The term “software assurance” is often used interchangeably with the term “software security” to refer to the practices of avoiding and detecting unintentional vulnerabilities during the software development process.
In a report published on July 29th, 2009 and entitled “The Software Supply Chain Integrity Framework – Defining Risks and Responsibilities for Securing Software in the Global Supply Chain”, SAFECode, The Software Assurance Forum for Excellence in Code, clearly differentiates software assurance from software security. It defines software assurance as the combination of:
- software security (i.e. the practices of avoiding and detecting unintentional vulnerabilities during the software development process),
- software authenticity (i.e. the ability for customers to confirm that software is not counterfeit), and
- software integrity (i.e. the software functions as the supplier intended with no malicious software intentionally inserted at a point in the software supply chain).
The industry has communicated broadly about defining and implementing a security development lifecycle process that produces secure software. The SAFECode report outlines the additional steps that SAFECode members are taking to insert integrity controls into their product development process and their broader software supply chain management.
While addressing software security means focusing primarily on software engineering practices, addressing software integrity requires a much broader spectrum of processes and policies that extend beyond software development:
- Procurement and supplier sourcing
- Source code and IT environment control
- Personnel policies
- Software distribution and maintenance
However, a tight and secure software development process is key to ensuring that these controls are in place throughout the organization.
I encourage all of you to read and download the SAFECode report and to review the software supply chain integrity framework in the context of your organization.