Note: This page is part of the us-cert.gov archive.

This document is part of the US-CERT website archive. These documents are no longer updated and may contain outdated information. Links may also no longer function. Please contact info@us-cert.gov if you have any questions about the US-CERT website archive.

Build Security In

Build Security In / Software & Supply Chain Assurance content is no longer updated.
The articles are provided here for historical reference.
Suggested resource: https://www.cert.org/cybersecurity-engineering/

Build Security In was a collaborative effort that provided practices, tools, guidelines, rules, principles, and other resources that software developers, architects, and security practitioners can use to build security into software in every phase of its development. Software assurance (SwA) is the level of confidence that soft ware is free from vulnerabilities, either intentionally designed into the software or accidentally inserted at any time during its life cycle, and that the software functions in the intended manner.

Best Practices Articles

A significant portion of the BSI effort was devoted to best practices that can provide the biggest return considering current best thinking, available technology, and industry practice.

Topics

Acquisition
Architectural Risk Analysis
Assembly, Integration, and Evolution
Code Analysis
Deployment and Operations
Governance and Management
Incident Management
Insider Threat
Legacy Systems
Measurement
Penetration Testing
Project Management
Requirements Engineering
Risk Management
Security Testing
System Strategies
Training and Awareness
White Box Testing

Knowledge Articles

Software defects with security ramifications, including implementation bugs and design flaws such as buffer overflows and inconsistent error handling, promise to be with us for years. Recurring patterns of software defects leading to vulnerabilities have been identified, and the BSI team documented detailed instructions on how to produce software without these defects.

Topics

Assurance Cases
Attack Patterns
Business Case Models
Coding Practices
Lessons Learned
Principles
SDLC Process
Software Assurance Education

Tools Articles

The BSI site includes an explanation of the following types of tools: Modeling Tools, Source Code Analysis Tools, and Black Box Testing. Descriptions are included of the technologies, how they work, and why they are useful.

Topics

Black Box Testing
Modeling Tools
Penetration Testing Tools
Source Code Analysis

Additional Resources

The BSI site includes an explanation of the following types of tools: Modeling Tools, Source Code Analysis Tools, and Black Box Testing. Descriptions are included of the technologies, how they work, and why they are useful.