The Department of Homeland Security's (DHS) Software Assurance Program seeks to leverage the advancement of tools and technologies in the effort to provide more secure and reliable software to the U.S. Government. Today, enabling technologies exist that automate review of artifacts generated across the entire software development life cycle (SDLC).
The Technology and Tools Working Group (T&T WG) is sponsored by DHS. Its overall goal is to assist in bringing software assurance tools and technologies into the government's effort to improve the speed and accuracy of software assurance evaluation and certification of COTS, GOTS and open source software.
With a variety of such tools in the marketplace today, the methodology for combining them to help make a software assurance case is still not well defined. There exists no tool interoperability standard for sharing information gathered by tools across the SDLC. Financial questions exist as to how to best combine different classes of tools to provide the most effective return on investment to their users. Additionally, the level of capability among similar tools varies greatly from one to another, although this may not be apparent to the end user of the tools. Today, there is no federation of software assurance testing laboratories or tool/technique repositories to facilitate a more automated approach to software assurance certification. This working group is working toward addressing all of the above needs to bring software assurance tools and technology into the mainstream of the SDLC.
The Technology and Tools Working Group is a key component of DHS's effort to leverage the activities and knowledge of the communities that represent the state of software assurance today. Its primary objectives are to evaluate, improve and promote software assurance through tools and technology.
Software assurance evaluations that leverage tool technologies are a fundamental goal of the working group. In order to promote the automation of software assurance evaluations, the working group must be able to:
- create a T&T roadmap to software assurance goals
- specify dictionaries for low-level descriptions of software weakness, attack patterns and terminology
- measure the functionality and capability of SwA tools through
  - functional specifications
  - test suites
  - tool metrics
- define tool-related metrics and measures for making a software assurance case
- support the development of consortiums for
  - SwA evaluations
  - SwA tool users
Recognizing that automation of the software assurance process is still an emerging technology, the working group identifies gaps in current tool research and recommends to DHS areas where more research is needed.
The working group also serves as a focal point for presentations of the latest research and technology in software assurance. Paper presentations, tool demonstrations and facilitated working group discussions of enabling technologies are the foundation for promoting software assurance automation.
Recent Releases and Updates
The March/April issue of CrossTalk, sponsored by the DHS Office of Cybersecurity and Communications (CS&C), includes the article "New ISO/IEC Technical Report describes Vulnerabilities in Programming Languages." The work discussed in the article is sponsored by the CS&C Software Assurance Program.
Common Weakness Enumeration (CWE) is now available. International in scope and free for public use, CWE provides a unified, measurable set of software weaknesses that is enabling more effective discussion, description, selection, and use of software security tools and services that can find these weaknesses in source code and operational systems. CWE also provides a better understanding and management of software weaknesses related to architecture and design. CWE and other security-related enumerations are accessible via Making Security Measurable, which publishes collaboration efforts aimed at improving the measurability of security through enumerating baseline security data, providing standardized languages as means for accurately communicating the information, and encouraging the sharing of the information with users by developing repositories. The other listed activities and initiatives have similar concepts or compatible approaches. Together all of these efforts are helping to make security more measurable by defining the concepts that need to be measured, providing for high fidelity communications about the measurements, and providing for sharing of the measurements and the definitions of what to measure.
To assist in enhancing security throughout the software development lifecycle, and to support the needs of developers, testers and educators, the Common Attack Pattern Enumeration and Classification (CAPEC) is another of these efforts sponsored by DHS CS&C as part of the Software Assurance strategic initiative. The objective of this effort is to provide a publicly available catalog of attack patterns along with a comprehensive schema and classification taxonomy. Linked with CWE, this CAPEC site contains the initial set of content and will continue to evolve with public participation and contributions to form a standard mechanism for identifying, collecting, refining, and sharing attack patterns among the software community.
The BSI article Adapting Penetration Testing for Software Development Purposes has been updated.
For more information, contact the DHS Software Assurance Office at software.assurance [at] dhs.gov.
To join the Software Assurance Technology and Tools Working Group, see the instructions for joining a working group.