Information Assurance Domains & Defining Software Assurance

Information assurance and security is a compilation of two other domains. The first domain is systems assurance. Systems assurance is the practice of hardening operating systems against known threats, analyzing and auditing hardware and devices for known threats, and remediating the devices and computing platforms within the enterprise. For instance, the proper configuration and defensive strategies employed to protect a network, and specifically a router, would be considered systems assurance. Ensuring that user accounts within the enterprise are active and properly used with the correct permissions would be considered systems assurance. Creating an operational environment that is physically secure and emissions secure is also part of systems assurance. Several other topics fit within the systems assurance role, and as a discipline it is rapidly maturing.

The second domain of information assurance appears to be more diffuse. Software assurance is a selection of subdisciplines merged into a practice. Software assurance is the practice of requirements gathering, secure coding, testing, auditing, and implementation of software in the enterprise, protecting against known vulnerabilities. Software assurance is the preparation of source code such that known vulnerabilities are excluded from the product. Software assurance is also about preparing robust source code so that unknown vulnerabilities create secure failure conditions. Preparation can include auditing commercial off-the-shelf (COTS) software, free/open source software (F/OSS) being implemented within the enterprise, or third-party prepared or contracted source code.

Software assurance includes the computer science topics normally associated with it, such as Software Engineering (SE), Software Quality Assurance (SQA), Highly Assured Computing (HAC), the Capability Maturity Model (CMM), and other development lifecycle issues. Further, software assurance includes domain-crossing topics such as end of life cycle, maintenance, retirement, reusability, and legacy adaptation strategies. Software assurance definitively includes practice-oriented computing concepts including secure coding, threat modeling, vulnerability analysis, implementation, auditing, and defensive integration of software within the enterprise.
