
SoS Newsletter - Advanced Book Block

Software Assurance

The 2005 Department of Defense initiative to promote software assurance defines the term as "the level of confidence that software functions as intended and is free of vulnerabilities, either intentionally or unintentionally designed or inserted as part of the software." The Department of Homeland Security has a companion strategic initiative to promote integrity, security, and reliability in software. Research into software assurance cited here includes testing, verification and validation, metrics, and test planning.

  • "Constraints in Software Testing, Verification and Analysis CSTVA'2013," Cadar, C.; Dadeau, F., Software Testing, Verification and Validation Workshops (ICSTW), 2013 IEEE Sixth International Conference on, pp. 208-209, 18-22 March 2013. (ID#:14-1197) Available at: Recent years have seen an increasing interest in the application of constraint solving techniques to test, verify and analyze software systems. Constraint-based techniques are proposed and investigated in the context of test input generation, model-based testing, symbolic execution, static analysis, program verification, and many other areas. These techniques use or extend constraint solvers such as SAT and SMT solvers to reason about Boolean, integer, real and floating-point data types, as well as complex data structures, control structures, method calls and other program features. The constraint systems that result from this work usually share many common features and are relevant to a variety of application domains. Following a first meeting held with the Principles and Practice of Constraint Programming (CP) conference in 2006, and three subsequent meetings at the International Conference on Software Testing, Verification and Validation (ICST) in 2010, 2011 and 2012, the aim of this paper is to bring together researchers and practitioners working in constraint-based software testing, verification and analysis, to investigate future developments in this research field.
  • "Lessons learned and challenges of developing the NATO air command and control information services," Aker, S.; Audin, C.; Lindy, E.; Marcelli, L.; Massart, J.-P.; Okur, Y., Systems Conference (SysCon), 2013 IEEE International, pp. 791-800, 15-18 April 2013. (ID#:14-1198) Available at: The North Atlantic Treaty Organization (NATO) Communications and Information (NCI) Agency is responsible for procuring and maintaining systems that are aligned with NATO Alliance operational requirements and national agreements, and are interoperable, when appropriate, with national systems. In the current NATO environment, long lead items, such as obtaining nationally agreed capability packages and financial investments, are now leaving less time to engineer complex solutions in a fluctuating financial and mission environment. In addition, NATO is challenged with fielding systems to operational and system administrative users provided by 28 allied nations. This presents challenges with language, data exchange, security issues, and training for users that may rotate back to their nation every three years. This unique NATO environment has forced Project Managers (PMs) and Technical Leads (TLs) to operate with constraints imposed by contracts built around traditional systems engineering waterfall methods. In contrast, short system lifecycle timelines demand engineering solutions using agile methods supported by iterative user validation of the system's fitness for purpose and usability with regard to changing peace-time and war-time missions (International Security Assistance Force (ISAF), Libyan Operation Unified Protector (OUP), etc.). The NCI Agency will be fielding a new Air C2 information service (AirC2IS) in 2013. This system, AirC2IS, was partially installed for initial system validation 21 months after contract award and will be fielded to over 20 NATO sites 35 months after contract award. The system will replace an interim capability and offer a vast array of software functionalities, using a web-based design, including, but not limited to, air track management, shared early warning, air planning, theatre ballistic missile defense planning and monitoring, and collaborative tool integration. The system capabilities are being procured by NCI Agency and developed by an industry partner. The AirC2IS design phase utilized a Human Machine Interface (HMI) driven approach and the development phase an agile methodology with user validation of functionalities before formal testing. The overall systems engineering approach was tailored to reduce the risk of system non-acceptance and to ensure high usability and software fit for purpose, matching user requirements. This paper will present lessons learned in the procurement, development, and fielding of AirC2IS in the following areas: project management of agile development in a traditional waterfall contract environment; agile software development with an HMI driven approach; and validation of systems optimizing mission flexibility.
  • "Visualization of Software Assurance Information," Feather, Martin S.; Wilf, Joel M., System Sciences (HICSS), 2013 46th Hawaii International Conference on, pp. 4948-4956, 7-10 Jan. 2013. (ID#:14-1199) Available at: During the conduct of Software Assurance on a software development project, data is gathered on both the software being developed and the development processes being followed. It is from this information that Software Assurance derives insights into the quality of the software itself and the efficacy of the development process. For large software developments such data can be voluminous, making deriving and conveying insights challenging. This motivates our ongoing efforts to apply information visualization techniques to software assurance data. While visualization techniques have long been applied to software itself, the application to software development processes and the data they yield is relatively novel. We report on several such applications and the insights they revealed. We offer some suggestions for the further investigation of information visualization techniques applied to assurance data.
  • "1st International workshop on assurance cases for software-intensive systems (ASSURE 2013)," Denney, Ewen; Pai, Ganesh; Habli, Ibrahim; Kelly, Tim; Knight, John, Software Engineering (ICSE), 2013 35th International Conference on, pp. 1505-1506, 18-26 May 2013. (ID#:14-1200) Available at: Software plays a key role in high-risk systems, i.e., safety and security-critical systems. Several certification standards and guidelines, e.g., in the defense, transportation (aviation, automotive, rail), and healthcare domains, now recommend and/or mandate the development of assurance cases for software-intensive systems. As such, there is a need to understand and evaluate (a) the application of assurance cases to software, and (b) the relationship between the development and assessment of assurance cases, and software engineering concepts, processes and techniques. The ICSE 2013 Workshop on Assurance Cases for Software-intensive Systems (ASSURE) aims to provide an international forum for high-quality contributions (research, practice, and position papers) on the application of assurance case principles and techniques for software assurance, and on the treatment of assurance cases as artifacts to which the full range of software engineering techniques can be applied.
  • "Formalization of Measure Theory and Lebesgue Integration for Probabilistic Analysis in HOL," Mhamdi, Tarek; Hasan, Osman; Tahar, Sofiene. ACM Transactions on Embedded Computing Systems, 12 (1), pp. 1-23, 2013. (ID#:14-1201) Available at:
  • "Theory in Practice for System Design and Verification," Rajeev Alur, Thomas A. Henzinger, and Moshe Y. Vardi. N.p., 2014. (ID#:14-1203) Available at: The authors address the impact of advances in design automation for hardware, software, and embedded systems.
  • "A Verified Information-Flow Architecture," Arthur Azevedo de Amorim, Nathan Collins, Andre DeHon, Delphine Demange, Catalin Hritcu, David Pichardie, Benjamin C. Pierce, Randy Pollack, and Andrew Tolmach. Proceedings of the 41st Symposium on Principles of Programming Languages (POPL), January 2014. (ID#:14-1204) Available at: The authors present a formal, machine-checked model of selected hardware and software elements that control information flow in SAFE.
  • "System regression test planning with a fuzzy expert system," Zhiwei Xu; Kehan Gao; Taghi M. Khoshgoftaar; Naeem Seliya. Information Sciences, 2014; 259:532-543. (ID#:14-1206) Available at: (fee required) The authors propose the use of fuzzy systems to offset the problem of test case selection in the absence of source code analysis.
  • "CILogon: A Federated X.509 Certification Authority for CyberInfrastructure Logon," Jim Basney, Terry Fleury, and Jeff Gaynor. XSEDE Conference, July 2013, San Diego, CA. (ID#:14-1207) Available at: (fee required) This article presents the CILogon service and what has been learned during the first three years of its operation.
  • "Comparing Approaches to Analyze Refactoring Activity on Software Repositories," Gustavo Soares, Rohit Gheyi, Emerson Murphy-Hill, and Brittany Johnson. Journal of Systems and Software, 2013. (ID#:14-1209) Available at:


Articles listed on these pages have been found on publicly available internet pages and are cited with links to those pages. Some of the information included herein has been reprinted with permission from the authors or data repositories. Direct any requests for removal of the links or modifications to specific citations via email to SoS.Project (at). Please include the ID# of the specific citation in your correspondence.