Accession Number:

AD1103836

Title:

Securely Using Software Assurance (SwA) Tools in the Software Development Environment

Descriptive Note:

Technical Report

Corporate Author:

Institute for Defense Analyses Alexandria United States

Report Date:

2018-07-02

Pagination or Media Count:

98.0

Abstract:

Software assurance SwA may be defined as the level of confidence that software is free from vulnerabilities, either intentionally designed into the software or accidentally inserted at any time during its lifecycle, and that the software functions in the intended manner. Since modern systems are under constant attack, sufficient SwA is vital. In practice, a suite of SwA tools is necessary to help achieve this. However, there are potential challenges to securely using a suite of SwA tools. Software development environments SDEs are increasingly under focused attack, since subverting software during development can be easier than subverting it after it is deployed. One mechanism for subverting SDEs is to exploit vulnerabilities in its tools or to provide maliciously subverted tools to an SDE. The goal of this paper is to help ease the deployment of SwA tools, by countering potential objections to using them. To achieve this, we discuss how to protect against potential supply chain risks of SwA tools themselves, including how to protect the SDE in general against supply chain risks and how the mechanisms to counter SwA tool risks fit into the SDE. We show that it is possible to modify SDE practices to use a wide variety of SwA tools and still manage the inherent risks. Isolation mechanisms can be used, for example, to separate tools and restrict access for specific tasks. This approach can be automated and may reduce risk in a relatively uncomplicated manner. In particular, the medium protection approach discussed here should be easy to incorporate in existing SDEs. We recommend that organizations fully embrace the use of many SwA tools when developing software. Where appropriate, they should consider taking the additional steps discussed here if they determine that the risks of using SwA tools are otherwise too high. Our hope is that this information will lead to the widespread safe use of suites of SwA tools.

Subject Categories:

  • Computer Programming and Software
  • Computer Systems Management and Standards

Distribution Statement:

APPROVED FOR PUBLIC RELEASE