Spacecraft are assets of very high tangible and intangible value which embed, are operated through and are controlled by a large number of software systems. These software systems play a critical role in the operation of these assets as well as in timely service provision and data distribution. In Europe, the ever increasing number of European Space Agency (ESA) programmes, in particular those in which the European Union is involved and which carry stringent security requirements, e.g. Galileo, Copernicus and Space Situational Awareness, demands greater attention to secure software engineering than ever before. Ensuring application security is therefore becoming a mandatory requirement for ESA. Such an approach is essential for the benefit of current and future programmes and should be embedded as an integral part of the software development lifecycle. In 2013, ESA started an Agency-internal activity on Secure Software Engineering (SSE) with the participation of several ESA directorates and projects. The main objective of this activity has been to standardise secure software engineering processes on top of the existing European Cooperation for Space Standardisation (ECSS) software engineering and product assurance standards, and to provide practical guidance to ESA software engineering practitioners in support of effective and efficient implementation of these SSE practices and processes. The standard has been developed first for internal use within ESA, with the plan to evolve it to ECSS level.
The main outputs of this activity are several documents: 1) a Secure Software Engineering Gap Analysis Technical Note that documents the gaps found between the ECSS standards and secure software and systems engineering best practices; 2) an Internal Secure Software Engineering Standard that specifies and formalises secure software engineering processes on the basis of the ECSS E-40 (software engineering) and Q-80 (software product assurance) standards; 3) an Internal Secure Software Engineering Handbook of guidelines for implementing the standard; 4) a Glossary of Secure Software Engineering Terms; and 5) a Baseline Catalogue of Security Requirements that contains security requirements to be used during the security requirements specification process as defined in the standard. This paper provides a descriptive overview of the secure software engineering standard and also outlines the supporting guidance available in the handbook and the catalogue of security requirements.