Trustworthy Software Foundation

Last updated

The Trustworthy Software Foundation
TypeNot For Profit Foundation
FocusSoftware Development
  • London, United Kingdom
OriginsTrustworthy Software Initiative (TSI)
Area served
MethodStandards and their Verification
Key people
Alastair Revell (Chairman)

The Trustworthy Software Foundation (TSFdn) [1] is a UK not-for-profit organisation, with stated aim of improving software.[ citation needed ]



TSFdn evolved from a number of previous activities:


TSFdn primarily aims to provide a living backbone for signposting to diverse but often obscure sources of Good Practice, with a secondary objective to address other aspects of the 2009 Trustworthy Software Roadmap. [3]


TSI considers that there are five facets of trustworthiness:

This definition of trustworthiness is an extension of a widely used definition of dependability, [4] adding as a 5th Facet of Resilience based on the UK Government approach. [5]

Governance and Operation

TSFdn operates as a not-for-profit Company Limited by Guarantee, jointly owned by the subscriber organisations – UK professional bodies. [6]

It is based at the Cyber Security Centre of the University of Warwick, and is formally linked to a cross section of stakeholders through the Advisory Committee on Trustworthy Software (ACTS).

The Technical Lead remains Ian Bryant, the Technical Director of the predecessor TSI, and the Chair of the ACTS is Sir Edmund Burton KBE, [7] who was the President of the predecessor TSI.


Related Research Articles

Software Engineering Institute

The Software Engineering Institute (SEI) is an American research and development center headquartered in Pittsburgh, Pennsylvania. Its activities cover cybersecurity, software assurance, software engineering and acquisition, and component capabilities critical to the Department of Defense.

Security Degree of resistance to, or protection from, harm

Security is freedom from, or resilience against, potential harm caused by others. Beneficiaries of security may be of persons and social groups, objects and institutions, ecosystems or any other entity or phenomenon vulnerable to unwanted change.

In systems engineering, dependability is a measure of a system's availability, reliability, maintainability, and in some cases, other characteristics such as durability, safety and security. In real-time computing, dependability is the ability to provide services that can be trusted within a time-period. The service guarantees must hold even when the system is subject to attacks or natural failures.

Secure by design Software engineering approach, in which the alternate security strategies, tactics and patterns are first evaluated; among them, the best are selected and enforced by the architecture design, and then used as guiding principles for developers

Secure by design, in software engineering, means that software products and capabilities have been designed to be foundationally secure.

Software assurance (SwA) is defined as "the level of confidence that software is free from vulnerabilities, either intentionally designed into the software or accidentally inserted at any time during its lifecycle, and that the software functions in the intended manner."

Cybersecurity standards Technology standards and techniques generally set forth in published materials that attempt to protect the cyber environment of a user or organization

Cybersecurity standards are techniques generally set forth in published materials that attempt to protect the cyber environment of a user or organization. This environment includes users themselves, networks, devices, all software, processes, information in storage or transit, applications, services, and systems that can be connected directly or indirectly to networks.

The Information Trust Institute (ITI) was founded in 2004 as an interdisciplinary unit designed to approach information security research from a systems perspective. It examines information security by looking at what makes machines, applications, and users trustworthy. Its mission is to create computer systems, software, and networks that society can depend on to be trustworthy, meaning secure, dependable, correct, safe, private, and survivable. ITI's stated goal is to create a new paradigm for designing trustworthy systems from the ground up and validating systems that are intended to be trustworthy.

Centre for the Protection of National Infrastructure (CPNI) is the United Kingdom government authority which provides protective security advice to businesses and organisations across the national infrastructure.

In our modern society, computerized or digital control systems have been used to reliably automate many of the industrial operations that we take for granted, from the power plant to the automobiles we drive. However, the complexity of these systems and how the designers integrate them, the roles and responsibilities of the humans that interact with the systems, and the cyber security of these highly networked systems have led to a new paradigm in research philosophy for next-generation control systems. Resilient Control Systems consider all of these elements and those disciplines that contribute to a more effective design, such as cognitive psychology, computer science, and control engineering to develop interdisciplinary solutions. These solutions consider things such as how to tailor the control system operating displays to best enable the user to make an accurate and reproducible response, how to design in cybersecurity protections such that the system defends itself from attack by changing its behaviors, and how to better integrate widely distributed computer control systems to prevent cascading failures that result in disruptions to critical industrial operations. In the context of cyber-physical systems, resilient control systems are an aspect that focuses on the unique interdependencies of a control system, as compared to information technology computer systems and networks, due to its importance in operating our critical industrial operations.


Nexor Limited is a privately held company based in Nottingham, providing product and services to safeguard government, defence and critical national infrastructure computer systems. It was originally known as X-Tel Services Limited.

DHS Cyber Security Division

The Cyber Security Division (CSD) is a division of the Science and Technology Directorate of the United States Department of Homeland Security (DHS). Within the Homeland Security Advanced Research Projects Agency, CSD develops technologies to enhance the security and resilience of the United States' critical information infrastructure from acts of terrorism. S&T supports DHS component operational and critical infrastructure protections, including the finance, energy, and public utility sectors, as well as the first responder community.

The cyber security community in the United Kingdom is diverse, with many stakeholders groups contributing to support the UK Cyber Security Strategy. The following is a list of some of these stakeholders.

The Institution of Analysts and Programmers is a professional body that represents those working in Systems Analysis, Design, Programming and implementation of computer systems both in the United Kingdom and internationally. Established in 1972 it has supported system developers across the world.

BS PAS 754:2014 is a British Standards Institution (BSI) software Publicly Available Specification, published in May 2014. BS PAS 754:2014 was withdrawn following the publication of BS 10754-1:2018 in February 2018.

Ian Bryant (academic) British computer scientist

Ian Bryant is a British academic, engaged in promoting Trustworthy Software, and in Standardisation.

Egress Software Technologies Ltd is a UK-based software company. It provides a range of data security services designed to protect shared information throughout its lifecycle, offering on-demand security for organisations and individuals sharing confidential information electronically.

The National Cyber Security Centre (NCSC) is an organisation of the United Kingdom Government that provides advice and support for the public and private sector in how to avoid computer security threats. Based in London, it became operational in October 2016, and its parent organisation is GCHQ.

Cyber resilience refers to an entity's ability to continuously deliver the intended outcome, despite adverse cyber events.

Software development security

Security, as part of the software development process, is an ongoing process involving people and practices, and ensures application confidentiality, integrity, and availability. Secure software is the result of security aware software development processes where security is built in and thus software is developed with security in mind.

Code Dx refers to both a software company and its flagship product, a vulnerability management system that combines and correlates the results generated by a wide variety of static and dynamic testing tools.


  1. Trustworthy Software Foundation, retrieved 2017-04-20
  2. Protecting and promoting the UK in a digital world: 2 years on – Government Press Release, retrieved 12 December 2013
  3. About TSFdn, retrieved 2017-04-20
  4. "Software Engineering", I Sommerville, (9th Edition Feb 2010), ISBN   978-0137053469
  5. CPNI: Security Minded Approach, retrieved 2017-04-20
  6. About TSFdn, retrieved 2017-04-20
  7. About TSFdn, retrieved 2017-04-20