With the increasing demand for software capabilities in both business and government operations, building trustworthy software is critical for the success of all organizations. However, the growth of the internet has highlighted both malicious and unintentional threats by providing endless points of attack that threaten the dependency of software running on the network for distributed applications.
Sponsored by the UK Trustworthy Software Initiative, this document provides consensus for software trustworthiness, either as a stand-alone document or as a companion to other relevant standards.
The specification identifies five aspects of software trustworthiness: safety, reliability, availability, resilience and security. This set of principles and techniques for any software implementation needs to be suited to the context and intended use.
It describes a widely applicable approach to achieving software trustworthiness, which is based on the following concepts:
- Governance. Before producing or using any software which has a trustworthiness requirement, an appropriate set of governance and management measures shall be set up
- Risk assessment. The risk assessment process involves considering the set of assets to be protected, the nature of the adversities that may be faced, and the way in which the software may be susceptible to such adversities
- Control application. Risk shall be managed through the treatment of risk by the application of appropriate personnel, physical, procedural and technical controls
- Compliance. A compliance regime shall be set up to ensure that creators and users of software have implemented governance, risk and control decisions.
In conjunction with methodologies such as TickITplus, a UK scheme that embraces quality management across IT in the form of a capability maturity method, and other similar frameworks, PAS 754 provides a foundation for software trustworthiness within organizations.
2 Normative references
3 Terms, definitions and acronyms
Annex A (informative) PAS 754 in the system life cycle
Annex B (informative) Techniques for delivery of PAS 754 requirements
List of figures
Figure 1 – Facets of trustworthiness
Figure 2 – Aspects of trustworthiness
Figure 3 – Trustworthy software framework
Figure 4 – PDCA cycle
Figure 5 – Use during life cycle
Figure 6 – Trustworthiness level matrix
Figure 7 – Deployment model
Figure A.1 – PAS 754 in the system life cycle
List of tables
Table B.1 – Techniques for delivery of PAS 754 requirements