Building Trust in the Security of Software
CONTENTS
1 Can You Trust Software .......... 3
1.1 Can Software be Certified Secure? .......... 3
1.2 Some Help: ISO 5055:2021 .......... 3
2 Trusting the Process .......... 4
2.1 Process Standards .......... 4
2.2 Maturity Models .......... 6
2.3 Compliance Syndrome and Culture .......... 7
3 Trusting the Developers .......... 8
4 Trusting the Software .......... 9
5 Conclusion .......... 11
6 References .......... 11
7 Acknowledgements .......... 13
Annex A .......... 13
A.1 Common Weakness Enumeration Repository .......... 13
Annex B .......... 14
B.1 Appmarq Repository .......... 14
B.2 CRASH Reports .......... 14
TABLES
Table 2-1: Opportunities to use ISO/IEC 5055 in the context of NIST's Cybersecurity Framework .......... 6
Table 2-2: Maturity level growth to improve the delivery of secure products .......... 6
Table 4-1: Descriptive statistics for security weaknesses per KLOC by language .......... 10
Table 4-2: Comparison of security weaknesses per KLOC for differences in shore and source by language .......... 11
2 May 2025