Software is essential to the operation of the Nation's critical infrastructure. Vulnerabilities in software can jeopardize intellectual property, consumer trust, and business operations and services. A broad spectrum of critical applications and infrastructure, from process control systems to commercial application products, depends on secure, reliable software.
It is estimated that 90 percent of reported security incidents result from exploits against defects in the design or code of software. Therefore, ensuring the integrity of software is key to protecting the infrastructure from threats and vulnerabilities, and reducing overall risk from cyber attacks. In order to ensure system reliability, integrity, and safety, it is critical to include provisions for built-in security of the enabling software.
Setting a Higher Standard for Software Integrity and Security
Grounded in the National Strategy to Secure Cyberspace, the Department of Homeland Security's Software Assurance Program spearheads the development of practical guidance and tools and promotes research and development of secure software engineering, examining a range of development issues from new methods that avoid basic programming errors, to enterprise systems that remain secure when portions of the system software are compromised. Through collaborative software assurance efforts, stakeholders seek to reduce software vulnerabilities, minimize exploitation, and address ways to improve the routine development and deployment of trustworthy software products. Together, these activities will enable more secure and reliable software that supports mission requirements across enterprises and the critical infrastructure.
From Patch Management to Software Assurance
As a strategic initiative of the DHS National Cyber Security Division, the key objective of the Software Assurance Program is to shift the security paradigm from patch management to software assurance. This shift is designed to encourage software developers to raise overall software quality and security from the start, rather than relying on applying patches to systems after vulnerabilities are discovered. It starts with secure software engineering to “build security in.” Recognizing that software security must be addressed in a systematic way throughout the software development life cycle, the Software Assurance Program encourages all software developers, from the public sector and private industry, to raise the standard on software quality and security. Together, government, industry, and academia will raise expectations for product assurance with requisite levels of integrity and security, by promoting security methodologies and tools as a normal part of business.
Building Success Through Collaboration
Public-private partnerships form the foundation of the Software Assurance Program. By partnering with the private sector, academia, and other federal departments and agencies, the Software Assurance Program can improve software development, quality assurance, and acquisition processes, leading to the production of higher quality, more secure software. Through Homeland Security's sponsorship of conferences and workshops, a common body of knowledge and a repository of practical guidance for software developers and architects are being produced to improve the quality, reliability, and dependability of software. In collaboration with industry, academia, and government partners, the DHS National Cyber Security Division's approach to addressing software assurance encompasses the following components:
Participation
Our partnerships have culminated and continue to progress through working groups dedicated to reducing software vulnerabilities and improving the routine development and deployment of trustworthy software products. Areas of participation include:
Obtaining Additional Information
To learn more about the DHS Software Assurance Program, visit the Software Assurance website. An additional resource for developers and educators is Build Security In. Cyber security is a shared responsibility. Working together, we can secure America's cyberspace.
