
Software Assurance: Reducing Software Vulnerabilities to Boost Cybersecurity
Many cyber threats need a weakness to exploit. Typically that weakness is a software flaw in an application that can be exploited to compromise the integrity of a host system and unleash a cyber-attack within a company. In this blog, we'll be covering strategies for implementing specific aspects of "Software Assurance (SwA)*"—the practice of avoiding and reducing software flaws—and how it is essential for effective cybersecurity.
Mature development shops already know that software must be as free from security vulnerabilities as possible. The fewer the vulnerabilities, the harder it will be for an attacker to exploit a given application. However, achieving this vulnerability-free goal is exceedingly difficult, maybe even impossible. Even if the developers in your own organization follow top-notch practices, you're still at risk of compromise from an exploited software flaw if you're using outsourced or procured applications. Compounding the risks associated with software vulnerabilities is the fact that applications are becoming more interconnected, and flaws in one application can lead to exploitation of others.
Ask yourself this: Can I be assured that the individuals who wrote the code we rely on followed best practices, were educated in secure coding, had the code reviewed, used proper source code control, and didn't have an off-day at any point throughout the entire development process? Clearly, the answer is "no."
So what can you do? At MITRE we start by training our developers to follow secure software development practices. We offer an Introduction to Secure Coding class in our internal training program. We believe that improving developer awareness of secure coding techniques is the single most effective way to reduce security vulnerabilities.
Additionally, we team SwA subject matter experts with developers to conduct secure code reviews on select high-risk and high-criticality applications to identify potential vulnerabilities before they are released into production environments. These reviews leverage both manual code inspection and automated analysis tools (like those found in NIST's collection of Source Code Security Analyzers) to highlight potential security problems (e.g., the CWE/SANS Top 25 Most Dangerous Software Errors). Secure code reviews are also used at MITRE to develop skills and transfer knowledge of secure coding practices to other coders within the company. Using a "pay it forward" approach, the secure code review team enlists the help of developers outside the project being reviewed to leverage their specific language expertise and, more importantly, to build their own secure coding skills that they can then carry forward to benefit their own development team.
Finally, another way we've improved SwA at MITRE is to tailor our corporate policies to help ensure that the software on our systems meets some desired level of SwA confidence.
In addition to the examples provided above on how to improve your organization's software assurance capability, the Building Security In Maturity Model provides others.
By no means are we going to stop all threats through software assurance, but reducing the attack surface will always be a part of a sound cyber defensive strategy. We can make the job of our cyber defenders a bit easier and that of our cyber adversaries more difficult.
We will offer this series periodically, discussing specific aspects of how to ensure a responsible software assurance practice—including secure code reviews, training developers, and SwA policies—to help you strengthen your cybersecurity posture.
* SwA provides a "level of confidence that software is free from vulnerabilities, either intentionally designed into the software or accidentally inserted at any time during its life cycle, and that the software functions in the intended manner." (CNSS 4009 IA Glossary)
About Drew Buttner
Drew Buttner leads a software assurance group at MITRE specializing in secure code review. He has worked on improving application security for both MITRE and its customers since joining the organization in 2001. An expert in the field of source code weaknesses, Drew is also involved in a number of research efforts related to secure software development and the level of confidence in resulting code.