Software assurance

Last updated August 11, 2024

Software assurance (SwA) is a critical process in software development that ensures the reliability, safety, and security of software products.^[1] It involves a variety of activities, including requirements analysis, design reviews, code inspections, testing, and formal verification. One crucial component of software assurance is secure coding practices, which follow industry-accepted standards and best practices, such as those outlined by the Software Engineering Institute (SEI) in their CERT Secure Coding Standards (SCS).^[2]

Initiatives
Why does software assurance matter?
Execution
Techniques
Tools
Alternate definitions
United States Department of Homeland Security (DHS)
United States Department of Defense (DoD)
Software Assurance Metrics and Tool Evaluation (SAMATE) project
National Aeronautics and Space Administration (NASA)
Object Management Group (OMG)
Software Assurance Forum for Excellence in Code (SAFECode)
See also
References
External links

Another vital aspect of software assurance is testing, which should be conducted at various stages of the software development process and can include functional testing, performance testing, and security testing.^[3] Testing helps to identify any defects or vulnerabilities in software products before they are released. Furthermore, software assurance involves organizational and management practices like risk management and quality management to ensure that software products meet the needs and expectations of stakeholders.^[4]

Software assurance aims to ensure that software is free from vulnerabilities and functions as intended, conforming to all requirements and standards governing the software development process.^[3] Additionally, software assurance aims to produce software-intensive systems that are more secure. To achieve this, a preventive dynamic and static analysis of potential vulnerabilities is required, and a holistic, system-level understanding is recommended. Architectural risk analysis plays an essential role in any software security program, as design flaws account for 50% of security problems, and they cannot be found by staring at code alone.^[5]

By following industry-accepted standards and best practices, incorporating testing and management practices, and conducting architectural risk analysis, software assurance can minimize the risk of system failures and security breaches, making it a critical aspect of software development.

Initiatives

Software assurance initiatives are programs and activities designed to ensure the quality, reliability, and security of software systems. These initiatives are important because software is used in a wide range of applications, from business operations to critical infrastructure, and defects or vulnerabilities in software can have serious consequences.

There are several types of software assurance initiatives, including:

Certification and accreditation: These programs establish standards and guidelines for software development, and verify that software products meet these standards. Certification and accreditation can help to ensure that software products are reliable, secure, and compliant with regulations and industry standards.^[6]
Training and education: These initiatives provide software developers with the knowledge and skills they need to create high-quality, secure software. Training and education can include courses on software testing, secure coding practices, and industry standards and best practices.^[7]
Code analysis and testing: These initiatives use tools and techniques to analyze software code and identify defects or vulnerabilities. Code analysis and testing can include static analysis, dynamic analysis, and fuzz testing, among other techniques.^[8]
Threat modeling and risk assessment: These initiatives assess the potential risks and threats to a software system, and identify strategies for mitigating these risks. Threat modeling and risk assessment can help to ensure that software systems are designed to be resilient to attacks and other threats.^[21]

Why does software assurance matter?

In today's digital world, software is used to control a wide range of devices and systems, including cars, medical devices, financial systems, and military equipment. Ensuring the reliability, safety, and security of software products is therefore critical. Without proper testing and verification, software can contain defects and vulnerabilities that can lead to system failures, security breaches, and other serious problems with negative consequences for individuals, businesses, and society as a whole.^[9]

The National Institute of Standards and Technology (NIST) defines software assurance as "the level of confidence that software is free from vulnerabilities, either intentionally designed into the software or accidentally inserted at any time during its life cycle, and that the software functions in the intended manner"^[22]. Organizations can reduce the risk of costly system failures, data breaches, and other negative outcomes by ensuring software assurance.

In addition to the potential risks associated with software defects and vulnerabilities, there are legal and regulatory requirements related to software assurance. Failure to comply with these regulations can result in legal and financial penalties. For example, organizations that develop software for certain industries may be subject to regulations that require them to ensure the safety and security of their products.

Many critical functions, such as national defense, banking, healthcare, telecommunications, aviation, and control of hazardous materials, depend on the correct and predictable operation of software.^[10] If the software-intensive systems that support these activities fail, they could be seriously disrupted. Therefore, it is essential for organizations to implement software testing and verification techniques and tools to reduce the risk of system failures and security breaches.

Execution

Software assurance is executed through a series of activities that aim to ensure the reliability, safety, and security of software products. These activities include requirements analysis, design reviews, code inspections, testing, and formal verification.^[1]

Requirements analysis involves identifying and defining the functional and non-functional requirements of the software product. This includes understanding the purpose of the software, its intended users, and any relevant standards or regulations that must be met.^[11]
Design reviews involve evaluating the software design to ensure that it meets the requirements and is implementable. This includes checking for design flaws, errors, or omissions that could impact the software's reliability, safety, or security.^[24]
Code inspections involve reviewing the code to ensure that it conforms to industry-accepted standards and best practices. This includes checking for code quality, readability, and maintainability, as well as identifying potential vulnerabilities or security issues.^[2]
Testing involves executing the software to identify defects or vulnerabilities that could impact its reliability, safety, or security. This includes functional testing, performance testing, and security testing, among other types of testing.^[3]
Formal verification involves using mathematical or logical methods to prove that the software behaves as intended and does not contain any defects or vulnerabilities. This includes techniques such as model checking, theorem proving, and static analysis.^[1]

Techniques

Software testing and verification are techniques used to identify and address defects and vulnerabilities in software code. There are several types of testing and verification techniques, including functional testing, performance testing, and security testing.^[3]

Machine learning is increasingly used in software assurance to detect software problems. With the ability to analyze large volumes of data, machine learning can identify patterns and anomalies that may go unnoticed by humans. The use of machine learning can ultimately improve the quality and security of software.^[12]
Functional testing is used to ensure that the software performs the functions it is intended to perform. This type of testing involves running the software and testing its features and functionality to ensure that it works as expected. ^[4]
Performance testing is used to measure the speed, responsiveness, and stability of the software. This type of testing involves simulating real-world scenarios to ensure that the software can handle the load and perform well under various conditions. ^[4]
Security testing is used to identify vulnerabilities and weaknesses in the software that could be exploited by attackers. This type of testing involves using various techniques to attempt to breach the security of the software, such as penetration testing and vulnerability scanning.^[3]
In addition to testing, verification techniques are used to ensure that the software code is correct and free of defects. This includes techniques such as code reviews, formal verification, and static analysis. ^[1]
Code reviews involve checking the code to ensure that it conforms to industry-accepted standards and best practices. This includes checking for code quality, readability, and maintainability, as well as identifying potential vulnerabilities or security issues.^[2]
Formal verification involves using mathematical or logical methods to prove that the software behaves as intended and does not contain any defects or vulnerabilities. This includes techniques such as model checking, theorem proving, and static analysis. ^[1]
Static analysis involves analyzing the software code without executing it, to identify potential defects or vulnerabilities. This includes techniques such as code analysis tools and code inspections.^[2]

Tools

Software testing and verification tools are used to identify and address defects and vulnerabilities in software code. There are several types of testing and verification tools, including:

Artificial intelligence (AI) is increasingly being used in software assurance to identify and address defects and vulnerabilities in software code. AI techniques such as machine learning and natural language processing can be used to automate testing and verification processes, making them faster and more efficient.^[13]
Static analysis tools: These tools analyze the source code of a software application without executing it, to identify potential defects or vulnerabilities. Static analysis tools can be used to detect issues related to code quality, security, and compliance with coding standards.^[14]
Dynamic analysis tools: These tools analyze the behavior of a software application while it is running, to identify defects or vulnerabilities that may not be apparent in the source code. Dynamic analysis tools can be used to detect issues related to performance, memory usage, and security.^[25]
Fuzz testing tools: These tools generate random input to a software application, to test its resilience to unexpected or malformed data. Fuzz testing tools can be used to detect issues related to input validation, memory management, and security.^[25]
Penetration testing tools: These tools simulate attacks on a software application, to identify vulnerabilities that could be exploited by attackers. Penetration testing tools can be used to detect issues related to security, such as SQL injection, cross-site scripting, and buffer overflows.^[15]
Test management tools: These tools are used to manage the software testing process, including test case creation, execution, and reporting. Test management tools can help to ensure that all required tests are conducted, and that defects are tracked and resolved.^[24]

Alternate definitions

United States Department of Homeland Security (DHS)

According to the DHS, software assurance addresses:

Trustworthiness - no exploitable vulnerabilities exist, either maliciously or unintentionally inserted;
Predictable Execution - justifiable confidence that software, when executed, functions as intended;
Conformance - planned and systematic set of multi-disciplinary activities that ensure software processes and products conform to requirements, standards/ procedures.

Contributing SwA disciplines, articulated in bodies of knowledge and core competencies: software engineering, systems engineering, information systems security engineering, information assurance, test and evaluation, safety, security, project management, and software acquisition.^[16]

Software assurance is a strategic initiative of the US Department of Homeland Security (DHS) to promote integrity, security, and reliability in software. The SwA Program is based upon the National Strategy to Secure Cyberspace - Action/Recommendation 2-14:

“DHS will facilitate a national public-private effort to promulgate best practices and methodologies that promote integrity, security, and reliability in software code development, including processes and procedures that diminish the possibilities of erroneous code, malicious code, or trap doors that could be introduced during development.”^[17] There are open-source software tools for software assurance that help identify potential security vulnerabilities.^[18]

United States Department of Defense (DoD)

For the DoD, SwA is defined as "the level of confidence that software functions only as intended and is free of vulnerabilities, either intentionally or unintentionally designed or inserted as part of the software, throughout the life cycle.^[19] DoD is developing SwA as a sound systems engineering practice as demonstrated by two recent publications funded by JFAC with development led by the Software Engineering Institute (SEI) and expert practitioners within the Military Services and NSA. The Program Manager's SwA Guidebook shows how SwA should be planned, resourced, and managed while the Developer's SwA Guidebook recommends tailorable technical practices throughout the life cycle.^[20] Both of these documents are the first of their kind, and awarded.^[21] The two enterprise-scale organizations in DoD building SwA capability are the Joint Federated Assurance Center (JFAC)^[22] and the DoD SwA Community of practice which has operated as a quarterly collegial forum 32 consecutive gatherings. Both are open to other parts of the US Government. The JFAC Charter is available at its website. To develop wider situational awareness of the families of SwA tools commercially available, JFAC funded the Institute for Defense Analysis (IDA) to produce the State of the Art Resource (SOAR).^[23] A recent innovation in "engineering-in" SwA throughout the life cycle is coupling selected NIST 800-53 controls to engineering tasks so that the engineering results define the Risk Management Framework (RMF) and drive the Authority to Operate (ATO). A package including Data Item Descriptions (DIDs), machine-readable vulnerability report formats, and a brief overviewing application of the techniques is available at the JFAC website. Other disruptive innovations are in process.

Software Assurance Metrics and Tool Evaluation (SAMATE) project

According to the NIST SAMATE project,^[24] software assurance is "the planned and systematic set of activities that ensures that software processes and products conform to requirements, standards, and procedures to help achieve:

Trustworthiness - No exploitable vulnerabilities exist, either of malicious or unintentional origin, and
Predictable Execution - Justifiable confidence that software, when executed, functions as intended."

National Aeronautics and Space Administration (NASA)

According to NASA, software assurance is a "planned and systematic set of activities that ensures that software processes and products conform to requirements, standards, and procedures. It includes the disciplines of quality assurance, quality engineering, verification and validation, nonconformance reporting and corrective action, safety assurance, and security assurance and their application during a software life cycle." The NASA Software Assurance Standard also states: "The application of these disciplines during a software development life cycle is called software assurance."^[25]

Object Management Group (OMG)

According to the OMG, software assurance is “justifiable trustworthiness in meeting established business and security objectives.”^[26]

OMG's SwA Special Interest Group (SIG),^[27] works with Platform and Domain Task Forces and other software industry entities and groups external to the OMG, to coordinate the establishment of a common framework for analysis and exchange of information related to software trustworthiness by facilitating the development of a specification for a Software Assurance Framework ^[28] that will:

Establish a common framework of software properties that can be used to represent any/all classes of software so software suppliers and acquirers can represent their claims and arguments(respectively), along with the corresponding evidence, employing automated tools (to address scale)
Verify that products have sufficiently satisfied these characteristics in advance of product acquisition, so that system engineers/integrators can use these products to build (compose) larger assured systems with them
Enable industry to improve visibility into the current status of software assurance during development of its software
Enable industry to develop automated tools that support the common framework.

Software Assurance Forum for Excellence in Code (SAFECode)

According to SAFECode, software assurance is “confidence that software, hardware and services are free from intentional and unintentional vulnerabilities and that the software functions as intended.”^[29]

Related Research Articles

In computer science, static program analysis is the analysis of computer programs performed without executing them, in contrast with dynamic program analysis, which is performed on programs during their execution in the integrated environment.

<span class="mw-page-title-main">Software testing</span> Checking software against a standard

Software testing is the act of checking whether software satisfies expectations.

Regression testing is re-running functional and non-functional tests to ensure that previously developed and tested software still performs as expected after a change. If not, that would be called a regression.

In computer science, program analysis is the process of automatically analyzing the behavior of computer programs regarding a property such as correctness, robustness, safety and liveness. Program analysis focuses on two major areas: program optimization and program correctness. The first focuses on improving the program’s performance while reducing the resource usage while the latter focuses on ensuring that the program does what it is supposed to do.

Code review is a software quality assurance activity in which one or more people check a program, mainly by viewing and reading parts of its source code, either after implementation or as an interruption of implementation. At least one of the persons must not have authored the code. The persons performing the checking, excluding the author, are called "reviewers".

In software project management, software testing, and software engineering, verification and validation is the process of checking that a software engineer system meets specifications and requirements so that it fulfills its intended purpose. It may also be referred to as software quality control. It is normally the responsibility of software testers as part of the software development lifecycle. In simple terms, software verification is: "Assuming we should build X, does our software achieve its goals without any bugs or gaps?" On the other hand, software validation is: "Was X what we should have built? Does X meet the high-level requirements?"

A penetration test, colloquially known as a pentest, is an authorized simulated cyberattack on a computer system, performed to evaluate the security of the system; this is not to be confused with a vulnerability assessment. The test is performed to identify weaknesses, including the potential for unauthorized parties to gain access to the system's features and data, as well as strengths, enabling a full risk assessment to be completed.

In the context of software engineering, software quality refers to two related but distinct notions:

Software quality assurance (SQA) is a means and practice of monitoring all software engineering processes, methods, and work products to ensure compliance against defined standards. It may include ensuring conformance to standards or models, such as ISO/IEC 9126, SPICE or CMMI.

Application security includes all tasks that introduce a secure software development life cycle to development teams. Its final goal is to improve security practices and, through that, to find, fix and preferably prevent security issues within applications. It encompasses the whole application life cycle from requirements analysis, design, implementation, verification as well as maintenance.

Security testing is a process intended to detect flaws in the security mechanisms of an information system and as such help enable it to protect data and maintain functionality as intended. Due to the logical limitations of security testing, passing the security testing process is not an indication that no flaws exist or that the system adequately satisfies the security requirements.

Software safety is an engineering discipline that aims to ensure that software, which is used in safety-related systems, does not contribute to any hazards such a system might pose. There are numerous standards that govern the way how safety-related software should be developed and assured in various domains. Most of them classify software according to their criticality and propose techniques and measures that should be employed during the development and assurance:

Software security assurance is a process that helps design and implement software that protects the data and resources contained in and controlled by that software. Software is itself a resource and thus must be afforded appropriate security.

Quality engineering is the discipline of engineering concerned with the principles and practice of product and service quality assurance and control. In software development, it is the management, development, operation and maintenance of IT systems and enterprise architectures with high quality standard.

Requirements traceability is a sub-discipline of requirements management within software development and systems engineering. Traceability as a general term is defined by the IEEE Systems and Software Engineering Vocabulary as (1) the degree to which a relationship can be established between two or more products of the development process, especially products having a predecessor-successor or primary-subordinate relationship to one another; (2) the identification and documentation of derivation paths (upward) and allocation or flowdown paths (downward) of work products in the work product hierarchy; (3) the degree to which each element in a software development product establishes its reason for existing; and (4) discernible association among two or more logical entities, such as requirements, system elements, verifications, or tasks.

In software engineering, a software development process or software development life cycle is a process of planning and managing software development. It typically involves dividing software development work into smaller, parallel, or sequential steps or sub-processes to improve design and/or product management. The methodology may include the pre-definition of specific deliverables and artifacts that are created and completed by a project team to develop or maintain an application.

IT risk management is the application of risk management methods to information technology in order to manage IT risk, i.e.:

Development testing is a software development process that involves synchronized application of a broad spectrum of defect prevention and detection strategies in order to reduce software development risks, time, and costs.

This article discusses a set of tactics useful in software testing. It is intended as a comprehensive list of tactical approaches to software quality assurance and general application of the test method.

Code Dx, Inc. was an American software technology company active from 2015 to 2021. The company's flagship product, Code Dx, is a vulnerability management system that combines and correlates the results generated by a wide variety of static and dynamic testing tools. In 2021, the company was acquired by Synopsys.

References

↑ Stavrou, A., Bos, H., Portokalidis, G., & van der Meyden, R. (2017). Software assurance: a roadmap. 60(1), 71-79: Communications of the ACM.{{cite book}}: CS1 maint: location (link) CS1 maint: multiple names: authors list (link)
↑ SEI (n.d). CERT Secure Coding Standards. Software Engineering Institute.
↑ ISO (2015). ISO/IEC/IEEE 12207:2015 - Systems and software engineering -- Software life cycle processes. ISO.
↑ IEEE (2019). IEEE 730-2019 - IEEE Standard for Software Quality Assurance Processes. IEEE.
↑ McGraw, Gary (2006). Software Security: Building Security In. Addison-Wesley. p. 75. ISBN 0-321-35670-5.
↑ "Software assurance: What is it and why do I need it?" (PDF). Department of Homeland Security.
↑ Threat Modeling. Microsoft.
↑ "NICE Cybersecurity Workforce Framework". NIST. National Institute of Standards and Technology. November 13, 2019.
↑ "Software Assurance". National Institute of Standards and Technology (NIST).
↑ "Software Assurance". Software Engineering Institute (SEI).
↑ IEEE (2018). IEEE 1012-2016 - IEEE Standard for System and Software Verification and Validation. IEEE.
↑ H. Guissouma, A. Lauber, A. Mkadem, E. Sax (2019). "Virtual Test Environment for Efficient Verification of Software Updates for Variant-Rich Automotive Systems". 2019 IEEE International Systems Conference (Sys Con). IEEE. pp. 1–8. doi:10.1109/SYSCON.2019.8836898. ISBN 978-1-5386-8396-5. S2CID 199015634.{{cite book}}: CS1 maint: multiple names: authors list (link)
↑ J. Gao, C. Tao, D. Jie ĺ, S. Luĺ (2019). What is AI Software Testing? and Why. 2019 IEEE International Conference on Service-Oriented System Engineering (SOSE).{{cite book}}: CS1 maint: multiple names: authors list (link)
↑ Gligoric, M., Lopes, C. V., & Pasareanu, C. S. Software testing and analysis in the real world. Communications of the ACM. p. 58(4), 66-75.{{cite book}}: CS1 maint: multiple names: authors list (link)
↑ Kim, J., Kantarcioglu, M., & Thuraisingham, B. (2016). Security and privacy challenges in big data. Journal of Big Data. p. 3(1), 1-14.{{cite book}}: CS1 maint: multiple names: authors list (link)
↑ Build Security In Home (December 2, 2011). "DHS Build Security In web portal". Buildsecurityin.us-cert.gov. Archived from the original on May 17, 2006. Retrieved May 8, 2013.
↑ Build Security In Home (December 2, 2011). "Build Security In Home". Buildsecurityin.us-cert.gov. Archived from the original on May 17, 2006. Retrieved May 8, 2013.
↑ "Open source (software) assurance tools". Archived from the original on September 11, 2014.
↑ PUBLIC LAW 112–239—JAN. 2, 2013, NATIONAL DEFENSE AUTHORIZATION ACT FOR FISCAL YEAR 2013, section 933.
↑ https://resources.sei.cmu.edu/library/asset-view.cfm?assetid=538756 and https://resources.sei.cmu.edu/library/asset-view.cfm?assetid=538771
↑ and https://www.isc2.org/News-and-Events/Press-Room/Posts/2019/06/17/ISC2-Announces-2019-Information-Security-Leadership-Awards-Government-Winners
↑ PUBLIC LAW 113–66—DEC. 26, 2013, NATIONAL DEFENSE AUTHORIZATION ACT FOR FISCAL YEAR 2014, section 937
↑ "State of the art resources". IDA. Retrieved September 27, 2023.
↑ "Main Page - SAMATE project". Samate.nist.gov. Retrieved May 8, 2013.
↑ NASA-STD-2201-93 Archived July 2, 2006, at the Wayback Machine "Software Assurance Standard", November 10, 1992
↑ OMG Software Assurance (SwA) Special Interest Group (SIG) http://adm.omg.org/SoftwareAssurance.pdf Archived September 29, 2011, at the Wayback Machine and http://swa.omg.org/docs/softwareassurance.v3.pdf Archived October 12, 2006, at the Wayback Machine
↑ "Omg Swa Sig". Swa.omg.org. February 26, 2010. Archived from the original on December 3, 2020. Retrieved May 8, 2013.
↑ CISQ compliant IT system omg.org ^{[ dead link ]}
↑ "Software Assurance: An Overview of Current Industry Best Practices" (PDF). Archived from the original (PDF) on May 13, 2013. Retrieved May 8, 2013.

External links

DHS "Build Security In" information resource
DHS SwA Community of Practice portal
NIST Software Assurance Metrics and Tool Evaluation (SAMATE) project
Object Management Group SwA SIG Archived December 3, 2020, at the Wayback Machine
Software Assurance Forum for Excellence in Code (SAFECode)
NASA Software Assurance Guidebook and Standard (see quality assurance in IEEE 610.12 IEEE Standard Glossary of Software Engineering Terminology).
Software Security Assurance State of the Art Report (SOAR)

This page is based on this Wikipedia article
Text is available under the CC BY-SA 4.0 license; additional terms may apply.
Images, videos and audio are available under their respective licenses.

[1] Stavrou, A., Bos, H., Portokalidis, G., & van der Meyden, R. (2017). Software assurance: a roadmap. 60(1), 71-79: Communications of the ACM.{{cite book}}: CS1 maint: location (link) CS1 maint: multiple names: authors list (link)

[2] SEI (n.d). CERT Secure Coding Standards. Software Engineering Institute.

[3] ISO (2015). ISO/IEC/IEEE 12207:2015 - Systems and software engineering -- Software life cycle processes. ISO.

[4] IEEE (2019). IEEE 730-2019 - IEEE Standard for Software Quality Assurance Processes. IEEE.

[5] McGraw, Gary (2006). Software Security: Building Security In. Addison-Wesley. p. 75. ISBN 0-321-35670-5.

[6] "Software assurance: What is it and why do I need it?" (PDF). Department of Homeland Security.

[7] Threat Modeling. Microsoft.

[8] "NICE Cybersecurity Workforce Framework". NIST. National Institute of Standards and Technology. November 13, 2019.

[9] "Software Assurance". National Institute of Standards and Technology (NIST).

[10] "Software Assurance". Software Engineering Institute (SEI).

[11] IEEE (2018). IEEE 1012-2016 - IEEE Standard for System and Software Verification and Validation. IEEE.

[12] H. Guissouma, A. Lauber, A. Mkadem, E. Sax (2019). "Virtual Test Environment for Efficient Verification of Software Updates for Variant-Rich Automotive Systems". 2019 IEEE International Systems Conference (Sys Con). IEEE. pp. 1–8. doi:10.1109/SYSCON.2019.8836898. ISBN 978-1-5386-8396-5. S2CID 199015634.{{cite book}}: CS1 maint: multiple names: authors list (link)

[13] J. Gao, C. Tao, D. Jie ĺ, S. Luĺ (2019). What is AI Software Testing? and Why. 2019 IEEE International Conference on Service-Oriented System Engineering (SOSE).{{cite book}}: CS1 maint: multiple names: authors list (link)

[14] Gligoric, M., Lopes, C. V., & Pasareanu, C. S. Software testing and analysis in the real world. Communications of the ACM. p. 58(4), 66-75.{{cite book}}: CS1 maint: multiple names: authors list (link)

[15] Kim, J., Kantarcioglu, M., & Thuraisingham, B. (2016). Security and privacy challenges in big data. Journal of Big Data. p. 3(1), 1-14.{{cite book}}: CS1 maint: multiple names: authors list (link)

[16] Build Security In Home (December 2, 2011). "DHS Build Security In web portal". Buildsecurityin.us-cert.gov. Archived from the original on May 17, 2006. Retrieved May 8, 2013.

[17] Build Security In Home (December 2, 2011). "Build Security In Home". Buildsecurityin.us-cert.gov. Archived from the original on May 17, 2006. Retrieved May 8, 2013.

[18] "Open source (software) assurance tools". Archived from the original on September 11, 2014.

[19] PUBLIC LAW 112–239—JAN. 2, 2013, NATIONAL DEFENSE AUTHORIZATION ACT FOR FISCAL YEAR 2013, section 933.

[20] ttps://resources.sei.cmu.edu/library/asset-view.cfm?assetid=538756 and https://resources.sei.cmu.edu/library/asset-view.cfm?assetid=538771

[21] ttps://www.isc2.org/News-and-Events/Press-Room/Posts/2019/06/17/ISC2-Announces-2019-Information-Security-Leadership-Awards-Government-Winners

[22] PUBLIC LAW 113–66—DEC. 26, 2013, NATIONAL DEFENSE AUTHORIZATION ACT FOR FISCAL YEAR 2014, section 937

[23] "State of the art resources". IDA. Retrieved September 27, 2023.

[24] "Main Page - SAMATE project". Samate.nist.gov. Retrieved May 8, 2013.

[25] NASA-STD-2201-93 Archived July 2, 2006, at the Wayback Machine "Software Assurance Standard", November 10, 1992

[26] OMG Software Assurance (SwA) Special Interest Group (SIG) http://adm.omg.org/SoftwareAssurance.pdf Archived September 29, 2011, at the Wayback Machine and http://swa.omg.org/docs/softwareassurance.v3.pdf Archived October 12, 2006, at the Wayback Machine

[27] "Omg Swa Sig". Swa.omg.org. February 26, 2010. Archived from the original on December 3, 2020. Retrieved May 8, 2013.

[28] CISQ compliant IT system omg.org ^{[ dead link ]}

[29] "Software Assurance: An Overview of Current Industry Best Practices" (PDF). Archived from the original (PDF) on May 13, 2013. Retrieved May 8, 2013.

[1]

[2]

[3]

[4]

[5]

[6]

[7]

[8]

[9]

[10]

[11]

[12]

[13]

[14]

[15]

[16]

[17]

[18]

[19]

[20]

[21]

[22]

[23]

[24]

[25]

[26]

[27]

[28]

[29]