Software Assurance Tools

Software Assurance deals with making sure that software acts as it was intended and is free from vulnerabilities. Too often these days, our software is distributed while it is still filled with undiscovered flaws that attackers may be able to use to penetrate our systems. It is far more cost effective to spend the time and effort finding the exploitable flaws in software early in the development process, rather than waiting until the attackers expose the flaws and we spend time and effort reacting to incidents.

In order to consistently find and correct software flaws with a high level of confidence, a methodology is needed. Fortunately, there are some good tools available to help with this:

  • CWE (from Mitre) – the Common Weakness Enumeration
    • A unified, measurable set of software weakness types
    • Provides a common baseline for identifying weaknesses and preventing them
    • CWE/SANS Top 25 Most Dangerous Software Errors
  • OWASP (The Open Web Application Security Project)
  • BSIMM (The Building Security In Maturity Model)

    The Building Security In Maturity Model (BSIMM, pronounced “bee simm”) is designed to help you understand, measure, and plan a software security initiative. The BSIMM was created by observing and analyzing real-world data from thirty leading software security initiatives. The BSIMM can help you determine how your organization compares to other real-world software security initiatives and what steps can be taken to make your approach more effective.

  • SAMATE (from DHS/NIST – Software Assurance Metrics And Tool Evaluation)

    Welcome to the NIST SAMATE project. This is sponsored by the U.S. Department of Homeland Security (DHS) National Cyber Security Division and NIST.

    This project supports the DHS Software Assurance Tools and R&D Requirements Identification Program. The objective of part 3, Technology (Tools and Requirements) is the identification, enhancement and development of software assurance tools. NIST is leading in (A) testing software evaluation tools, (B) measuring the effectiveness of tools, and (C) identifying gaps in tools and methods. Introduction to SAMATE has more details.
