DoD Developer’s Guidebook for Software Assurance

Dr. William R. Nichols, Jr.
Dr. Thomas Scanlon

December 2018

SPECIAL REPORT
CMU/SEI-2018-SR-013

Software Solutions and CERT Divisions

[DISTRIBUTION STATEMENT A] This material has been approved for public release and unlimited distribution. Please see Copyright notice for non-US Government use and distribution.

Copyright 2018 Carnegie Mellon University. All Rights Reserved.

This material is based upon work funded and supported by the Department of Defense under Contract No. FA8702-15-D-0002 with Carnegie Mellon University for the operation of the Software Engineering Institute, a federally funded research and development center.

The views, opinions, and/or findings contained in this material are those of the author(s) and should not be construed as an official Government position, policy, or decision, unless designated by other documentation.

References herein to any specific commercial product, process, or service by trade name, trade mark, manufacturer, or otherwise, do not necessarily constitute or imply its endorsement, recommendation, or favoring by Carnegie Mellon University or its Software Engineering Institute.

This report was prepared for the SEI Administrative Agent
AFLCMC/AZS
5 Eglin Street
Hanscom AFB, MA 01731-2100

NO WARRANTY. THIS CARNEGIE MELLON UNIVERSITY AND SOFTWARE ENGINEERING INSTITUTE MATERIAL IS FURNISHED ON AN "AS-IS" BASIS. CARNEGIE MELLON UNIVERSITY MAKES NO WARRANTIES OF ANY KIND, EITHER EXPRESSED OR IMPLIED, AS TO ANY MATTER INCLUDING, BUT NOT LIMITED TO, WARRANTY OF FITNESS FOR PURPOSE OR MERCHANTABILITY, EXCLUSIVITY, OR RESULTS OBTAINED FROM USE OF THE MATERIAL. CARNEGIE MELLON UNIVERSITY DOES NOT MAKE ANY WARRANTY OF ANY KIND WITH RESPECT TO FREEDOM FROM PATENT, TRADEMARK, OR COPYRIGHT INFRINGEMENT.

[DISTRIBUTION STATEMENT A] This material has been approved for public release and unlimited distribution. Please see Copyright notice for non-US Government use and distribution.

Internal use:* Permission to reproduce this material and to prepare derivative works from this material for internal use is granted, provided the copyright and "No Warranty" statements are included with all reproductions and derivative works.

External use:* This material may be reproduced in its entirety, without modification, and freely distributed in written or electronic form without requesting formal permission. Permission is required for any other external and/or commercial use. Requests for permission should be directed to the Software Engineering Institute at permission@sei.cmu.edu.

* These restrictions do not apply to U.S. government entities.

DM18-1005

CMU/SEI-2018-SR-013 | SOFTWARE ENGINEERING INSTITUTE | CARNEGIE MELLON UNIVERSITY [DISTRIBUTION STATEMENT A] Approved for public release and unlimited distribution.

Table of Contents

Executive Summary ... v
Abstract ... vii
1 Introduction ... 1
  1.1 Using This Guidebook ... 1
  1.2 Defining Software Assurance ... 1
  1.3 DoD Software Assurance Requirements ... 2
  1.4 Software Assurance Resources ... 2
2 Software Assurance Concepts ... 3
  2.1 Overview of Security Attributes and Exploits ... 3
  2.2 Principles of Software Assurance ... 3
  2.3 Lifecycle Assurance ... 5
    2.3.1 Lifecycle Stages and Processes ... 5
    2.3.2 Lifecycle Assurance Resources ... 8
  2.4 Secure Practices Across the Lifecycle ... 8
    2.4.1 Lifecycle Costs for Software Assurance ... 9
3 Quick-Start Guide to Assurance, by Lifecycle Phase ... 13
  3.1 Stakeholder Requirements Definition ... 13
  3.2 Requirements Analysis ... 14
  3.3 Architectural Design ... 14
  3.4 Implementation ... 14
  3.5 Integration ... 15
    3.5.1 If Source Code Is Available ... 15
    3.5.2 If Source Code Is Not Available ... 16
  3.6 Verification Process ... 16
  3.7 Transition Process ... 17
    3.7.1 If Developers Perform the Transition ... 17
    3.7.2 If Developers Do Not Perform the Transition ... 17
  3.8 Validation Process ... 17
  3.9 Operation Process ... 18
  3.10 Maintenance Process ... 18
  3.11 Communicating Software Security Assurance ... 19
4 Measuring Software Assurance ... 21
  4.1 Software Security Measurement ... 22
  4.2 Short List of Basic Security Metrics ... 23
    4.2.1 Product Metrics ... 23
    4.2.2 Responsiveness ... 24
    4.2.3 Process Effort Metrics ... 24
    4.2.4 Effectiveness ... 24
    4.2.5 Test Metrics ... 24
  4.3 Measurement Resources ... 25
5 Guide to the State-of-the-Art Report (SOAR) ... 26
  5.1 Chapter Summaries ... 26
  5.2 The SOAR Tool Selection Process: A Top-Down Approach ... 31
    5.2.1 Overview ... 31
    5.2.2 How to Implement the SOAR Process ... 31

    5.2.3 Steps for Selecting Tools ... 33
6 Building a Secure Development Process: A Bottom-Up Approach ... 36
  6.1 Contextual Factors ... 36
  6.2 General Recommendations ... 37
  6.3 The Selection Process ... 40
    6.3.1 Select Development-Stage-Specific Tools ... 41
    6.3.2 Special Lifecycle Considerations ... 48
  6.4 Getting Started with Secure Development ... 50
    6.4.1 Tool Type Factors Summary ... 53
    6.4.2 Considerations for Selecting Specific Tools ... 53
7 Analyzing and Responding to Software Assurance Findings ... 54
  7.1 Introduction to Risk ... 54
  7.2 The Mission Thread ... 54
  7.3 CONOPS ... 54
  7.4 Risk Analysis ... 55
  7.5 Controlling the Risk ... 56
8 Software Assurance During Sustainment ... 57
  8.1 Preparing for Sustainment ... 57
  8.2 Steps for Assurance in Sustainment ... 57
  8.3 Evolving the Threat Model ... 59
    8.3.1 Finding and Fixing Vulnerabilities ... 59
    8.3.2 Tool Considerations in Sustainment ... 59
    8.3.3 Maintaining the Processes from Development ... 59
9 Software Assurance Considerations for Acquisition ... 60
  9.1 Security Requirements in Acquisition ... 60
  9.2 Development Tools and Techniques ... 60
  9.3 Origin Analysis Tools ... 60
  9.4 Verification and Validation Tools ... 61
  9.5 Addressing Vulnerabilities, Defects, and Failures ... 61
  9.6 Additional Acquisition Resources ... 61
Appendix A: Regulatory Background ... 62
Appendix B: Resources ... 65
Appendix C: Tools, Techniques, and Countermeasures Throughout the Lifecycle ... 67
Appendix D: Technical Objectives ... 70
Appendix E: Tool Type Summary ... 79
Appendix F: Project Context Questionnaire ... 80
Appendix G: Acronyms and Abbreviations ... 90
Appendix H: Glossary ... 92
References ... 94

List of Figures

Figure 1: DoD Lifecycle Stages ... 5
Figure 2: Software Assurance Practices Applied Throughout the Development Lifecycle ... 6
Figure 3: Cyclic View of the Software Development Cycle ... 7
Figure 4: Example of Overlapping Vulnerabilities and Defects ... 9
Figure 5: Security and Safety-Critical Defect Density vs. Overall Defect Density ... 10
Figure 6: Ratios of Vulnerability Density to Overall Defect Density ... 11
Figure 7: Tank and Filter Injection and Removal Mode ... 11
Figure 8: Total Cost of Defect Removal Across Development Phases ... 12
Figure 9: Venn Diagram of Verification and Validation Activities ... 16
Figure 10: Software Assurance for DoD Systems ... 32
Figure 11: Layers of Security ... 38
Figure 12: Conceptual View - Software Assurance Mission Success ... 55
