Software Assurance (SwA) is the level of confidence that software is free from vulnerabilities, either intentionally designed into the software or accidentally inserted at any time during its lifecycle, and that software functions in the intended manner.
Why Software Assurance Is Critical to Today's Army: Software continues to take on an increasingly pervasive and essential role in Army systems. Mission Critical Defense Systems (MCDS) built with inadequate security and unknown but critical flaws put military data, operations and sensitive information at significant risk, especially given that most of these systems operate on the Department of Defense Information Networks (DoDIN).
Initiative: Adopt common software assurance throughout a POR's life cycle
Improve operational cybersecurity posture
Reduce risks (performance, reliability, security) across the life cycle
Our workforce must be developed to understand what software assurance is and what their role is. It is not just the computer engineers and scientists, everyone involved in the acquisition and software development life cycles have a role to play.
Establishing and gaining adoption of regulations, instructions, tactics, techniques and procedures at all organizational levels.
Establishing and Maintaining a SwA Infrastructure
A good software development infrastructure includes tools and capabilities to enhance software assurance. Automated tools are a necessity given the sheer volume of software lines of code. Visual inspection cannot be depended on.
A well established and executed SwA program delivers Performance, Readiness, and Security. These are the three pillars of strength that SwA can provide to increase overall Cyber Readiness.
SEC's Software Assurance Process
SEC's process begins when we receive source code from our customer. SEC scans the code with a suite of analysis tools.
SEC's Software Assurance experts analyze the individual findings, in order to determine whether they are true vulnerabilities in the application, and how much risk they introduce.
Based on the analysts' assessment, SEC generates actionable reports for developers and executives, to understand the true risk of systems, and how to remediate issues.
SEC's process can be applied as validation after a development effort, or iteratively during the development process, enabling assurance to be "built into" the software throughout its life cycle.
Why a suite of tools? Research has shown that using any one software assurance tool is used on its own generally finds less than 30% of the defects in software. By using multiple tools SEC is able to increase its testing coverage and reduce the residual risk to systems. However, as more tools are used, more findings are identified, so SEC leverages correlation and normalization technology to reduce duplication and generate unified finding lists. This reduces the time required for SEC to perform analysis of systems while ensuring that they have a high level of assurance.