Reducing software security risk through an integrated approach

This paper presents joint work by the California Institute of Technology's Jet Propulsion Laboratory and the University of California at Davis (UC Davis) sponsored by the National Aeronautics and Space Administration Goddard Independent Verification and Validation Facility to develop a security assessment instrument for the software development and maintenance life Cycle. Vulnerabilities in operating systems and software applications render an otherwise secure environment insecure. Any operating system or application added to a secure environment that has exploitable security vulnerabilities affects the security of the whole environment. An otherwise secure system can be compromised easily if the system or application software on it, or on a linked system, has vulnerabilities. Therefore, it is critical that software on networked computer systems be free from security vulnerabilities. Security, vulnerabilities in software arise from a number of development factors; but these vulnerabilities can generally be traced to poor software development practices, new modes of attacks, mis-configurations, and unsecured links between systems. A Software security assessment instrument can aid in providing a greater level of assurance that software is not exposed to vulnerabilities as a result of defective software requirements, designs, code or exposures due to code complexity, and integration with other applications that are network aware. This paper presents research on the generation of a software security assessment instrument to aid developers in assessing and assuring the security of software in the development and maintenance lifecycles. The research presented here is available at: http://security.jpl.nasa.gov/rssr.