Today’s post is authored by Prof. Howard A. Schmidt, SAFECode Executive Director

Today’s news of the availability of our Principles for Software Assurance Assessment is a key milestone and deliverable in SAFECode’s mission to increase trust in information and communications technology products and services through the advancement of proven software assurance methods.

The key benefits of the paper are twofold. First, it helps organizations become more effective in assessing software security assurance by giving them the information they need to understand how to assess the right things. Second, it provides a method for assessing software security assurance in a repeatable and scalable fashion for both the vendor and the customer. Essentially, it offers a foundational starting point from which companies are in a better position to ask the right questions about security and risk and to build a more productive, security-focused dialogue between suppliers and customers going forward.

Why now? Well, at SAFECode, we know all too well that organizations have become increasingly concerned about security, about sophisticated attacks and about how to minimize risk. When acquiring software, customers worry about introducing new vulnerabilities into their IT environments that could compromise customer data, disrupt business services and jeopardize trust. For quite some time, we’ve heard from companies that expressed frustration over the lack of a widely accepted method, both repeatable and scalable, for assessing the security of acquired software. While many initiatives have formed to tackle this issue at some level, we know that there is no single practice, tool or checklist that can guarantee better software assurance.

It was clear to us that companies needed an evaluative framework to help them select and purchase more secure technology products, better assess their technology suppliers and manage their broader IT risk. So, over the course of a year, SAFECode gathered feedback on the biggest challenges in dealing with software suppliers, identified what is most helpful in the risk assessment process and what provided the most assistance in helping companies meet their requirements for effective security assessment. We took that feedback and combined it with an analysis of what SAFECode member organizations actually see and do in their day-to-day software assurance efforts. To broaden our perspective, we worked collaboratively with other stakeholders, including non-vendor enterprises and testing tool vendors, and drew on FS-ISAC work on managing the security of acquired software. From that research and extensive collaboration, we were able to create the Principles for Software Assurance Assessment as the answer to the market need, the customer and supplier questions and the many organizational security assurance concerns.

Our paper is different from other initiatives because it was created as a framework (not an evaluative checklist) for thinking about security assurance concerns, with a process-based assessment for adopting best-practice strategies. One of the most important things our collective experience has taught us is that software security comes from a secure development process. So, the paper provides a framework for examining the secure development process of commercial technology providers and is centered on a process-based approach that benefits both customers and suppliers. It identifies what vendors can and cannot assert and explains why a process matters more than a checklist, which can sometimes be counterproductive. Using the Principles for Software Assurance Assessment, organizations can gauge the maturity of a vendor’s software security process and review the merits and fit of different solutions as part of a supplier assessment.

As a security-focused organization, SAFECode works not only to improve software security practices, but also to better communicate and demonstrate to customers what these best practices mean for their risk management efforts. We believe more transparency in software assurance practices is essential for key stakeholders to manage risk more easily and effectively.

We encourage you to download the Principles for Software Assurance Assessment and use it as a resource for software security assurance assessment. We welcome your feedback and comments on our paper, and if you have something to add to the conversation, consider joining our efforts. For further discussion on this topic, I would encourage you to read today’s release, my past related blog post on the issue and the past blog post from Steve Lipner and Eric Blaize, and stay tuned for more.