Software security assurance (SSA) is a process for building security into software design with the goal of addressing security needs from the ground up. It is highly transparent in nature, assuring software purchasers of a developer's commitment to security, and involves considering security at every step of the software design, build, and implementation process. In addition, it addresses ongoing and evolving security issues as the software is used in the wild.
When developers begin discussing a new piece of software or a significant upgrade, they evaluate the security needs. They consider the kinds of tasks the software is designed for, along with the type of data it will handle. These functions are carefully picked apart to see what kind of security vulnerabilities may be present. For example, a company designing software for management of photos that interfaces with the Internet would need to consider the obvious vulnerabilities to the software and the computer system involved in making an Internet connection.
As developers begin to code the software, they can build security features into it. Addressing security organically throughout the development process is considered by some to be a more stable and reliable method for managing security needs, in contrast with patching in security at the end. As the software is tested, the developer pushes the boundaries of the security to identify weak points with the goal of fixing these before the software is released. In the ongoing process of creating software patches and updates, the company also evaluates changing security needs to keep customers safe and confident.
Software security assurance can require specialty services from software designers who have training in security issues and can work with the rest of the team to design and implement security measures. In software security assurance, the goal is to strike a balance, providing enough security to make the software safe without creating nuisances like overly aggressive security. Overkill measures can result in user frustration, leading people to turn off, disable, or ignore the security aspects of the software.
Every developer has a different approach to software security assurance. Companies usually provide information to their customers about some of the steps in the process to make people feel comfortable without revealing important security secrets to hackers and others who might exploit them. Often, a statement on software security assurance can be found on a developer's website and in promotional literature about a company and the products it offers.