Mapping the Software Assurance Landscape: A Guide to What’s Going On In the Community Sean Barnum.


Mapping the Software Assurance Landscape:

A Guide to What’s Going On In the Community

Sean Barnum


2 © 2006 Cigital Inc. All Rights Reserved.

So Tell Us About What’s Going On in SwA


Software Assurance Landscape Paper

The landscape paper is intended to:
- Draw a somewhat broad picture of the organizations and efforts of the software assurance landscape
- Identify and describe various knowledge resources being developed and made available by these efforts
- Describe and explore how many of these efforts and knowledge resources are actually mutually supportive, well aligned, and complementary
- Identify gaps and opportunities in the current landscape

Structure:
- Intro & Purpose of Landscape
- Brief overview and scoping of “Software Assurance”
- Software Assurance State of the Art/Practice Summary
- Software Assurance Landscape Index
- Software Assurance Domain Summaries
- Graphical Representations of Landscape
- Software Assurance Knowledge, Activities and Initiatives
- Targeted Capabilities
- Software Assurance Roadmap


Landscape Index

Objective: Present full list of organizations, activities and knowledge in an organized taxonomy to more easily identify items of interest

Key Domains:
- Communities & Leadership
- Developing and Maintaining Software-based Systems
- Operation and Maintenance of Systems and Networks
- Evaluating, Certifying, Reviewing, and Monitoring Compliance of Software-based Systems
- Formalization and Enabling Technologies for Implementing Security Guidelines and Specifications
- Research & Development (R&D)
- Education
- Acquisition & Marketing
- Forums, Conferences, Colloquia, Working Groups, etc.


Domain Summaries & Graphical Representations

Domain Summaries:
- Objective: Prose descriptions of each organization, activity and knowledge resource along with explanations of the relationships between them
- A good place to start

Graphical Representations:
- Objective: Present single picture overviews of the interrelationships between elements of a given type
- Currently complete: Knowledge
- To be created: Organizations & Activities


SwA Efforts in Context


Software Assurance Knowledge, Activities and Initiatives

Enumerated list of all of the identified organizations, activities and knowledge

Each entry includes:
- A very brief description of the element
- Links and references to where you can go to learn more
- Who is sponsoring or leading
- Eventually, descriptions of how this element is related to other elements in the enumeration


Targeted Capabilities & SwA Roadmap

Targeted Capabilities outlines capabilities that the SwA community seeks to achieve with the elements of the landscape

This listing helps to establish the beginnings of a framework for identifying gaps in the current landscape

SwA Roadmap is intended to link to various specifically actionable roadmaps that may exist for filling identified gaps in the landscape


Challenges & Future Plans

Challenges:
- How tightly to bound the landscape to software assurance
- Requires many different perspectives (no one knows it all)
- Gathering adequate details on such a large number and wide variety of organizations, activities and knowledge
- Keeping landscape current

Future Plans:
- Continue to flesh out and revise current content
- Identify new content and expand
- Eventually deploy as a website


Opportunities for Involvement

Need your assistance with identifying other relevant topics of interest

Need your assistance with identifying other relevant organizations, activities and knowledge

Need your assistance with descriptive detail for each organization, activity or knowledge entry

Need your perspective on how to make this more valuable

Need your assistance in spreading the word

To get involved, email Sean ([email protected]) or Bob ([email protected])