In the corporate world, bits mean money, and as the Department of Defense (DoD) becomes more and more reliant on net-centric warfare, bits mean national security. Software security threats are very real, as demonstrated by the constant barrage of Internet viruses, worms, Trojans, and hackers seeking to exploit the latest vulnerability. Most organizations focus their resources on reactive defenses such as firewalls, antivirus software, and encryption, however as demonstrated by the numerous attacks that are successful, those post facto measures are not enough to stop the bleeding. The DoD defines software assurance (SwA) as the level of confidence that software functions as intended and is free of vulnerabilities, either intentionally or unintentionally designed or inserted as part of the software. SwA focuses on baking in security versus bolting it on afterwards. The Department of Homeland Security and DoD each have had SwA programs for a few years; however the Air Force (AF) just recently formed the Application Software Assurance Center of Excellence at Maxwell AFB-Gunter Annex, AL. This research seeks to identify common issues that present challenges to the development of secure software and best practices that the AF could adopt as it proactively begins to heal the SwA problem
