Software Assurance Metrics and Tool Evaluation
نویسنده
چکیده
The U.S. National Institute of Standards and Technology (NIST) is starting two ambitious projects to (1) develop a taxonomy of software security flaws and vulnerabilities, (2) develop a taxonomy of software assurance (SA) functions and techniques which detect those flaws, (3) perform and maintain a survey of SA tools implementing the functions, (4) develop testable specifications of SA functions and explicit tests, include a standard reference dataset, to evaluate how closely tools implement the functions, and (5) lead efforts to develop metrics for the effectiveness of those functions. The end result is that users will be able to choose a combination of techniques which best suits their needs and will be able to state how much confidence they have in software which has been assessed. This paper details these two projects and presents our justifications and expectations.
منابع مشابه
SAMATE and Evaluating Static Analysis Tools
We give some background on the Software Assurance Metrics And Tool Evaluation (SAMATE) project and our decision to work on static source code security analyzers. We give our experience bringing government, vendors, and users together to develop a specification and tests to evaluate such analyzers. We also present preliminary results of our study on whether such tools reduce vulnerabilities in p...
متن کاملEmpirical Evaluation and Review of a Metrics-Based Approach for Use Case Verification
In this article, an empirical evaluation and review of some metrics–based verification heuristics for use cases are presented. This evaluation is based on empirical data collected from requirements documents developed by Software Engineering students at the University of Seville using REM, a free XML–based requirements management tool developed by one of the authors. The analysis of the empiric...
متن کاملImpact of Code Complexity On Software Analysis
The Software Assurance Metrics and Tool Evaluation (SAMATE) team studied thousands of warnings from static analyzers. Tools have difficulty distinguishing between the absence of a weakness and the presence of a weakness that is buried in otherwise-irrelevant code elements. This paper presents classes of these code elements, which we call “code complexities.” They have been present in software a...
متن کاملComponent-Based Software Engineering: Technologies, Quality Assurance Schemes, and Risk Analysis Tools
Component-based software development approach is based on the idea to develop software systems by selecting appropriate off-the-shelf components and then to assemble them with a well-defined software architecture. Because the new software development paradigm is much different from the traditional approach, quality assurance (QA) for component-based software development is a new topic in the so...
متن کاملSoftware Quality in the Objectory Process
In this paper we discuss how software quality assurance is realized in Rational Objectory. Although much support is given through guidelines and checkpoints, the tool fails to provide clear goals and metrics for quality assessments and it only partially supports the phases in a measurement program.
متن کامل