Recommendations for Effective Security Assurance of Software-Dependent Systems

Abstract

Assuring the security of software-dependent systems in the face of cyber-attacks and failures is now among the top priorities for governments and providers of electric, financial, communication, and other essential services. Practical and foundational solutions for systematic, secure, and trustworthy system development are needed to support developers, regulators, and certification bodies in providing assurance that security threats faced by the software systems used in these environments have been adequately mitigated. Using recent experiences reported in the literature as a basis, we discuss the challenges of providing security assurance for software-dependent systems. We also explore the barriers to adoption of existing approaches and techniques which can play an important role in security assurance efforts. Ultimately, we present a set of recommendations which outline a collection of follow-on research directions that can advance the state-of-the-art and support the development of more effective security assurance solutions for critical software-dependent systems.