Building Trust in the Security of Software
1 CAN YOU TRUST SOFTWARE
1.1 CAN SOFTWARE BE CERTIFIED SECURE?
News outlets and the trade press report almost daily on breaches of software-intensive systems. Occasionally these tragic events have price tags running into nine digits (denominated in dollars or Euros). For instance, the Equifax data breach in 2017 compromised confidential information on over 147 million Americans, resulting in a settlement of up to $425 million with the US Department of Commerce (2019).
Executives want assurance that they can trust the security of the software to which they have entrusted their business or mission. To demonstrate their due diligence in managing this major threat to the operational and financial health of the enterprise, many executives would prefer some form of certification that their business- or mission-critical systems are secure.
A certification cannot guarantee that a software system is without defect. Even if it could, the certification would be invalid after the next patch to the software. At best it implies one or more of the following, that:
1. The software has been produced and verified with appropriate professional discipline,
2. By competent software professionals skilled in applying software engineering disciplines, and
3. The software product is free of obvious defects that would create unacceptable operational or financial risks.

This article will discuss three approaches to certification that can be used to argue that an organization is performing due diligence in trying to ensure the security of its software systems.
1.2 SOME HELP: ISO 5055:2021
OMG’s Automated Source Code Quality Measures standard¹ (formal/22-07-21) has been adopted by ISO as a Publicly Available Standard (ISO/IEC 5055:2021 [10]). It contains measures for Security, Reliability, Performance Efficiency, and Maintainability computed from detecting and counting severe weaknesses in the source code of a software system. The weaknesses were selected by a workgroup of 75 experts from numerous companies in North America, Europe, and Asia. The Security measure contains 73 weaknesses, all of which are included in the Common Weakness Enumeration Repository (see Annex A). These weaknesses were selected because they were considered severe enough in their consequences that they should be prioritized for removal from a software system.
¹ https://www.omg.org/spec/ASCQM/1.1/About-ASCQM
Journal of Innovation 3