SARP: NASA Secure Software Engineering Portal


“NASA Secure Software Engineering Portal,” a Software Assurance Research Program (SARP) project, intends to develop an online portal to provide user-friendly access to security-related software development knowledge. SARP, hosted by NASA’s Independent Verification and Validation (IV&V) Program, is sponsoring five research projects in Fiscal Year 2020 aimed at benefiting Software Assurance (SA) processes across the agency.

Project Goals

The NASA Secure Software Engineering Portal (SSEP) is an online resource that provides a one-stop-shop site for knowledge about software security threats and weaknesses, as well as guidance for selecting and using Software Engineering and security-related practices such as methods, techniques, tools, processes and personnel-related measures. This portal is being built by NASA Goddard Space Flight Center and tested by NASA security professionals and will be available to all NASA software practitioners at all centers and facilities.

Within this portal, users can:

  • Browse and search in a library that contains multimedia material, organized by life cycle activities. This content is delivered in a user-friendly and intuitive way so that users can easily find topics with detailed information, related material curated for NASA projects and links to external sites for additional research.
  • Find threats and weaknesses, recommended practices, and tools relevant to a specific role and project context, with the help of the assistant app. This app is built on a relational database whose content and queries are extensible for future evolution.
  • Access a forum that facilitates discussions and direct knowledge sharing within the community across NASA. At the moment, this is implemented as a Microsoft Office 365 Teams channel.

SSEP’s content will grow organically, driven by its usage and users’ needs. The portal will promote education and communication and help create a cyber-security culture at NASA. SSEP can become a vital resource for software developers, managers and assurance providers and help them build in security throughout the software life cycle.

Project Background

The sophistication of cyber-attacks and the risk they pose to NASA missions and systems have continuously increased. Attackers can exploit vulnerable software and cause loss of valuable assets, such as scientific data, loss of spacecraft or instrument control, use of a mission in unexpected and undesired ways, or even mission- and life-critical safety incidents.

Since NASA systems are software intensive, software security is a rapidly increasing challenge for software developers, testers, managers and SA providers. Software security is everybody’s responsibility, and building in software security is imperative throughout the entire life cycle.

Recognizing this need, NASA started adding security-related rules and requirements to standards, policies and guidance documents, such as NPR 7150.2, NASA Software Engineering Requirements, and the new version of NASA-STD-8739.8, Software Assurance and Software Safety Standard.

In addition to these requirements, practitioners need more concrete guidance, information and support for understanding security risks and adopting effective and efficient countermeasures in their projects. The approach to software security varies depending on factors such as the software domain (flight, ground, data science or Information Technology), the language and environment in which the software is developed, the platform on which it operates or the system in which it is embedded, reuse of previously developed software, and the tools and practices used for software development and assurance.

Information related to software security is abundantly available online, but typical searches return information that is not relevant or directly and efficiently applicable to NASA systems and projects.

For more information on this project, contact Ioana Rus, Alexander Durkin and Pam Pittman, Goddard Space Flight Center.

SARP Background

SARP is aligned to support discipline goals to improve how NASA performs SA activities. The research program is designed to provide NASA with greater knowledge about the SA practices, methods and tools needed to produce safe and reliable software.

SARP is designed to address fundamental SA problems in the field of Software Engineering, primarily as it relates to software safety, quality, IV&V, testability and reliability. It is intended to develop and transfer into practice SA technologies, methods and tools to support and improve the quality of the software produced by and for NASA, and to assist the agency in continuing its leadership in the development of safe, reliable and cost-effective software. Thus, by sponsoring forward-thinking research as well as addressing current needs, SARP helps assure that sufficient and appropriate software risk mitigation is applied to the software that controls and monitors NASA’s systems.