In today's digital age, software protects our nation's critical infrastructure, defense systems, and national security assets. The increasing reliance on open-source software, the growing complexity of software systems, and a constantly evolving threat landscape pose significant challenges to ensuring software security and reliability.
The Software Assurance Community of Practice (SwA CoP)
The SwA CoP, an interagency group founded in 2012, unites technology change agents from Government seeking to foster collaboration and share knowledge, best practices, and resources that ensure our software systems' reliability, integrity, and security.
Now comprised of over 300 members from across the Department of Defense (DoD), National Security Agency (NSA), National Nuclear Security Administration (NNSA), the Department of Homeland Security (DHS), and other federal agencies, the SwA CoP brings together subject matter experts every quarter to develop best practices and standards, exchange research and development efforts, and provide guidance on strategies for defense, federal civilian, and critical infrastructure systems.
The SwA CoP focuses on myriad topics, such as open-source software and artificial intelligence, which can be leveraged for organizational efficiency but also introduce novel security risks throughout the software and technology life cycle. This cross-agency information sharing enables experts to continue developing, disseminating, and securing the tools and technologies that play a vital role in mitigating or preventing the effects of cybercrimes and cyberattacks against our country.
A Fireside Chat
On December 5th, 2024, the SwA CoP leadership engaged in meaningful discussions about the essential role of software assurance in national security. The event, titled "From Code to Confidence: The Role of Software Assurance in National Security," unfolded at the U.S. Department of Energy's Forrestal Building. This event aimed to tackle the challenges posed by our increasing reliance on open-source software, the complexity of software systems, and the dynamic threat landscape ahead.
Thought Leaders
The fireside chat featured a lineup of esteemed speakers who shared their expertise and insights on the importance of software assurance in national security.
- Ed Jakes, Director of Nuclear Enterprise Assurance at the National Nuclear Security Administration, discussed the role of software assurance in ensuring the reliability and security of nuclear weapons and defense systems.
- Donald Coulter, Senior Science Advisor for Cybersecurity in the Science and Technology Directorate of the U.S. Department of Homeland Security, highlighted the importance of software assurance in preventing cyber-attacks and protecting critical infrastructure.
- Bradley Lanford, Director of Software Assurance at the Office of the Under Secretary of Defense for Research and Engineering, emphasized the need for a comprehensive approach to software assurance, including automation, artificial intelligence, and machine learning.
- Carol Lee, Chief of the Center for Assured Software at the National Security Agency, discussed the Center's role in developing and implementing software assurance standards and best practices.
Key Themes
The event focused on four key themes that are critical to ensuring the safety and security of our nation's critical infrastructure, defense systems, and national security assets:
- Securing the Open-Source Software Ecosystem: The open-source software (OSS) ecosystem is a community-driven approach to software development, where software is freely available and modifiable by anyone. OSS is characterized by open-source licensing, peer review, and collaboration, which enables transparency, customization, and cost-effectiveness. The OSS ecosystem has benefits such as increased innovation, faster development, and improved security, but it also presents challenges like inconsistent quality and security risks. The increasing reliance on open-source software presents considerable difficulties to software assurance. The event underscored the critical need to secure the open-source software ecosystem and to adopt secure design principles, thereby mitigating the risks of cyberattacks and safeguarding against data breaches.
- Secure By Design. A software development approach that prioritizes security from the outset, integrating security considerations into every stage of the development process to ensure that software is designed and built with security in mind from the very beginning. This approach involves identifying and mitigating potential security risks and vulnerabilities early on, rather than trying to add security measures as an afterthought, to create inherently secure and resilient software. The event highlighted the importance of integrating secure-by-design principles in software development. By doing so, developers can enhance the reliability and integrity of software systems, ultimately ensuring that stronger security measures are in place.
- Software Assurance: Software assurance evaluates the software development process and product to ensure it meets required standards, regulations, and quality attributes. It involves risk analysis, testing, verification, and validation to ensure the software is reliable, secure, and meets user needs. Software assurance is essential to reduce the risk of software failures, improve quality, and increase user confidence, ultimately reducing the cost of software maintenance and support. The event emphasized the critical role of software assurance in safeguarding our nation's critical infrastructure, defense systems, and national security assets. It explored the latest technologies, threats, strategies, and policies related to software assurance.
- Technologies, Threats, Strategies, and Policies. Secure coding practices, threat modeling, and vulnerability scanning underpin software assurance by providing the tools and techniques necessary to identify and mitigate security risks. Threats such as cyber-attacks, data breaches, and insider threats drive the need for software assurance, as they can compromise software systems' confidentiality, integrity, and availability. Strategies such as risk-based testing, secure development life cycles, continuous monitoring, and policies such as compliance with regulatory requirements and industry standards help ensure that software is developed and maintained with security in mind, ultimately supporting software assurance. The event spotlighted new technologies, threats, strategies, and policies related to software assurance, emphasizing the need to stay informed about advancements in the field.
Buzzword Bingo
- Systems Security Engineering combines systems engineering and security engineering to create and maintain secure systems. It considers security across the system's entire lifecycle, from the initial idea to disposal. This approach addresses security needs and potential threats during all stages of development and operation.
- Hierarchical Software Quality Assurance (HSQA) is a method for ensuring software quality. It uses a structured approach that describes specific roles, responsibilities, and steps for quality assurance. This framework operates at multiple levels within the organization.
- Software Assurance reflects a process that ensures the quality, reliability, and security of software products or systems. It involves activities and techniques that verify and validate the software's design, development, testing, and maintenance to ensure it meets the required standards, regulations, and customer expectations while preventing defects, vulnerabilities, and errors from occurring during the software development lifecycle.
- Secure By Design is a principle based on the idea that security is not just a technical issue but also a business and organizational issue. It recognizes that security is a critical aspect of software development and that it requires a comprehensive and integrated approach that involves all stakeholders, from developers to customers.
Parting Shots
- Trustworthy Software is Critical to National Security and Critical Infrastructure. National security relies on the reliable and secure operation of critical infrastructure, such as power grids, water treatment facilities, and financial systems. Software assurance ensures that the software used in these systems is trustworthy, reliable, and secure, reducing the risk of disruptions, outages, and other malicious activity that could compromise national security. By protecting critical infrastructure, software assurance helps to safeguard national security and promote national interests.
- Software Assurance Protects Against Adversarial Threats to National Security and Critical Infrastructure. Adversarial threats, including nation-state-sponsored cyber attacks, insider threats, and other malicious activity, pose a significant risk to national security and critical infrastructure. Software assurance helps to identify and mitigate these threats by ensuring that software is designed and developed with security in mind and that vulnerabilities are identified and fixed before they can be exploited. By doing so, software assurance helps to protect against the theft of sensitive information, disruption of critical services, and other forms of malicious activity that could compromise national security.
- Software Assurance Supports National Security Decision-Making and Critical Infrastructure Resilience. National security decision-makers rely on accurate and reliable information to make informed decisions. Software assurance ensures that software systems are reliable, precise, and trustworthy, providing decision-makers with the confidence they need to make informed decisions. Additionally, software assurance helps to ensure that critical infrastructure can quickly recover and resume operations in the event of a disruption or attack, reducing the risk of prolonged outages and disruptions that could compromise national security. By supporting national security decision-making and critical infrastructure resilience, software assurance plays a crucial role in protecting national security and promoting national interests.
#opensourcesoftware #softwareassurance #systemssecurityengineering #securebydesign
Pete Tseronis is the Founder and CEO of Dots and Bridges LLC, a two-time Cabinet-level CTO, a Villanova University and Johns Hopkins University Alumnus, a Forbes Business Council Member, and a Bourbon Steward.
Open source zero trust networking
(3 months ago) I believe Secure By Design, Systems Security Engineering, and Technologies come together when we build zero trust networking directly into our code/SDLC, so that we can connect software, apps and users, while the apps are unattackable via conventional IP-based tooling & all conventional network threats are immediately useless. This is achieved by embedding zero trust networking into the application as part of the software development lifecycle so that they have no listening ports on the host OS network, LAN, WAN. ZTN in the app ensures no need for VPNs, NAC, L4 load balancers, complex FW rules or inbound FW ports, no public DNS, bastions, and more. This is far easier for Ops, while Devs can focus on delivering innovation. App embedded ZTN makes it quicker and easier to develop secure, distributed apps and these apps inherently have many security features: PKI, authenticate-before-connect, mTLS and E2E encryption, outbound tunnelling, private DNS, posture checks, microsegmentation, least-privilege, a smart routing fabric, endpoints for all popular OSs, SDKs, public sharing, clientless endpoints, and more, completely for free. An example of app embedded zero trust capabilities is open source OpenZiti - https://openziti.io/.
Bridging Science, Strategy, Data, and Security
(3 months ago) Great seminar, thank you!