Software Security Assurance

What is Software Security Assurance?

Software Security Assurance (SSA) is the process of ensuring that software is designed to operate at a level of security that is consistent with the potential harm that could result from the loss, inaccuracy, alteration, unavailability, or misuse of the data and resources that it uses, controls, and protects.

The Software Security Assurance process begins by identifying and categorizing the information that is to be contained in, or used by, the software. The information should be categorized according to its sensitivity. For example, in the lowest category, the impact of a security violation is minimal (i.e. the impact on the software owner's mission, functions, or reputation is negligible). For a top category, however, the impact may pose a threat to human life; may have an irreparable impact on software owner's missions, functions, image, or reputation; or may result in the loss of significant assets or resources.

Once the information is categorized, security requirements can be developed. The security requirements should address access control, including network access and physical access; data management and data access; environmental controls (power, air conditioning, etc.) and off-line storage; human resource security; and audit trails and usage records.

What Causes Software Security Problems?

Security problems related to software are usually caused by one of two reasons:

   1. Non-conformance, or a failure to satisfy requirements

   2. An error or omission in the software requirements

Non-conformance, or Failure to Satisfy Requirements

A non-conformance may be simple; the most common is a coding error or defect, or more complex (i.e., a subtle timing error or input validation error). The important point about non-conformances is that verification and validation techniques are designed to detect them and security assurance techniques are designed to prevent them. Improvements in these methods through a software security assurance program can improve the security of software.

Errors or Omissions in Requirements

The most serious security problems with software-based systems are those that develop when the software requirements are incorrect, inappropriate, or incomplete for the system situation.

Unfortunately, errors or omissions in requirements are more difficult to identify. For example, the software may perform exactly as required, but the requirements do not correctly deal with some system state. When the system enters the undefined state, unexpected and undesirable behavior may result.

This type of problem cannot be handled within the software discipline; it results from a failure of the system and software engineering processes which developed and allocated the system requirements to the software.

Copyright 2008 - France BtoB from Wikipédia