Disclaimer: The opinions of the columnists are their own and not necessarily those of their employer.
C. Warren Axelrod

Application Security – Where It’s At

And lastly, I mention the workshop at Carnegie Mellon, with the title of “Making the Business Case for Software Assurance.” I was asked to talk on software assurance and global outsourcing, which brings together two of my favorite topics. While I didn’t present, I did prepare a summary and a presentation. The former is on page 46 of the Proceedings posted to

https://buildsecurityin.us-cert.gov/swa/downloads/BCW_Proceedings.pdf

In my opinion, there are a number of combinations to consider:

• In-house assurance of externally developed software
• Outsourced assurance of internally developed software
• Outsourced assurance of externally developed software

Each has its own benefits and liabilities. There is a good case for keeping software assurance in-house, if you have the appropriate skills available, in order to verify the security of all critical software, wherever it might have been developed. However, without the necessary internal expertise, one should seek competent third-party specialists to perform the function. It is a good idea to have different vendors develop and assure your various applications to avoid bias as well as to see who actually does a better job.

So, all in all, we are seeing a continuing increase in interest in software security, which is all to the good. It is a critical area that has been neglected for too long.
