References
24
Incorporating SwA into DoD Acquisition Contracts – Working Paper Nov 15, 2017
Distribution Statement A: Approved for public release. Distribution is unlimited.
[14] Defense Acquisition Guidebook Chapter 9, “Program Protection,” August 21, 2017. https://www.dau.mil/tools/dag
[15] Institute for Defense Analyses (IDA), State-of-the-Art Resources (SOAR) for Software Vulnerability Detection, Test, and Evaluation, 2016. https://www.acq.osd.mil/se/docs/P-8005-SOAR-2016.pdf
[16] Common Weakness Enumeration (CWE™) - A Community-Developed Dictionary of Software Weakness Types, used to examine software architectures, designs, and source code for weaknesses. http://cwe.mitre.org/
Targeted to developers and security practitioners, CWE is a formal list or dictionary of common software weaknesses created to serve as a common language for describing software security weaknesses in architecture, design, or code; to serve as a standard measuring stick for software security tools targeting these weaknesses; and to provide a common baseline standard for weakness identification, mitigation, and prevention efforts.
[17] ITU-T Telecommunication Standardization Sector of ITU, X.1524, Series X: Data Networks, Open System Communications and Security, Cybersecurity information exchange – Event/incident/heuristics exchange, Common weakness enumeration, March 2012. http://www.itu.int/rec/T-REC-X.1524-201203-I/
[18] CWE/SANS Top 25 Most Dangerous Software Errors. http://cwe.mitre.org/top25/
The Top 25 is a consensus list of the most significant software errors that can lead to serious software vulnerabilities. The errors are dangerous because they frequently allow attackers to completely take over the software, steal data, or prevent the software from working at all. The Top 25 is the result of collaboration between the SANS Institute, MITRE, and many top software security experts in the US and Europe, and leverages experience from the development of the SANS Top 20 attack vectors and MITRE’s CWE.
[19] Common Vulnerabilities and Exposures (CVE®) - The Standard for Information Security Vulnerability Names. http://cve.mitre.org/
International in scope and free for public use, CVE is a dictionary of publicly known information security vulnerabilities and exposures. CVE’s common identifiers enable data exchange between security products and provide a baseline index point for evaluating coverage of tools and services.
[20] ITU-T Telecommunication Standardization Sector of ITU, X.1520, Series X: Data Networks, Open System Communications and Security, Cybersecurity information exchange – Event/incident/heuristics exchange, Common vulnerabilities and exposures, January 2014. http://www.itu.int/rec/T-REC-X.1520-201401-I
[21] Lawrence B. Levy and Suzanne Y. Bell, “Software Product Liability: Understanding and Minimizing the Risks,” Berkeley Technology Law Journal (BTLJ), Volume 5, Issue 1, 1990. http://btlj.org/1990/05/26/volume-5-issue-1-spring-1990/
[22] Michael D. Scott, “Tort Liability for Vendors of Insecure Software: Has the Time Finally Come?” 67 Md. L. Rev. 425, 2008. http://digitalcommons.law.umaryland.edu/mlr/vol67/iss2/5
[23] AFLCMC/EZC – Engineering Model RFP Language, Hanscom Air Force Base, MA, November 2012.
[24] Director, Defense Procurement and Acquisition Policy, OUSD(AT&L), Department of Defense COR Handbook. Director, Defense Procurement and Acquisition Policy, OUSD(AT&L), March 22, 2012. https://www.acq.osd.mil/dpap/cpic/cp/docs/USA001390-12_DoD_COR_Handbook_Signed.pdf