SAFECode Driving Security and Integrity


PAPERS

CWE/SANS TOP 25 Most Dangerous Programming Errors

This report seeks to identify the Top 25 Most Dangerous Programming Errors. The Department of Homeland Security and the National Security Agency funded it in an effort to educate programmers. It was managed by MITRE and the SANS Institute, and the major errors were divided into three categories: Insecure Interaction Between Components, Risky Resource Management, and Porous Defenses.

http://www.sans.org/top25errors/

Build Security in Maturity Model (BSIMM)

The Build Security In Maturity Model (BSIMM) is a set of software security activities identified in a survey of the software security initiatives of nine companies. The activities were grouped into a Software Security Framework, which can be used as a yardstick for other organizations to assess their software security measures. The report was released on March 4, 2009.

http://www.bsi-mm.com/

Consensus Audit Guidelines

This report identifies 20 specific security controls that are essential for blocking known high-priority attacks. A consortium of federal agencies and private organizations determined that the first 15 controls could be monitored automatically and continuously, while the last five needed to be monitored manually. It is also important to note that Critical Control number seven addresses Application Software Security.

http://www.sans.org/cag/guidelines.php

CSIS Report on “Securing Cyberspace for the 44th Presidency”

This report outlined three major findings on cybersecurity for the 44th President of the United States. The report stated that cybersecurity is one of the major national security problems facing the United States; that decisions and actions must respect American values related to privacy and civil liberties; and that only a comprehensive national security strategy that embraces both the domestic and international aspects of cybersecurity will improve the situation. The commission also recommends that the president work with industry to develop and implement security guidelines for the procurement of IT products, with software as the top priority.

http://www.csis.org/component/option,com_csis_pubs/task,view/id,5157/

Software Security Assurance: State-of-the-Art-Report, Information Assurance Technology Analysis Center (IATAC) and Data Analysis Center for Software (DACS), July 31, 2007

This report identifies the current "state-of-the-art" in software security assurance. The document, a joint collaboration between the Department of Defense's Information Assurance Technology Analysis Center and Data Analysis Center for Software, provides an overview of current and emerging activities and organizations involved in promoting various aspects of software security assurance and describes the variety of techniques and technologies in use in government, industry, and academia for specifying, acquiring, producing, assessing, and deploying secure software.

http://iac.dtic.mil/iatac/download/security.pdf


James Lewis, Foreign Influence on Software: Risks and Recourse, CSIS Report, March 2007

The report examines the risks associated with the global software supply chain and provides recommendations on how to mitigate these risks.

http://www.csis.org/index.php?option=com_csis_pubs&task=view&id=3772


Processes to Produce Secure Software: Towards More Secure Software, National Cyber Security Summit, March 2004.

The report is a product of the Software Process Subgroup of the Security-across-the-Software-Development-Lifecycle Task Force of the National Cyber Security Summit. The report defines a path for software producers to follow in producing secure software and it includes recommendations to software producing organizations, educators, and the Department of Homeland Security (DHS) on how to motivate and aid software producers in following these recommendations.

http://www.cigital.com/papers/download/secure_software_process.pdf


Software for Dependable Systems: Sufficient Evidence? Committee on Certifiably Dependable Software Systems, National Research Council, 2007.

This report examines how software and the systems that rely on it can be made dependable in a cost-effective manner, and how assurance that dependability has been achieved can be obtained. The focus of the report is a set of fundamental principles that underlie software system dependability and that suggest a different approach to the development and assessment of dependable software.

http://books.nap.edu/catalog.php?record_id=11923#toc


Defense Acquisitions: Knowledge of Software Suppliers Needed to Manage Risks, GAO Report to Congressional Requesters, May 2004.

This study by the Government Accountability Office concludes that DOD acquisition and software security policies do not fully address the risk of using foreign suppliers to develop weapon system software. To address this problem, GAO recommends that DOD better define software security requirements and require program managers to mitigate associated risks accordingly.

http://www.gao.gov/new.items/d04678.pdf


House of Lords Science and Technology Committee on Personal Internet Security

This report argues that governments must do more to provide incentives for information and communications technology vendors to promote personal security on the internet. Recommendations urge government action to create "a flexible mix of incentives, regulation, and direct investment to galvanize the key stakeholders."

http://www.parliament.uk/parliamentary_committees/lords_s_t_select/internet.cfm


The NDIA Systems Assurance Guidebook Project

This guidebook provides system, software and process guidance to increase the level of assurance across the system lifecycle. The guidebook is built on ISO and IEEE systems lifecycle specifications delivering a prescription for engineers who are seeking specific instruction on the incorporation of security and assurance measures to help manage the criticality of their target system as well as the components that make up the system.

http://www.itaa.org/upload/es/docs/Systems_Assurance_Guidebook_2_Aug_2007.doc

ORGANIZATIONS

IMPACT Malaysia

Based in Cyberjaya, Malaysia, the International Multilateral Partnership Against Cyber Threats (IMPACT) is a multilateral collaboration effort that exchanges ideas, best practices and shared skills to combat cyber threats.

http://www.impact-alliance.org/

Build Security In (BSI)

Build Security In is a project of the Software Assurance program of the Strategic Initiatives Branch of the National Cyber Security Division (NCSD) of the U.S. Department of Homeland Security. The Software Engineering Institute (SEI) was engaged by the NCSD to provide support in the Process and Technology focus areas of this initiative. The SEI team and other contributors develop and collect software assurance and software security information that helps to create secure systems.

https://buildsecurityin.us-cert.gov/

CESG Assurance Model

CESG is the Information Assurance (IA) arm of GCHQ and the UK Government's National Technical Authority for IA, responsible for enabling secure and trusted knowledge sharing.
The new CESG Assurance Model is a framework that takes a 'whole-life' view of assurance. CESG believes it will help address some of the challenges the Government community (and its partners) face in developing ICT systems in today's increasingly complex and joined-up world.

http://www.cesg.gov.uk/policy_technologies/assuance/index.shtml

Common Criteria Portal

The Common Criteria Portal is the official website of the Common Criteria Project, a central and geographically neutral site containing information about the Common Criteria.

http://www.commoncriteriaportal.org

The European Network and Information Security Agency and the ITU (International Telecommunication Union)

The European Network and Information Security Agency, together with the International Telecommunication Union, launched a new portal for IT security standards, for the first time giving Europe a single access point for IT security standards.

http://www.itu.int/ITU-T/studygroups/com17/ict/

Federal Information Security Management Act (FISMA) Implementation Project

The FISMA Implementation Project was established in January 2003 to produce several key security standards and guidelines required by Congressional legislation. These publications include FIPS 199, FIPS 200, and NIST Special Publications 800-53, 800-59, and 800-60. Additional security guidance documents are being developed in support of the project while not called out directly in the FISMA legislation. These publications include NIST Special Publications 800-37, 800-53, and 800-53A.

http://csrc.nist.gov/sec-cert/

The Federal Office for Information Security (BSI)

The Federal Office for Information Security (BSI) is the central IT security service provider for the German government. BSI conducts basic research within the area of IT security with services aimed at the users and manufacturers of information technology products.

http://www.bsi.bund.de/english/publications/index.htm

ICT Security Standards Roadmap

The ICT Security Standards Roadmap has been developed to assist in the development of security standards by bringing together information about existing standards and current standards work in key standards development organizations.

http://www.itu.int/ITU-T/studygroups/com17/ict/

NIST's Computer Security Division

The Computer Security Division (CSD) responds to the Federal Information Security Management Act of 2002. The NIST CSD operates the FIPS 140 testing program in addition to other programs.

http://csrc.nist.gov/groups/STM/index.html

Purdue University Secure Programming Curriculum

Pascal Meunier has developed this curriculum to teach secure programming skills to developers. The material is an excellent resource for all developers.

http://homes.cerias.purdue.edu/~pmeunier/aboutme/teaching.html

Software Assurance Metrics And Tool Evaluation (SAMATE) -- NIST

This project supports the DHS Software Assurance Tools and R&D Requirements Identification Program. The objective of part 3, Technology (Tools and Requirements), is the identification, enhancement and development of software assurance tools. NIST is leading in (A) testing software evaluation tools, (B) measuring the effectiveness of tools, and (C) identifying gaps in tools and methods.

http://samate.nist.gov/