Trustworthy Software Foundation

The Trustworthy Software Foundation
Founded	2016
Type	Not For Profit Foundation
Focus	Software Development
Location	London, United Kingdom;
Origins	Trustworthy Software Initiative (TSI)
Area served	Worldwide
Method	Standards and their Verification
Key people	Alastair Revell (Chairman)
Website	www.tsfdn.org

Last updated April 14, 2024

The Trustworthy Software Foundation (TSFdn)^[1] is a UK not-for-profit organisation, with stated aim of improving software.^{[ citation needed ]}

History

TSFdn evolved from a number of previous activities:

A study by the Cabinet Office, Central Sponsor for Information Assurance (CSIA) in 2004-5 which identified a pervasive lack of secure software development practices as a matter for concern
A Department of Trade and Industry (DTI – predecessor of BIS) Global Watch Report in 2006 which noted a relative lack of secure software development practices in the UK
The Technology Strategy Board (TSB) Cyber Security Knowledge Transfer Network (CSKTN) Special Interest Group (SIG) on Secure Software Development (SSD, 2007–8)
The TSB / Foreign and Commonwealth Office (FCO) Science and Innovation Network (SIN) Multinational Workshop “Challenges to building in … information security, privacy and assurance”, held in Paris in March 2009
The Secure Software Development Partnership (SSDP) Study Period, funded jointly by the UK government' TSB and the Centre for the Protection of National Infrastructure (CPNI) organisations, which ran in 2009-2010
The Trustworthy Software Initiative (TSI—originally Software Security, Dependability and Resilience Initiative—SSDRI), a UK public good activity sponsored^[2] by CPNI between 2011 and 2016

Objectives

TSFdn primarily aims to provide a living backbone for signposting to diverse but often obscure sources of Good Practice, with a secondary objective to address other aspects of the 2009 Trustworthy Software Roadmap.^[3]

Trustworthiness

TSI considers that there are five facets of trustworthiness:

Safety - The ability of the system to operate without harmful states
Reliability - The ability of the system to deliver services as specified
Availability - The ability of the system to deliver services when requested
Resilience - The ability of the system to transform, renew, and recover in timely response to events
Security - The ability of the system to remain protected against accidental or deliberate attacks

This definition of trustworthiness is an extension of a widely used definition of dependability,^[4] adding as a 5th Facet of Resilience based on the UK Government approach.^[5]

Governance and Operation

TSFdn operates as a not-for-profit Company Limited by Guarantee, jointly owned by the subscriber organisations – UK professional bodies.^[6]

It is based at the Cyber Security Centre of the University of Warwick, and is formally linked to a cross section of stakeholders through the Advisory Committee on Trustworthy Software (ACTS).

The Technical Lead remains Ian Bryant, the Technical Director of the predecessor TSI, and the Chair of the ACTS is Sir Edmund Burton KBE,^[7] who was the President of the predecessor TSI.

Activities

Updating its Trustworthy Software Framework (TSFr), originally published as British Standards (BS) Publicly Available Specification (PAS) 754, into a British Standard (through BSI Project Committee ICT/00-/09, Chaired by Ian Bryant)
Continuing to engage with partners for promulgation of Software Trustworthiness across Education, in particular through the IAP, BCS and the IET

Related Research Articles

Security is protection from, or resilience against, potential harm. Beneficiaries of security may be persons and social groups, objects and institutions, ecosystems, or any other entity or phenomenon vulnerable to unwanted change.

In systems engineering, dependability is a measure of a system's availability, reliability, maintainability, and in some cases, other characteristics such as durability, safety and security. In real-time computing, dependability is the ability to provide services that can be trusted within a time-period. The service guarantees must hold even when the system is subject to attacks or natural failures.

Secure by design, in software engineering, means that software products and capabilities have been designed to be foundationally secure.

Software assurance (SwA) is a critical process in software development that ensures the reliability, safety, and security of software products. It involves a variety of activities, including requirements analysis, design reviews, code inspections, testing, and formal verification. One crucial component of software assurance is secure coding practices, which follow industry-accepted standards and best practices, such as those outlined by the Software Engineering Institute (SEI) in their CERT Secure Coding Standards (SCS).

Information security standards or cyber security standards are techniques generally outlined in published materials that attempt to protect the cyber environment of a user or organization. This environment includes users themselves, networks, devices, all software, processes, information in storage or transit, applications, services, and systems that can be connected directly or indirectly to networks.

A cybersecurity regulation comprises directives that safeguard information technology and computer systems with the purpose of forcing companies and organizations to protect their systems and information from cyberattacks like viruses, worms, Trojan horses, phishing, denial of service (DOS) attacks, unauthorized access and control system attacks. While cybersecurity regulations aim to minimize cyber risks and enhance protection, the uncertainty arising from frequent changes or new regulations can significantly impact organizational response strategies.

The Information Trust Institute (ITI) was founded in 2004 as an interdisciplinary unit designed to approach information security research from a systems perspective. It examines information security by looking at what makes machines, applications, and users trustworthy. Its mission is to create computer systems, software, and networks that society can depend on to be trustworthy, meaning secure, dependable, correct, safe, private, and survivable. ITI's stated goal is to create a new paradigm for designing trustworthy systems from the ground up and validating systems that are intended to be trustworthy.

The National Protective Security Authority (NPSA), formerly the Centre for the Protection of National Infrastructure (CPNI), is the national technical authority in the United Kingdom for physical and personnel protective security, maintaining expertise in counter terrorism as well as state threats.

A supply chain attack is a cyber-attack that seeks to damage an organization by targeting less secure elements in the supply chain. A supply chain attack can occur in any industry, from the financial sector, oil industry, to a government sector. A supply chain attack can happen in software or hardware. Cybercriminals typically tamper with the manufacturing or distribution of a product by installing malware or hardware-based spying components. Symantec's 2019 Internet Security Threat Report states that supply chain attacks increased by 78 percent in 2018.

A resilient control system is one that maintains state awareness and an accepted level of operational normalcy in response to disturbances, including threats of an unexpected and malicious nature".

Lieutenant-General Sir Edmund Fortescue Gerard Burton KBE is a former British Army officer who became Deputy Chief of the Defence Staff (Systems).

Nexor Limited is a privately held company based in Nottingham, providing products and services to safeguard government, defence and critical national infrastructure computer systems. It was originally known as X-Tel Services Limited.

The Cyber Security Division (CSD) is a division of the Science and Technology Directorate (S&T Directorate) of the United States Department of Homeland Security (DHS). Within the Homeland Security Advanced Research Projects Agency, CSD develops technologies to enhance the security and resilience of the United States' critical information infrastructure from acts of terrorism. S&T supports DHS component operational and critical infrastructure protections, including the finance, energy, and public utility sectors, as well as the first responder community.

The United Kingdom has a diverse cyber security community, interconnected in a complex network.

The Indian Computer Emergency Response Team is an office within the Ministry of Electronics and Information Technology of the Government of India. It is the nodal agency to deal with cyber security incidents. It strengthens security-related defence of the Indian Internet domain.

The Institution of Analysts and Programmers is a professional body that represents those working in Systems Analysis, Design, Programming and implementation of computer systems both in the United Kingdom and internationally. Established in 1972 it has supported system developers across the world.

BS PAS 754:2014 is a British Standards Institution (BSI) software Publicly Available Specification, published in May 2014. BS PAS 754:2014 was withdrawn following the publication of BS 10754-1:2018 in February 2018.

Ian Bryant is a British academic, engaged in promoting Trustworthy Software and Systems, and in Standardisation.

The National Cyber Security Centre (NCSC) is an organisation of the United Kingdom Government that provides advice and support for the public and private sector in how to avoid computer security threats. It is the UK's National technical authority for cyber threats and Information Assurance Based in London, it became operational in October 2016, and its parent organisation is GCHQ.

Cyber resilience refers to an entity's ability to continuously deliver the intended outcome, despite cyber attacks. Resilience to cyber attacks is essential to IT systems, critical infrastructure, business processes, organizations, societies, and nation-states. A related term is cyberworthiness, which is an assessment of the resilience of a system from cyber attacks. It can be applied to a range of software and hardware elements.

References

↑ Trustworthy Software Foundation, retrieved 2017-04-20
↑ Protecting and promoting the UK in a digital world: 2 years on – Government Press Release, retrieved 12 December 2013
↑ About TSFdn, retrieved 2017-04-20
↑ "Software Engineering", I Sommerville, (9th Edition Feb 2010), ISBN 978-0137053469
↑ CPNI: Security Minded Approach, retrieved 2017-04-20
↑ About TSFdn, retrieved 2017-04-20
↑ About TSFdn, retrieved 2017-04-20

This page is based on this Wikipedia article
Text is available under the CC BY-SA 4.0 license; additional terms may apply.
Images, videos and audio are available under their respective licenses.

[1] Trustworthy Software Foundation, retrieved 2017-04-20

[2] Protecting and promoting the UK in a digital world: 2 years on – Government Press Release, retrieved 12 December 2013

[3] About TSFdn, retrieved 2017-04-20

[4] "Software Engineering", I Sommerville, (9th Edition Feb 2010), ISBN 978-0137053469

[5] CPNI: Security Minded Approach, retrieved 2017-04-20

[6] About TSFdn, retrieved 2017-04-20

[7] About TSFdn, retrieved 2017-04-20

[1]

[2]

[3]

[4]

[5]

[6]

[7]