In the past five years, software assurance has moved from the theoretical to the practical, as more vendors disclose or are required to disclose their secure development practices if they are not actually trying to use these practices as competitive differentiators.
The market shift has been led by critical customer segments as much or more so than by a vendor awakening.
Customers are increasingly focused upon lifecycle security costs in part because unexpected security events have become a large and unpredictable part of organizations' IT budgets. Whether it's providing secure software configurations or disclosing secure development practices, the software landscape for vendors has shifted from "nobody will pay more for better security" to vying in Snow White contests to be the universal response to: "Mirror, Mirror on the wall, who is the most security-minded vendor of all?" Customer demand is changing the marketplace for secure software, a trend that will accelerate through purchasing power or by policies with the effect of regulation.
The US federal government is a significant player in changing the security marketplace. Cost factors are leading to the increasing use of commercial off-the-shelf (COTS) software. In order to feel comfortable using COTS in critical systems, US federal agencies want more transparency regarding how, where and by whom the software they use is developed, in part to better assess risk, of which software security-worthiness is a large component.
A number of US government agencies, including the Department of Defense (DOD), the National Security Agency (NSA), the Office of Management and Budget (OMB) and the Department of Homeland Security (DHS) are focused on software security. The Department of Homeland Security (DHS), for example, runs a software assurance forum where a broad tent of industry, academia and customers collaborate on better software development practices.
Multiple DHS software assurance working groups have produced materials in areas as diverse as secure development practice, security metrics, acquisition and developer education.
The DHS Software Assurance Acquisition Working Group has recently produced the guide "Software Assurance in Acquisition: Mitigating Risks to the Enterprise" to help US government procurement officers determine how a supplier has built security into its software and to gauge software security risks as part of acquisition instead of assuming unknown and unknowable risks after software is already acquired.
The guide provides a lifecycle approach to acquisition: how to address security during planning, contracting, monitoring and acceptance and follow-on acquisition phases. The guide includes extensive due-diligence questionnaires covering software assurance areas such as architecture and design, software development, testing, manufacturing and packaging in addition to related areas such as security training, whether organizations train and/or certify their developers in secure development practice.