In an October 2010 article, Mark Weatherford, vice president and chief security officer at NERC, was quoted as saying, “Addressing Stuxnet goes beyond using quality security controls. The industry needs to demand higher quality software that is free from defects.” The increased vulnerability of automation products due to software complexity, coupled with the emerging threat posed by viruses like Stuxnet, makes it easy to see why end-users are calling for suppliers to focus on software assurance, particularly in products used in safety-critical and security-critical applications. Fortunately, many automation system suppliers have already modified their processes to incorporate security into their software development life cycle (SDLC). However, the level of integration and rigor with which it is applied can vary dramatically, leaving operators of industrial facilities wondering about the inherent security of their products.