SwA in Education, Training & Certification - US-Cert
SwA in Education, Training & Certification - US-Cert
SwA in Education, Training & Certification - US-Cert
Create successful ePaper yourself
Turn your PDF publications into a flip-book with our unique Google optimized e-Paper software.
The Case for Software Assurance <strong>Education</strong><br />
Software assurance has become critical because dramatic <strong>in</strong>creases <strong>in</strong> bus<strong>in</strong>ess and mission risks are now attributable<br />
to exploitable software.<br />
» Software size and complexity obscures <strong>in</strong>tent and precludes exhaustive test<strong>in</strong>g.<br />
» Outsourc<strong>in</strong>g and use of un-vetted software supply cha<strong>in</strong>s <strong>in</strong>creases risk.<br />
» Attack sophistication now eases exploitation.<br />
These factors contribute to the <strong>in</strong>crease of risks to software-enabled capabilities and the threat of asymmetric attack. A<br />
broad range of stakeholders now need confidence that the software which enables their core bus<strong>in</strong>ess operations can<br />
be trusted to perform (even under attempted exploitation).<br />
In their report to the President, <strong>in</strong> the chapter entitled “Software Is a Major Vulnerability”, the President‟s Information<br />
Technology Advisory Committee (PITAC) summed up the problem of non-secure software concisely and accurately:<br />
“Network connectivity provides “door-to-door” transportation for attackers, but vulnerabilities <strong>in</strong> the software<br />
resid<strong>in</strong>g <strong>in</strong> computers substantially compound the cyber security problem. As the PITAC noted <strong>in</strong> a 1999 report,<br />
the software development methods that have been the norm fail to provide the high quality, reliable, and secure<br />
software that the Information Technology <strong>in</strong>frastructure requires.<br />
Software development is not yet a science or a rigorous discipl<strong>in</strong>e, and the development process by and large is<br />
not controlled to m<strong>in</strong>imize the vulnerabilities that attackers exploit. Today, as with cancer, vulnerable software can<br />
be <strong>in</strong>vaded and modified to cause damage to previously healthy software, and <strong>in</strong>fected software can replicate<br />
itself and be carried across networks to cause damage <strong>in</strong> other systems. Like cancer, these damag<strong>in</strong>g processes<br />
may be <strong>in</strong>visible to the lay person even though experts recognize that their threat is grow<strong>in</strong>g. And as <strong>in</strong> cancer,<br />
both preventive actions and research are critical, the former to m<strong>in</strong>imize damage today and the latter to establish a<br />
foundation of knowledge and capabilities that will assist the cyber security professionals of tomorrow reduce risk<br />
and m<strong>in</strong>imize damage for the long term.<br />
Vulnerabilities <strong>in</strong> software that are <strong>in</strong>troduced by mistake or poor practices are a serious problem today. In the<br />
future, the Nation may face an even more challeng<strong>in</strong>g problem as adversaries - both foreign and domestic –<br />
become <strong>in</strong>creas<strong>in</strong>gly sophisticated <strong>in</strong> their ability to <strong>in</strong>sert malicious code <strong>in</strong>to critical software.”<br />
It is clear that to produce, acquire, and susta<strong>in</strong> secure software, a framework that identifies workforce needs for<br />
competencies, leverages sound practices, and guides curriculum development for education and tra<strong>in</strong><strong>in</strong>g relevant to<br />
software assurance is <strong>in</strong>evitable. Because software quality assurance and software eng<strong>in</strong>eer<strong>in</strong>g have evolved bodies<br />
of knowledge that do not explicitly address security as a quality attribute, a workforce education and tra<strong>in</strong><strong>in</strong>g framework<br />
must also identify the <strong>in</strong>tegration po<strong>in</strong>t of secure software development techniques and practices <strong>in</strong> the exist<strong>in</strong>g<br />
programs nationwide.<br />
Resources<br />
» President‟s Information Technology Advisory Committee (PITAC) Report, Cyber Security: A Crisis<br />
of Prioritization, February 2005<br />
Software Assurance Pocket Guide Series:<br />
Life Cycle Support, Volume I – Version 2.2, Mar 16, 2011<br />
Software Assurance <strong>in</strong> <strong>Education</strong>, Tra<strong>in</strong><strong>in</strong>g & <strong><strong>Cert</strong>ification</strong><br />
5