards body) as being likely to be successful, if adopted, in achieving either of the two objectives above.
Techniques and tools for implementing information security functions (such as authentication, authorization, access control, encryption/decryption, etc.) in software-intensive systems will not be discussed, except to the extent that such techniques and tools can be applied, either “as is” or with adaptations or extensions, to secure the software itself rather than the information it processes. For example, a tool for digitally signing electronic documents would be considered out of scope unless that tool could also be used for code signing of binary executables before their distribution. Out of scope entirely is how to assure information security functions in software-based systems at certain Common Criteria (CC) Evaluation Assurance Levels (EAL). Techniques, tools, etc., that focus on improving software quality, reliability, or safety are considered in scope only when they are used with the express purpose of improving software security.
To keep this document focused and as concise as possible, we have excluded discussions of techniques that are expressly intended and only used to achieve or assure another property in software (e.g., quality, safety), regardless of the fact that sometimes, as a purely coincidental result, use of such techniques also benefits the software’s security.
In short, this document discusses only those methodologies, techniques, and tools that have been conceived for or adapted/reapplied for improving software security. Each SOAR discussion of an adapted/reapplied method, technique, or tool will include—
• A brief overview of the tool/technique as originally conceived, in terms of its nature and original purpose. This overview is intended to provide context so that the reader has a basis for understanding the difference between the technique/tool as originally conceived and its software security-oriented adaptation.
• A longer description of how the tool/technique has been adapted and can now help the developer achieve one or more software security objectives.
This description represents the main focus and content of the discussion.
This SOAR also reports on numerous initiatives, activities, and projects in the public and private sectors that focus on some aspect of software security assurance.
The software addressed in this SOAR is of all types, system-level and application-level, information system and noninformation system, individual components and whole software-intensive systems, embedded and nonembedded.