
Acquisition Oversight for Software Assurance

Streamed live on Mar 11, 2026
1:00:34

Prototype Software Assurance Framework (SAF): Introduction and Overview
https://www.sei.cmu.edu/library/prototype-software-assurance-framework-saf-introduction-and-overview/

Software management is too frequently ignored or addressed piecemeal in systems. Cyber threat actors take advantage of gaps and errors in their attacks, which they can accomplish throughout the lifecycle. Exploiting these gaps and errors allows them to compromise processes, practices, and procedures that touch a system’s design, component development, and supply chain to bypass controls and leverage available vulnerabilities. Key software assurance activities must be embedded within the acquisition lifecycle to effectively combat these threat actors.

What Will Attendees Learn?

• How software assurance can be addressed with limited cost and schedule impact if it is effectively integrated into the acquisition lifecycle
• Which knowledge and resources are critical to software assurance and the risks that can be missed if they are underrepresented
• Key aspects of managing acquisition and development that are critical to software assurance and why they are important

Speakers: Dr. Carol Woody and Michael Bandor

@TheSEICMU #sotwareassurance #acquisition #softwareacquisition

Introduction to the Software Challenge (0:31-3:00)
Invisible Risks in System Acquisition (3:01-11:34)
The Four Isolated Swim Lanes (13:16-18:22)
Software Assurance Pillar: Requirements (23:53-26:57)
Software Assurance Pillar: Development & Supplier Management (26:58-28:07)
Software Assurance Pillar: Systems Integration (28:08-29:01)
Software Assurance Pillar: Metrics (29:02-30:04)
Acquisition Security Framework (32:17-33:16)
Mission Thread Analysis & Data Flows (33:17-36:37)
Supplier & Product Evaluation (36:38-40:20)
Resilience and Testing (Fuzz Testing) (40:21-42:55)
Software Bill of Materials (SBOM) & Legacy Systems (46:48-55:46)
AI Influence on Software Assurance (55:47-59:46)

