SARP: NASA Secure Software Engineering Portal

SARP: NASA Secure Software Engineering Portal

3-minute read
SSEP

“NASA Secure Software Engineering Portal,” a Software Assurance Research Program (SARP) project, intends to develop an online portal to provide user-friendly access to security-related software development knowledge. SARP — hosted by NASA’s Independent Verification and Validation (IV&V) Program — is sponsoring five research projects in Fiscal Year 2020 aimed to benefit Software Assurance (SA) processes across the agency.

Project Goals

The NASA Secure Software Engineering Portal (SSEP) is an online resource that provides a one-stop-shop site for knowledge about software security threats and weaknesses, as well as guidance for selecting and using Software Engineering and security-related practices such as methods, techniques, tools, processes and personnel-related measures. This portal is being built by NASA Goddard Space Flight Center and tested by NASA security professionals and will be available to all NASA software practitioners at all centers and facilities.

Within this portal, users can

  • Browse and search in a library that contains multimedia material, organized by life cycle activities. This content is delivered in a user-friendly and intuitive way so that users can easily find topics with detailed information, related material curated for NASA projects and links to external sites for additional research.
  • Find threats and weaknesses, recommended practices, and tools, relevant to a specific role and project context, with the help of the assistant app. This app is built on a relational database whose content and queries are extensible for future evolution.
  • Access a forum that facilitates discussions and direct knowledge sharing within the community across NASA. At the moment, this is implemented as a Microsoft Office 365 Teams channel.

SSEP’s content will grow organically, driven by its usage and users’ needs. The portal will promote education and communication and help create a cyber-security culture at NASA. SSEP can become a vital resource for software developers, managers and assurance providers and help them build-in security throughout the software life cycle.

Project Background

The sophistication of cyber-attacks and the risk they pose to NASA missions and systems has continuously increased. Attackers can exploit vulnerable software and cause loss of valuable assets, such as scientific data, loss of spacecraft or instrument control, use of mission in unexpected and undesired ways, or even mission and life critical safety incidents.

Since NASA systems are software intensive, software security is a rapidly increasing challenge for software developers, testers, managers and SA providers. Software security is everybody’s responsibility, and building in software security is imperative throughout the entire life cycle.

Recognizing this need, NASA  started adding security-related rules and requirements to standards, policies and guidance documents, such as NPR 7150.2C, NASA Software Engineering Requirements and the new version of NASA-STD-8739.8, Software Assurance and Software Safety Standard.

In addition to these requirements, practitioners need more concrete guidance, information and support for understanding security risks and adopting effective and efficient countermeasures in their projects. The approach to software security varies depending on factors such as the software domain (flight, ground, data science or Information Technology), language and environment in which the software is developed, the platform on which it operates or the system in which it is embedded, reuse of previously developed software, tools and practices used for software development, and assurance.

Information related to software security is abundantly available online, but typical searches return information that is not relevant or directly and efficiently applicable to NASA systems and projects.

For more information on this project, contact Ioana Rus, Alexander Durkin and Pam Pittman, Goddard Space Flight Center.

SARP Background

SARP is aligned to support discipline goals to improve how NASA performs SA activities. The research program is designed to provide NASA with greater knowledge about the SA practices, methods and tools needed to produce safe and reliable software.

SARP is designed to address fundamental SA problems in the field of Software Engineering, primarily as it relates to software safety, quality, IV&V, testability and reliability. It is intended to develop and transfer into practice SA technologies, methods and tools to support and improve the quality of the software produced by and for NASA, and to assist the agency in continuing its leadership in the development of safe, reliable and cost-effective software. Thus, by sponsoring forward-thinking research as well as addressing current needs, SARP helps assure that sufficient and appropriate software risk mitigation is applied to the software that controls and monitors NASA’s systems.

People

Tim Crumbley

SA Technical Fellow

Learn more about SA Technical Fellow Tim Crumbley.

Read More

Guille del Carmen

Technical Discipline Team Lead

Learn more about SA Technical Discipline Team Lead Guille del Carmen.

Read More

Points of Contact

For details on contacting an SA Point of Contact (PoC), click below.

Find Your PoC

Software Assurance Working Group

The Software Assurance Working Group (SAWG) is a group of Software Assurance (SA) professionals from across NASA who work together to help formulate NASA SA policy, standards, training, guidance, briefings and other needed items. It is also a forum to share experiences, lessons learned and useful techniques. The SAWG provides a community that can provide assistance and support to individual practitioners.

The group meets twice a month (second and fourth Wednesdays), with the second meeting of the month devoted to supporting SA Technical Excellence efforts.

Software Assurance Working Group

Past Events

Event Date Description
4 Types of Peer Reviews
12/15/2021 Webinar covering similarities and differences between the four basic types of peer review  
Software Quality Risk Scoring Workshop Part I 6/8/2021 First day of the virtual Software Quality Risk Scoring Workshop. View Event
Software Quality Risk Scoring Workshop Part II 6/8/2021 First day of the virtual Software Quality Risk Scoring Workshop. View Event
Software Quality Risk Scoring Workshop Part III 6/9/2021 Second day of the virtual Software Quality Risk Scoring Workshop. View Event
Software Quality Risk Scoring Workshop Part IV 6/9/2021 Second day of the virtual Software Quality Risk Scoring Workshop.
View Event

NASA Software Assurance Program Goals

  1. Provide risk-based performance requirements that provide flexibility for the project Software Assurance and Software Safety activities.
  2. Improve the risk, issue and finding reporting from the NASA Software Assurance and Software Safety organizations.
  3. Add value for Software Assurance and Software Safety activities and demonstrate the importance of the NASA Software Assurance activities.
  4. Provide standard tools and services for Software Assurances activities on projects.
  5. Provide measurable Software Assurance process improvement.
  6. Improve the use of data and metrics on all NASA Software Assurance activities.
  7. Focus Software Assurance activities on known software issues, including targeting Software Assurance and Software Safety research activities.
  8. Develop more efficient and automated methods for Software Assurance activities.
  9. Establish a Software Assurance services and tool sharing capability.
  10. Improve Software Assurance training and training requirements in the Safety and Mission Assurance Technical Excellence Program and across the agency.

IV&V Program

NASA’s Independent Verification and Validation (IV&V) Program provides assurance that safety- and mission-critical systems and software will operate reliably, safely and securely. The NASA IV&V Program's primary location is the Katherine Johnson IV&V Facility in Fairmont, West Virginia. The IV&V Program provides the following services:

  • System and Software Assurance: Full life cycle IV&V and independent assessments for NASA’s highest profile missions. IV&V leads to higher quality products, reduced risk, greater insight, reduced cost and knowledge transfer.
  • Safety and Mission Assurance (SMA) Support: Support across the agency, in-line with the development project. Hazard Analysis, Software Assurance plan development, and standards development and evaluation.
  • Mission Protection Services: Vulnerability assessment and authorization, end-to-end full life cycle security risk assessment, FedRAMP 3PAO (cloud) services, security training, and security testing (penetration testing, code analysis and vulnerability scanning).
  • Software Development, Testing and Research: Independent testing, automation and virtualization enabled through IV&V’s Jon McBride Software Testing and Research Laboratory.
IV&V Program

Learning

Launch SATERN My STEP STEP Software Assurance Curriculum Guide 

SATERN Courses

Course Title Course Number Buttons
Intermediate Software Assurance SMA-SA-WBT-201 SMA-SA-WBT-201 Details
Introduction To Software Engineering SMA-SA-WBT-206 SMA-SA-WBT-206 Details
Intermediate Software Testing SMA-SA-WBT-301 SMA-SA-WBT-301 Details
Software Requirements, Development and Management SMA-SA-WBT-303 SMA-SA-WBT-303 Details
Software Safety For Practitioners SMA-SA-WBT-306 SMA-SA-WBT-306 Details
Software Processes and Metrics SMA-SA-WBT-402 SMA-SA-WBT-402 Details

Policy and Guidance

NASA

NASA-STD-8739.8

NASA SOFTWARE ASSURANCE AND SOFTWARE SAFETY STANDARD

The purpose of the Software Assurance and Software Safety Standard is to define the requirements to implement a systematic approach to Software Assurance, software safety, and Independent Verification and Validation (IV&V) for software created, acquired, provided, or maintained by or for NASA. The Software Assurance and Software Safety Standard provides a basis for personnel to perform software assurance, software safety, and IV&V activities consistently throughout the life of the software, that is, from its conception, through creation to operations and maintenance, and until the software is retired.

See NASA-STD-8739.8 

NASA-HDBK-2203

NASA Software Engineering Handbook

This handbook provides users and practitioners with guidance material for implementing the requirements of NPR 7150.2, NASA Software Engineering Requirements and the implementation of the NASA Software Assurance and Software Safety requirements in NASA-STD-8739.8, Software Assurance Standard. The use of this handbook is intended to provide "best-in-class" guidance for the implementation of safe and reliable software in support of NASA projects. The handbook is a key component of an agencywide plan to work toward a continuous and sustained Software Engineering and Software Assurance process and product improvement.

See NASA-HDBK-2203

Additional Guidance

Policy Title Buttons Buttons
NASA-STD-8739.8 NASA Software Assurance Standard NASA-STD-8739.8 Details See NASA-STD-8739.8
NPD 7120.4 NASA Engineering and Program/Project Management Policy NPD-7120-4 Details See NPD 7120.4
NPR 7120.5 NASA Space Flight Program and Project Management Requirements NPR-7120-5 Details See NPR 7120.5
NPR 7123.1 Systems Engineering Processes and Requirements NPR-7123-1 Details See NPR 7123.1
NPR 7150.2 Software Engineering Requirements NPR-7150-2 Details See NPR 7150.2
NASA-GB-8719.13 NASA Software Safety Guidebook NASA-GB-8719-13 Details See NASA-GB-8719.13
NASA-STD-8739.9 NASA Software Formal Inspections Standard NASA-STD-8739-9 Details See NASA-STD-8739.9
NASA-HDBK-8739.23 Complex Electronics Handbook for Assurance Professionals NASA-HDBK-8739.23 Details See NASA-HDBK-8739.23
SSP 50038 Computer-Based Control System Safety Requirements SSP 50038 Details See SSP 50038

SARP

Software Assurance Research Program

The Software Assurance Research Program (SARP) — hosted by NASA’s Independent Verification and Validation (IV&V) Program — is designed to provide NASA with greater knowledge about the Software Assurance (SA) practices, methods and tools needed to produce safe and reliable software.

SARP is designed to address fundamental SA problems in the field of software engineering, primarily as it relates to software safety, quality, IV&V, testability and reliability. It is intended to develop and transfer into practice SA technologies, methods and tools to support and improve the quality of the software produced by and for NASA, and to assist the agency in continuing its leadership in the development of safe, reliable and cost-effective software. Thus, by sponsoring forward-thinking research as well as addressing current needs, SARP helps assure that sufficient and appropriate software risk mitigation is applied to the software that controls and monitors NASA’s systems.

In Fiscal Year 2021, SARP is sponsoring four research projects aimed to benefit Software Assurance processes across the agency:

  1. Augmenting Requirement Analysis Tool with Artificial Intelligence
  2. Dependency Structure Matrix CAP Integration
  3. Advancing the Requirements Review Approach with NLP
  4. Software Defect Proneness: Discovering the Metrics that Matter Most

Visit SARP Website Visit SARP NEN Website