Defining Software Assurance

The term “software assurance” is often used interchangeably with the term “software security” to refer to the practices of avoiding and detecting unintentional vulnerabilities during the software development process.

In a report published on July 29th, 2009 and entitled “The Software Supply Chain Integrity Framework – Defining Risks and Responsibilities for Securing Software in the Global Supply Chain”, SAFECode (the Software Assurance Forum for Excellence in Code) clearly differentiates software assurance from software security. The report defines software assurance as the combination of:

  • software security (i.e. the practices of avoiding and detecting unintentional vulnerabilities during the software development process),
  • software authenticity (i.e. the ability for customers to confirm that software is not counterfeit), and
  • software integrity (i.e. the software functions as the supplier intended with no malicious software intentionally inserted at a point in the software supply chain).

The industry has communicated broadly about defining and implementing a security development lifecycle process that produces secure software. The SAFECode report outlines additional steps that SAFECode members are taking to insert integrity controls into their product development process and into their broader software supply chain management.

While addressing software security means focusing primarily on software engineering practices, addressing software integrity requires a much broader spectrum of processes and policies beyond software development:

  • Procurement and supplier sourcing
  • Source code and IT environment control
  • Personnel policies
  • Software distribution and maintenance

However, a tight and secure software development process is key to ensuring that these controls are in place throughout the organization.

I encourage all of you to read and download the SAFECode report and to review the software supply chain integrity framework in the context of your organization.

About the Author: Eric Baize

Throughout his career, Eric Baize has been passionate about building security and privacy into systems and technology from design to deployment. He currently leads Dell EMC’s Product Security Office and serves as Chairman of SAFECode, an industry-led non-profit organization dedicated to advancing software and supply chain security best practices. At Dell EMC, Eric leads the team that sets the standards and practices for all aspects of product security for the product portfolio: Vulnerability response, secure development, consistent security architecture, and code integrity. Eric joined Dell through its combination with EMC where he built EMC’s highly successful product security program from the ground up and was a founding member of the leadership team that drove EMC’s acquisition of RSA Security in 2006. He later led RSA’s strategy for cloud and virtualization. Prior to joining EMC in 2002, Eric held various positions for Groupe Bull in Europe and in the US. Eric has been a member of the SAFECode Board of Directors since the organization was founded in 2007 and also serves on the BSIMM Board of Advisors. He holds multiple U.S. patents, has authored international security standards, is a regular speaker at industry conferences and has been quoted in leading print and online news media. Eric holds a Masters of Engineering degree in Computer Science from Ecole Nationale Supérieure des Télécommunications de Bretagne, France and is a Certified Information Security Manager. Follow Eric Baize on Twitter: @ericbaize