TSI – Introduction

TSILogoThe Trustworthy Software Initiative – An Introduction

It is intuitively obvious that virtually every aspect of our lives is now touched by information technology running a diverse range of software. The trend to embedded software in complex control systems through to everyday items is accelerating and all of these applications depend on the smooth and reliable operation of software….unfortunately despite this growth in software use there has not been a significant improvement in software quality.

The 2014 Trustwave Global Security Report highlighted application vulnerability by identifying that 96% of the applications Trustwave scanned harboured one or more security vulnerabilities and 100% of the mobile applications tested contained at least one vulnerability….and 71% of compromised victims did not detect the breach themselves.

The root cause of many cybersecurity problems is untrustworthy software, caused by vulnerabilities related to safety, reliability, availability, resilience and security. The Trustworthy Software Initiative (TSI) raises awareness of the dangers of untrustworthy software and provides the tools, techniques and information on software engineering good practice in order to deliver software that addresses these issues.

The UK Governments National Cyber Security Programme (NCSP) is sponsoring the TSI to provide tools, techniques and guidance in training both the future and current workforce in the production, supply and procurement of Trustworthy Software with the objective of ‘Making Software Better’. Guidance for this initiative is provided by the Department for Business Innovation and Skills (BIS), the Centre for the Protection of the National Infrastructure (CPNI) and private sector organisations via a Stakeholder Advisory Group (SAG). The TSI has captured and collated a body of existing guidance, relevant standards and best practices as its Trustworthy Software Framework (TSF) and is working with professional bodies, particularly the Institution of Engineering and Technology (IET), the British Computer Society (BCS) and the Institution of Analysts and Programmers (IAP) to provide education and training collateral to enable trustworthy systems to flourish. This ‘experience’ has been used to produce an initial undergraduate training module being led by the Cyber Security Centre, Warwick Manufacturing Group (WMG) at the University of Warwick under the direction of Professor Tim Watson.

The TSI is a UK Public Good initiative aimed at ‘making software better’ and its mission is to ‘…enhance the overall software and systems culture, with the objective that software should be designed, implemented and maintained in a trustworthy manner…’. The initiative has three major strands of work: development of the Trustworthy Software Framework (TSF) as a consolidated body of knowledge reflecting good practice in software engineering processes; creating educational material for use initially at undergraduate level, but ultimately across the full educational spectrum; promoting awareness of software engineering good practice and aligning it with formal standards and supplier verification.

Much of the initiative’s activity to date has focused on the development of the TSF which provides a domain and implementation agnostic way to reference the large existing body of knowledge by providing a consensus collation of good practices and standards for software trustworthiness. The TSF has been built as a layered repository with increasing levels of detail. At the top level it introduces concepts, the next level addresses principles, the third level encompasses techniques and the fourth level is a repository for methods, citations and data sharing. This framework is embodied in the British Standards Institute (BSI) Publically Available Specification (PAS) 754:2014 Software Trustworthiness Governance and Management Specification. This framework/specification should help organisations who are procuring, supplying or using software to identify relevant good practices and standards.

The Training, Education and Awareness (TEA) team developing the educational material have so far developed and tested a one hour introductory lecture which has been delivered to students on Computer Science and related courses. The aim of this lecture is to explain the need for, and relevance of, trustworthy software and is targeted at the top level of the TSF. Further work is now underway to produce educational material covering the second and third levels of the TSF.

The awareness work undertaken by the TSI programme has encompasses a broad range of stakeholders, including software suppliers, procurement teams and those specifying new software. For example, UK central government departments are developing a standard contract for the purchase of services, including the development, operation and maintenance of software. Officials developing this contract have been briefed on the TSI’s work and are planning to incorporate relevant provisions in the contract. The TSI has also been working with relevant professional bodies with a view to encouraging individuals who are applying for professional registration to understand or apply software trustworthiness to their work. Whilst these individuals may not be writing software they may be using software-based tools for analysis, modelling or design and they should, therefore, be seeking assurance as to the trustworthiness of the tools they are using. As part of this work the team is also looking for appropriate means of encouraging suppliers to seek verification of the quality of their software engineering practices, for example, as part of the TickITPlus scheme.

Given our dependence on software in virtually all aspects of our lives, its trustworthy operation is increasingly important to protect our safety, security and wellbeing. The UK Government has recognised this and launched the TSI as part of the National Cyber Security Programme. The Minister for the Cabinet Office stated in December 2012 ‘…we support and fund the Trustworthy Software Initiative, which aims to improve cyber security by making software more secure, dependable and reliable and to educate on why trustworthy software is important…’. In June 2014, at the launch of BSI PAS754, the Minister of State for Universities and Science stated ‘…the Trustworthy Software Initiative will help UK companies select the most secure dependable and reliable software for their needs as well as providing them with the skills to use it effectively…’.

Untrustworthy software can have serious impacts on our lives such as: leaking personal information and putting us at risk of identity theft; it can lead to errors in calculations causing economic or financial damage; it can also result in systems failures putting lives and the environment at risk. The TSI has developed the Trustworthy Software Framework, a collation of software engineering best practice, which forms the basis of BSI PAS754. By adopting and applying this Framework/Standard we can significantly improve the trustworthiness of the software that affects our daily lives and make the UK a better place to live and do business with.

Stephen Newman, BA(Hons), DMS, MSc, CEng, FIET

TSI Vice President (VP) Software

Trustworthy Software Initiative (TSI)