24 May 2011

Secure Software Engineering Initiatives

The European Network and Information Security Agency (ENISA) has published a summary of Secure Software Engineering (SSE) Initiatives.

The contents page of ENISA's report on Secure Software Engineering (SSE) Initiatives:

  EXECUTIVE SUMMARY
  1. INTERNATIONAL SSE INITIATIVES
    1.1. Open Web Application Security Project (OWASP)
    1.2. Common Criteria (CC)
    1.3. IEEE Computer Society (CS)
    1.4. International Organisation for Standardisation (ISO)
    1.5. International Society of Automation (ISA)
    1.6. Software Assurance Forum for Excellence in Code (SAFECode)
    1.7. SANS Software Security Institute (SSI)
    1.8. Web Application Security Consortium (WASC)
    1.9. Institute for Software Quality (IfSQ)
    1.10. Mobile Device-Oriented
    1.11. Life Cycle and Maturity Models
    1.12. Events and Periodicals
    1.13. Certification
    1.14. Training Courses
  2. EUROPEAN SSE INITIATIVES
    2.1. Networked European Software and Services Initiative (NESSI)
    2.2. OWASP Local Chapters
    2.3. Motor Industry Software Reliability Association (MISRA)
    2.4. European Space Agency (ESA)
    2.5. Serenity Forum
    2.6. Events and Periodicals
    2.7. Certifications
    2.8. Academic Education
  3. SSE INITIATIVES IN THE US
    3.1. CERT Secure Coding
    3.2. Build Security In
    3.3. Software Assurance Metrics and Tool Evaluation (SAMATE)
    3.4. Common Weakness Enumeration (CWE)
    3.5. Common Attack Pattern Enumeration and Classification (CAPEC)

The report compiles a list of existing Secure Software Engineering initiatives focused on finding and preventing software vulnerabilities. ENISA sees software vulnerabilities as a growing problem in cyber security, and this report is its first step towards addressing them. The report lists 80 initiatives in the areas of:

  • Requirements engineering
  • Procurement criteria for secure software
  • Risk-based development
  • Security in agile methods
  • Policy frameworks for web access control
  • Security testing methodologies and code reviewing
  • Patch and update management

This will be a very useful reference point for other agencies, and for anyone involved with building security into the software development life cycle (secure SDLC). If anything is missing, ENISA would like to know. The report notes that they found no government-driven SSE initiatives in the EU.

The project's manager Vangelis Stavropoulos and other ENISA representatives are holding a special workshop session, "Global Secure Software Initiatives - Beyond Awareness", with OWASP to discuss this initiative with industry professionals at AppSec Europe 2011 on Thursday 9th June at Trinity College, Dublin. The session will focus on how to achieve the implementation of existing secure software development knowledge, and on the role that governments can play in supporting these activities.

Also at AppSec EU this year, the OWASP Global Industry Committee is hosting three outreach sessions on Friday 10th June. Nishi Kumar will be presenting "Security for Managers and Executives" to highlight the OWASP documentation, training, architecture, tools and infrastructure that are available. Rex Booth will be discussing, and seeking feedback on, the upcoming "CISO Survey" to maximise its benefit to CISOs and their peers. Joe Bernik and Sarah Baso are holding an "Industry Outreach Roundtable", a forum to discuss how OWASP can give value to all industry sectors, what the impediments are, and what could be changed to help.

Posted on: 24 May 2011 at 08:30 hrs


Comments


SOFTWARE SECURITY ASSURANCE - a far more extensive survey of global SSE initiatives - has been available for the past three years from the U.S. Defense Technical Information Center's Information Assurance Technology Analysis Center and Data and Analysis Center for Software. Indeed, it's hard to believe that the ENISA researchers did NOT at least review SOFTWARE SECURITY ASSURANCE when compiling their own report. However, as they do not appear to have included ANY references, it's difficult to say whether they simply referred to the report without feeling the need to acknowledge using it, or if they truly did all their own research from scratch (e.g., using Google), or if they just aren't in the practice of citing their references.

http://iac.dtic.mil/iatac/download/security.pdf

Comment 1, added by K.M. Goertzel, posted on 20 June 2011 at 15:30 hrs

That is indeed a good source.

Comment 2, added by Clerkendweller, posted on 21 June 2011 at 21:16 hrs
http://www.clerkendweller.com/2011/5/24/Secure-Software-Engineering-Initiatives

© 2011-2012 clerkendweller.com