DETROIT – If you don't know about Software Assurance yet, you will. The National Strategy to Secure Cyberspace mandates that the Department of Homeland Security must "Facilitate a national public-private effort to promulgate best practices and methodologies that promote integrity, security, and reliability in software code development, including processes and procedures that diminish the possibilities of erroneous code, malicious code, or trap doors that could be introduced during development."

The national Software Assurance Program is the initiative that will ensure that this is being practiced in every business organization in the United States.

The goal of Software Assurance is to eliminate exploitable vulnerabilities in code. The task of identifying and fixing those vulnerabilities has been compared to "finding a needle in a haystack". In fact the more accurate analogy might be "finding a particular piece of hay in a haystack", since it is almost impossible to tell the difference between insecure code and secure code in a properly running system. The tendency for businesses to develop large, complex software systems through global outsourcing and over un-vetted supply chains only complicates the problem.

However the stakes are incredibly high. Since most of our critical infrastructure is run by software controls and our business and national defense is almost completely dependent on software, a serious attack by a determined enemy could easily produce another 9/11-style disaster. As such, DHS has put together a broad scale initiative that involves the private sector, academia, and other government agencies.

Its aim is to develop a comprehensive set of procedures to ensure secure practice for all people, process and technology throughout the lifecycle. The outcome will be an enhanced ability to develop and deploy software that is: trustworthy (no exploitable vulnerabilities exist, either maliciously or unintentionally inserted), predictable (justifiable confidence that software, when executed, functions in a manner in which it is intended), and conformant (systematic, multi-disciplinary practices to ensure that software processes and products conform to requirements, and applicable standards or procedures).

The primary mechanism for communicating this is the SwA Common Body of Knowledge (CBK). This CBK will continue to evolve and provide practical guidance to software developers, architects, and educators on how to improve the quality, reliability, and security of software. It also provides a framework to identify workforce needs for competencies, leverage "best practices," and guide curriculum development for Software Assurance education and training.

Faculty from the University of Detroit Mercy have participated in the production of this CBK from the beginning and they are currently involved in an effort to roll it out in the State of Michigan. This is being done through the auspices of the newly formed International Cyber-Security Education Coalition (IC-SEC). IC-SEC is jointly sponsored by both the National Security Agency and the Department of Homeland Security.

It is a coalition of seven community college districts in Michigan and Ohio and the two university Centers of Academic Excellence in Michigan (UDM and EMU). The aim is to establish and administer targeted training and education programs that will make this new knowledge available to any organization within the State.

In conjunction with this initiative, Joe Jarzombek, who is the DHS National Director for Software Assurance came to town to kick off the program for the IC-SEC membership. His presentation focused on the need to retool present academic curricula to incorporate the minimum responsible practice that could be expected for proper secure acquisition, development and sustainment activity.

The Software Assurance Body of Knowledge (SWABOK) was distributed to the IC-SEC participant schools, which were briefed on how they could contribute to DHS software assurance initiatives. If you want additional information about this initiative or about IC-SEC, contact [email protected]

This column was written by Dan Shoemaker, Ph.D., Director, Centre for Assurance Studies, University of Detroit Mercy.