SAMATE (Software Assurance Metrics And Tool Evaluation) Project Overview. Tim Boland NIST May 29,
|
|
- Rolf Perry
- 6 years ago
- Views:
Transcription
1 SAMATE (Software Assurance Metrics And Tool Evaluation) Project Overview Tim Boland NIST May 29,
2 NationaI Institute of Standards and Technology (NIST) NIST, an agency of the U.S. Department of Commerce, researches measurement science, standards, and technology 2
3 Presentation Order: Introduction to SAMATE/Software Assurance SAMATE Sub-Projects/Activities Present and Past Next Steps (Towards a Science of Weakness Measurement) Disclaimer any products/companies mentioned are for information only no endorsement implied 3
4 Background -Need for Software Assurance Society depends more and more on software Ad-hoc fixes are not enough Software must be engineered to have desired properties, and assurance is needed that software has those properties 4
5 Software Assurance Software assurance involves confidence that software is free from vulnerabilities and conforms to standards/policies/procedures Software assurance comes from three sources: process, analysis, and execution 5
6 Does This Violate Software Assurance? 6
7 SAMATE Goals improving software assurance by developing materials, specifications, and methods to test tools/techniques and measure their effectiveness supporting trustworthiness no vulnerabilities exist, either of malicious or unintentional origin supporting predictable execution -justifiable confidence that software, when executed, functions as intended 7
8 A SAMATE Approach Develop a specification Come up with test plan Set minimum bar for software 8
9 Relevant Definitions Failures: caused by defects (faults, bugs) in executing code, or by environmental conditions Vulnerability:result of one/more weaknesses in requirements, design, implementation, or operation whether a weakness is a vulnerability may depend on how software is used 9
10 Some Current SAMATE Sub- Projects/Activities Static Analysis Tool Exposition (SATE) SAMATE Reference Dataset (SRD) Precisely define some Common Weakness Enumeration (CWE) entries accurately (CWE Formalization) CWE compatibility/effectiveness studies 10
11 What is a Static Analysis Tool? 11
12 Definitions Relevant to Static Analysis Tools Warning:issue (usually, a weakness) identified by a tool (Tool) report: the output from a single run of a tool on a test case a tool report consists of warnings 12
13 Static Analysis Tool Exposition (SATE) Enable empirical research based on large test sets Encourage improvement of tools Speed adoption of tools by objectively demonstrating their use on real software NOT to choose the best tool Focus is on security issues (exploring the following characteristics of tools: relevance of warnings to security, their correctness, and prioritization ) Four SATEs: 2008, 2009, 2010, and 2011/12 13
14 SATE Steps Hold organizing workshop Test sets with security implications chosen by NIST and provided to participants Participants run tools on these test sets and return reports NIST analyzes returned tool reports (also experts analyze one program) Experience/Observations Shared at Workshop Final report/data released afterwards 14
15 Current SATE Activities Languages are C/C++, Java, and PHP Common Vulnerability Enumeration (CVE) -based programs chosen for analysis - Warning Subset Analysis Introduction of Synthetic Test Cases Reporting Format SATE 2008, 2009, 2010 reports available SATE IV is being completed 15
16 Future SATE Activities Planning for Next SATE (what to change, what to include) Mining large SATE data set to extract more useful information Soliciting more tool vendors to participate 16
17 SATE IV Information Page 17
18 SAMATE Reference Dataset (SRD) Public repository for software test cases in C, C++, Java, Python, C# User can locate test cases by language, weakness, code construct, etc. Contributions from Fortify, Defence R&D Canada, Klocwork, MIT Lincoln Laboratory, Praxis, Secure Software, and others Weaknesses/complexities known in advance 18
19 More SRD Information SRD includes test suites (the most recent being the Juliet test suite) SRD may be used by static analysis and binary analysis tools, among other uses 19
20 Juliet Test Suite 59,943 small C/C++ and Java programs C/C++ programs cover 116 different CWEs, and Java programs cover 106 different CWEs In dozens of subtle variations With dozens of code complexities Synthetic test cases 20
21 SRD User Interface Example (Test Suite Link Highlighted) 21
22 Some SRD Functions Browse the complete test case repository or download test cases Find (search for) specific test cases Download test suites Information for submitting test cases Find other assurance tool test collections/datasets 22
23 SRD Search Page Example 23
24 SRD Test Case 1552 (tainted input allows arbitrary files to be read or written re: CWE-417) 24
25 Future SRD Activities Encourage inclusion of more test cases/test suites Characterize/sort test cases re: investigation of certain CWEs and capabilities of tools Investigate further uses of the test cases Promote use of existing test cases 25
26 CWE Formalization Weaknesses must be defined precisely/accurately (from description summary, white-box definition) Goal of accurate/precise CWEs: demonstrate a high-bar for definitions, find out how much can be formalized (e.g., correctly perfom, intended command ), and investigate approaches for validating the definitions Link to information: 26
27 CWEs May Be Hierarchical 27
28 Classes May Interact 28
29 MITRE s CWE Compatibility and Effectiveness Program Phase 1 declare compatibility Phase 2 verify mapping to CWEs (possible support for coverage claim representation) Phase 3 test cases show effectiveness (tool/service effectively locates CWEs, deals with code complexities) NIST will help develop test cases URL: 29
30 Other SAMATE-Related Activities Voting systems Web accessibility Miscellaneous software measurement/metrics/classification research (e.g., complexities, models..) Software testing research (workshop) 30
31 NIST Workshop on Metrics and Standards for Software Testing (MaSST) In conjunction with Software Security And Reliability (SERE) June 2012 at NIST in Gaithersburg, MD URL: 31
32 Past SAMATE Sub-Projects/Activities Web application scanners Software labels Software assurance studies Assurance case research 32
33 Next Steps (Toward a Science of Weakness Measurement) Linguistics/vocabulary issues Designating weaknesses Distinguishing weaknesses Locating weaknesses Potentially useful concepts for measurement 33
34 Linguistics/Vocabulary What is a word? Orthographic word (blank-separated), lexical item, citation form (e.g., go vs. went ) Abbreviations, acronyms, contractions, clipped forms, etc. Possible International Vocabulary of Metrology (VIM) applicability? 34
35 Designating a Weakness Warning may be trivially true (e.g., strncpy() does not null terminate) Warning may be true but insignificant (e.g., possible buffer overflow while reading configuration file) Consider ease, likelihood, or impact of exploit Some warnings are difficult to decide on (e.g., divide by 0) Quality or style weaknesses (e.g., dead code) 35
36 Distinguishing Weaknesses Only 1/8 to 1/3 of weaknesses are simple (from SATE report) Weakness Classes are Related (one weakness?) (e.g., integer overflow -> buffer overflow) Data/Control Flows may be intermingled (one weakness?) Number of Weaknesses in code is ill-defined (e.g., mistakes may be repeated..) 36
37 Example of Tangled Flows (2 sources, 2 sinks, 4 paths) (from Nagios) 37
38 Locating Weaknesses Data/control flow issues (interacting statements) Location of missing feature (code omission) (e.g. failure to invalidate credentials, not logging all transactions..) Which statement should be reported (not obvious source? sink?) 38
39 Possible Useful Concepts for Measurement of Weaknesses Source/sink, source-to-sink graph Location to fix Flow Weakness Instance/Class Vulnerability Attack Fault Error Data or Control Path 39
40 40
41 Other SAMATE Resources from Web sites and resources list Bibliography SAMATE publications list 41
42 How to Participate in SAMATE SAMATE mailing list web site is (please become a member) General samate@nist.gov Contributions/collaboration welcomed Technical Advisory Panel 42
Evaluating Bug Finders
Evaluating Bug Finders Test and Measurement of Static Code Analyzers Aurelien DELAITRE Bertrand STIVALET http://samate.nist.gov ICSE - COUFLESS 2015 May 23, 2015 Authors Aurelien DELAITRE West Virginia
More informationLarge Scale Generation of Complex and Faulty PHP Test Cases
Large Scale Generation of Complex and Faulty PHP Test Cases Bertrand STIVALET Elizabeth FONG ICST 2016 Chicago, IL, USA April 15th, 2016 http://samate.nist.gov Authors Bertrand STIVALET National Institute
More informationOpportunities and Obstacles to Using Static Analysis for the Development of Safety-Critical Software
Copyright 2006 Rockwell Collins, Inc. All right reserved. Opportunities and Obstacles to Using Static Analysis for the Development of Safety-Critical Software Safety-Critical Business Case FAA: use of
More informationCertification Report
Certification Report Standard Edition v2.8.2 RELEASE Issued by: Communications Security Establishment Canada Certification Body Canadian Common Criteria Evaluation and Certification Scheme Government of
More informationLarge Scale Generation of Complex and Faulty PHP Test Cases
Large Scale Generation of Complex and Faulty PHP Test Cases Bertrand Stivalet, Elizabeth Fong Software and Systems Divison, National Institute of Standards and Technology Gaithersburg, MD, 20899, USA {bertrand.stivalet,
More informationBest Practices Process & Technology. Sachin Dhiman, Senior Technical Consultant, LDRA
Best Practices Process & Technology Sachin Dhiman, Senior Technical Consultant, LDRA Best Quality Software Product Requirements Design Coding Testing 2 Product Requirement Feature Requirement Security
More informationUsing Static Code Analysis to Find Bugs Before They Become Failures
Using Static Code Analysis to Find Bugs Before They Become Failures Presented by Brian Walker Senior Software Engineer, Video Product Line, Tektronix, Inc. Pacific Northwest Software Quality Conference,
More informationUse of the Common Vulnerabilities and Exposures (CVE) Vulnerability Naming Scheme
NIST Special Publication 800-51 Use of the Common Vulnerabilities and Exposures (CVE) Vulnerability Naming Scheme Recommendations of the National Institute of Standards and Technology Peter Mell Tim Grance
More informationSecurity Issues Formalization
Security Issues Formalization V. T. Dimitrov University of Sofia, Faculty of Mathematics and Informatics, 5 James Bourchier Blvd, 1164, Sofia, Bulgaria E-mail: cht@fmi.uni-sofia.bg Software bugs are primary
More informationSecure Programming Lecture 13: Static Analysis
Secure Programming Lecture 13: Static Analysis David Aspinall 10th March 2014 Outline Overview Vulnerabilities and analysis Using static analysis Simple static analysis tasks Type checking Style checking
More informationVulnerabilities and analysis. Simple static analysis tasks Type checking Style checking
Outline Recap Secure Programming Lecture 13: Static Analysis David Aspinall 10th March 2014 Overview Vulnerabilities and analysis Using static analysis Simple static analysis tasks Type checking Style
More informationSoftware Security and CISQ. Dr. Bill Curtis Executive Director
Software Security and CISQ Dr. Bill Curtis Executive Director Why Measure IT Applications? Six Digit Defects now affect Board of Directors CEO, COO, CFO Business VPs Corporate Auditors CIO accountable
More informationSoftware Assurance Metrics And Tool Evaluation (SAMATE) Overview
American Society for Quality (ASQ) Washington, DC & Maryland Metro Section (509), Software Special Interest Group (SSIG) IEEE Computer Society Washington, DC & Northern Virginia Chapters Society for Software
More informationProgramming Language Vulnerabilities within the ISO/IEC Standardization Community
Programming Language Vulnerabilities within the ISO/IEC Standardization Community Stephen Michell International Convenor JTC 1/SC 22 WG 23 Programming Language Vulnerabilities stephen.michell@maurya.on.ca
More informationBuilding an Assurance Foundation for 21 st Century Information Systems and Networks
Building an Assurance Foundation for 21 st Century Information Systems and Networks The Role of IT Security Standards, Metrics, and Assessment Programs Dr. Ron Ross National Information Assurance Partnership
More informationNational Information Assurance Partnership. Validation Report
National Information Assurance Partnership TM Common Criteria Evaluation and Validation Scheme Validation Report Xerox Corporation Xerox CopyCentre C2128/C2636/C3545 Copier and WorkCentre Pro C2128/C2636/C3545
More informationNational Information Assurance Partnership. Common Criteria Evaluation and Validation Scheme. Validation Report. for
National Information Assurance Partnership Common Criteria Evaluation and Validation Scheme Validation Report for Microsoft Windows 10 Anniversary Update IPsec VPN Client TM Report Number: CCEVS-VR-VID10753-2016
More informationSupply Chain Information Exchange: Non-conforming & Authentic Components
Supply Chain Information Exchange: Non-conforming & Authentic Components Joe Jarzombek Director for Software and Supply Chain Assurance Stakeholder Engagement & Cyber Infrastructure Resilience Agenda Purpose
More informationNational Information Assurance Partnership. Common Criteria Evaluation and Validation Scheme. Validation Report. for
National Information Assurance Partnership Common Criteria Evaluation and Validation Scheme TM Validation Report for Report Number: CCEVS-VR-10746-2016 Dated: November 10, 2016 Version: 1.0 National Institute
More informationDon t Be the Developer Whose Rocket Crashes on Lift off LDRA Ltd
Don t Be the Developer Whose Rocket Crashes on Lift off 2015 LDRA Ltd Cost of Software Defects Consider the European Space Agency s Ariane 5 flight 501 on Tuesday, June 4 1996 Due to an error in the software
More informationCertification Report
Certification Report EAL 3+ Evaluation of Juniper Networks M-Series Multiservice Edge Routers, MX-Series 3D Universal Edge Routers, T-Series Core Routers and EX-Series Ethernet Switches running JUNOS 11.4R2
More informationCertification Report
Certification Report Issued by: Communications Security Establishment Canada Certification Body Canadian Common Criteria Evaluation and Certification Scheme Government of Canada, Communications Security
More informationClabureDB: Classified Bug-Reports Database
ClabureDB: Classified Bug-Reports Database Tool for developers of program analysis tools Jiri Slaby, Jan Strejček, and Marek Trtík Faculty of Informatics, Masaryk University Botanická 68a, 60200 Brno,
More informationSecure Programming Lecture 13: Code Review and Static Analysis
Secure Programming Lecture 13: Code Review and Static Analysis David Aspinall 4th March 2016 Outline Overview Vulnerabilities and analysis Using static analysis Simple static analysis tasks Type checking
More information정형기법을활용한 AUTOSAR SWC 의구현확인및정적분석
정형기법을활용한 AUTOSAR SWC 의구현확인및정적분석 Develop high quality embedded software 이영준 Principal Application Engineer 2015 The MathWorks, Inc. 1 Agendas Unit-proving of AUTOSAR Component and Runtime error Secure Coding
More informationTrustworthy Information Systems Program
Trustworthy Information Systems Program Joint Meeting of ASQ Software SIG, SSQ, SSIG/IEEE Computer Society 24 June 2008 Tom Rhodes, PM, TIS Program National Institute of Standards and Technology Information
More informationUnforgivable Vulnerabilities Steve Christey The MITRE Corporation August 2, 2007
Unforgivable Vulnerabilities Steve Christey The MITRE Corporation August 2, 2007 Introduction Vulnerabilities are a fact of life Many vulnerabilities simply shouldn t be in software anymore Everything
More informationSecure Programming Techniques
Secure Programming Techniques Meelis ROOS mroos@ut.ee Institute of Computer Science Tartu University spring 2014 Course outline Introduction General principles Code auditing C/C++ Web SQL Injection PHP
More informationCertification Report
Certification Report EAL 4+ Evaluation of WatchGuard and Fireware XTM Operating System v11.5.1 Issued by: Communications Security Establishment Canada Certification Body Canadian Common Criteria Evaluation
More informationNational Information Assurance Partnership. Common Criteria Evaluation and Validation Scheme Validation Report
National Information Assurance Partnership TM Common Criteria Evaluation and Validation Scheme Validation Report Blue Ridge Networks BorderGuard Centrally Managed Embedded PKI Virtual Private Network (VPN)
More informationSecure Development Lifecycle
Secure Development Lifecycle Strengthening Cisco Products The Cisco Secure Development Lifecycle (SDL) is a repeatable and measurable process designed to increase Cisco product resiliency and trustworthiness.
More informationDetermining the Fundamental Basis of Software Vulnerabilities. Larry Wagoner NSA
Determining the Fundamental Basis of Software Vulnerabilities Larry Wagoner NSA Agenda Background Analogous background Matt Bishop work CWEs Tool reporting of CWEs KDM Analytics Determining the fundamental
More informationRanking Vulnerability for Web Application based on Severity Ratings Analysis
Ranking Vulnerability for Web Application based on Severity Ratings Analysis Nitish Kumar #1, Kumar Rajnish #2 Anil Kumar #3 1,2,3 Department of Computer Science & Engineering, Birla Institute of Technology,
More informationCertification Report
Certification Report EAL 4+ Evaluation of Firewall Enterprise v8.2.0 and Firewall Enterprise Control Center v5.2.0 Issued by: Communications Security Establishment Canada Certification Body Canadian Common
More informationSafeRiver SME. Added Value Solutions for Embedded Systems. Tools for FuSa and Software Security. Packaged Services. CIR agreed
SafeRiver SME Independent- founded december 2005 18 consultants highly skilled in Software and Formal methods Turnover 2015: 1,5M (excluding R&D public fundings) Added Value Solutions for Embedded Systems
More informationSynology Security Whitepaper
Synology Security Whitepaper 1 Table of Contents Introduction 3 Security Policy 4 DiskStation Manager Life Cycle Severity Ratings Standards Security Program 10 Product Security Incident Response Team Bounty
More informationTaking White Hats to the Laundry: How to Strengthen Testing in Common Criteria
Taking White Hats to the Laundry: How to Strengthen Testing in Common Criteria Apostol Vassilev, Principal Consultant September 23,2009. Product Testing in Common Criteria Product Testing in Common Criteria
More informationNational Information Assurance Partnership
National Information Assurance Partnership TM Common Criteria Evaluation and Validation Scheme Validation Report Report Number: CCEVS-VR-06-0023 Dated: 28 April 2006 Version: 1.0 National Institute of
More informationNational Information Assurance Partnership. Common Criteria Evaluation and Validation Scheme Validation Report
National Information Assurance Partnership TM Common Criteria Evaluation and Validation Scheme Validation Report IEEE IEEE 2600.1-2009 Report Number: CCEVS-VR-10340 Dated: 2009-06-09 Version: 2.0 National
More informationStatic analysis of PHP applications
Static analysis of PHP applications Ondřej Šerý DISTRIBUTED SYSTEMS RESEARCH GROUP http://dsrg.mff.cuni.cz CHARLES UNIVERSITY PRAGUE Faculty of Mathematics and Physics References G. Wassermann, Z. Su:
More informationNational Information Assurance Partnership. Common Criteria Evaluation and Validation Scheme Validation Report
National Information Assurance Partnership Common Criteria Evaluation and Validation Scheme Validation Report TM QRadar V5.1.2 Report Number: Dated: January 26, 2007 Version: 1.1 National Institute of
More informationDetecting and exploiting integer overflows
Detecting and exploiting integer overflows Guillaume TOURON Laboratoire Verimag, Ensimag - Grenoble INP Marie-Laure Potet, Laurent Mounier 20/05/11 1 / 18 Context Binary representation Integers misinterpretation
More informationCertification Report
Certification Report EAL 2+ Evaluation of Verdasys Issued by: Communications Security Establishment Canada Certification Body Canadian Common Criteria Evaluation and Certification Scheme Government of
More informationCertification Report
Certification Report EAL 2+ Evaluation of Netsight/Network Access Control v3.2.2 Issued by: Communications Security Establishment Canada Certification Body Canadian Common Criteria Evaluation and Certification
More informationCertification Report
Certification Report EAL 4+ Evaluation of High Security Labs Secure DVI KVM Switch, Secure KM Switch and Secure KVM Combiner Issued by: Communications Security Establishment Canada Certification Body Canadian
More informationEngineering Your Software For Attack
Engineering Your Software For Attack Robert A. Martin Senior Principal Engineer Cyber Security Center Center for National Security The MITRE Corporation 2013 The MITRE Corporation. All rights reserved.
More informationCertification Report
Certification Report Symantec Security Information Manager 4.8.1 Issued by: Communications Security Establishment Certification Body Canadian Common Criteria Evaluation and Certification Scheme Government
More informationCertification Report
Certification Report EAL 2+ Evaluation of McAfee Enterprise Mobility Management 9.7 Issued by: Communications Security Establishment Canada Certification Body Canadian Common Criteria Evaluation and Certification
More informationEngineering Improvement in Software Assurance: A Landscape Framework
Engineering Improvement in Software Assurance: A Landscape Framework Lisa Brownsword (presenter) Carol C. Woody, PhD Christopher J. Alberts Andrew P. Moore Agenda Terminology and Problem Scope Modeling
More informationABSTRACT SOURCE CODE REDUCTION TO SUMMARIZE FALSE POSITIVES. Matías Marenchino, Master of Science, 2015
ABSTRACT Title of dissertation: SOURCE CODE REDUCTION TO SUMMARIZE FALSE POSITIVES Matías Marenchino, Master of Science, 2015 Dissertation directed by: Professor Adam Porter Department of Computer Science
More informationCertification Report
Certification Report EAL 2+ Evaluation of McAfee Deep Defender 1.0.1 and epolicy Orchestrator 4.6.1 Issued by: Communications Security Establishment Canada Certification Body Canadian Common Criteria Evaluation
More informationNational Information Assurance Partnership. Common Criteria Evaluation and Validation Scheme Validation Report
National Information Assurance Partnership TM Common Criteria Evaluation and Validation Scheme NetScreen Technologies, Incorporated Report Number: CCEVS-VR-02-0027 Version 1.0 Dated: 30 November 2002 National
More informationOWASP 5/07/09. The OWASP Foundation OWASP Static Analysis (SA) Track Session 1: Intro to Static Analysis
Static Analysis (SA) Track Session 1: Intro to Static Analysis Eric Dalci Cigital edalci at cigital dot com 5/07/09 Copyright The Foundation Permission is granted to copy, distribute and/or modify this
More informationStatic Analysis methods and tools An industrial study. Pär Emanuelsson Ericsson AB and LiU Prof Ulf Nilsson LiU
Static Analysis methods and tools An industrial study Pär Emanuelsson Ericsson AB and LiU Prof Ulf Nilsson LiU Outline Why static analysis What is it Underlying technology Some tools (Coverity, KlocWork,
More informationCertification Report
Certification Report Issued by: Communications Security Establishment Certification Body Canadian Common Criteria Evaluation and Certification Scheme Government of Canada, Communications Security Establishment,
More informationVulnerabilities. To know your Enemy, you must become your Enemy. Information security: Vulnerabilities & attacks threats. difficult.
Vulnerabilities To know your Enemy, you must become your Enemy. "The Art of War", Sun Tzu André Zúquete Security 1 Information security: Vulnerabilities & attacks threats Discouragement measures difficult
More informationAUTOMATED PROCESSES IN COMPUTER SECURITY
AUTOMATED PROCESSES IN COMPUTER SECURITY Maroš Barabas Doctoral Degree Programme (3), FIT BUT E-mail: ibarabas@fit.vutbr.cz Supervised by: Petr Hanáček E-mail: hanacek@fit.vutbr.cz ABSTRACT This article
More informationImportant Points to Note
Important Points to Note All Participating colleges are requested to mute your telephone lines during the webinar session. Participants are requested to make note of questions / responses to questions,
More informationNational Information Assurance Partnership. Common Criteria Evaluation and Validation Scheme Validation Report
National Information Assurance Partnership TM Common Criteria Evaluation and Validation Scheme Validation Report Microsoft Corporation Windows 2000 Report Number: CCEVS-VR-02-0025 Dated: 25 October 2002
More informationChapter 5: Vulnerability Analysis
Chapter 5: Vulnerability Analysis Technology Brief Vulnerability analysis is a part of the scanning phase. In the Hacking cycle, vulnerability analysis is a major and important part. In this chapter, we
More informationONAP Security Sub-committee Update. Stephen Terrill, Donald Levey, Pierre Cose,
ONAP Security Sub-committee Update Stephen Terrill, Donald Levey, Pierre Cose, 2017-12-15 Introduction This presentation is from the ONAP security sub-committee. It covers the security aspects that have
More informationCertification Report
Certification Report Issued by: Communications Security Establishment Certification Body Canadian Common Criteria Evaluation and Certification Scheme Government of Canada, Communications Security Establishment,
More informationSecure Software Development: Theory and Practice
Secure Software Development: Theory and Practice Suman Jana MW 2:40-3:55pm 415 Schapiro [SCEP] *Some slides are borrowed from Dan Boneh and John Mitchell Software Security is a major problem! Why writing
More informationCertification Report
Certification Report EMC NetWorker v8.0.1.4 Issued by: Communications Security Establishment Canada Certification Body Canadian Common Criteria Evaluation and Certification Scheme Government of Canada,
More informationCOMMON CRITERIA CERTIFICATION REPORT
COMMON CRITERIA CERTIFICATION REPORT WorkCentre 7525/7530/7535/7545/7556 with FIPS 140-2 Compliance over SNMPv3 25 July 2016 v1.0 383-4-371 Government of Canada. This document is the property of the Government
More informationIntroduction. Background. Document: WG 14/N1619. Text for comment WFW-1 of N1618
Document: WG 14/N1619 Text for comment WFW-1 of N1618 Introduction Background An essential element of secure coding in the C programming language is a set of well-documented and enforceable coding rules.
More informationNational Information Assurance Partnership. Common Criteria Evaluation and Validation Scheme Validation Report
National Information Assurance Partnership TM Common Criteria Evaluation and Validation Scheme Validation Report Innovation Data Processing FDRERASE Version 5.4, Level 50 Report Number: CCEVS-VR-05-0109
More informationCertification Report
Certification Report Issued by: Communications Security Establishment Certification Body Canadian Common Criteria Evaluation and Certification Scheme Government of Canada, Communications Security Establishment,
More informationUsing a Vulnerability Description Ontology for vulnerability coordination
Using a Vulnerability Description Ontology for vulnerability coordination - Removing the pain of repetitive analysis of vulnerability reports - Masanobu Katagi, Takayuki Uchiyama (JPCERT/CC, JP), and Masaki
More informationTSP and Security. PSP/TSP Community of Practice Breakout Group. December 14-15, 2016
TSP and Security PSP/TSP Community of Practice Breakout Group December 14-15, 2016 Software Engineering Institute Carnegie Mellon University Pittsburgh, PA 15213 2016 Carnegie Mellon University Topics
More informationNational Information Assurance Partnership
National Information Assurance Partnership TM Common Criteria Evaluation and Validation Scheme Validation Report Xceedium Gatekeeper Version 3.6 Report Number: CCEVS-VR-06-0048 Dated: 31 October 2006 Version:
More informationStatic Analysis Techniques
oftware Design (F28SD2): Static Analysis Techniques 1 Software Design (F28SD2) Static Analysis Techniques Andrew Ireland School of Mathematical and Computer Science Heriot-Watt University Edinburgh oftware
More informationNational Information Assurance Partnership
National Information Assurance Partnership TM Common Criteria Evaluation and Validation Scheme Validation Report For VMware ESX Server 2.5.0 and VirtualCenter 1.2.0 Report Number: CCEVS-VR-06-0013 Dated:
More informationCertification Report
Certification Report EAL 2+ Evaluation of Data ONTAP Version 7.2.5.1 Issued by: Communications Security Establishment Canada Certification Body Canadian Common Criteria Evaluation and Certification Scheme
More informationRelating Software Coupling Attribute and Security Vulnerability Attribute
Relating Software Coupling Attribute and Security Vulnerability Attribute Varadachari S. Ayanam, Frank Tsui, Sheryl Duggins, Andy Wang Southern Polytechnic State University Marietta, Georgia 30060 Abstract:
More informationSystem Administration and Network Security
System Administration and Network Security Master SSCI, M2P subject Duration: up to 3 hours. All answers should be justified. Clear and concise answers will be rewarded. 1 Network Administration To keep
More informationn Explain penetration testing concepts n Explain vulnerability scanning concepts n Reconnaissance is the first step of performing a pen test
Chapter Objectives n Explain penetration testing concepts n Explain vulnerability scanning concepts Chapter #4: Threats, Attacks, and Vulnerabilities Vulnerability Scanning and Penetration Testing 2 Penetration
More informationRe: McAfee s comments in response to NIST s Solicitation for Comments on Draft 2 of Cybersecurity Framework Version 1.1
January 19, 2018 VIA EMAIL: cyberframework@nist.gov Edwin Games National Institute of Standards and Technology 100 Bureau Drive, Mail Stop 8930 Gaithersburg, MD 20899 Re: McAfee s comments in response
More informationNational Information Assurance Partnership. Common Criteria Evaluation and Validation Scheme
National Information Assurance Partnership Common Criteria Evaluation and Validation Scheme TM Validation Report Report Number: CCEVS-VR-10446-2011 Dated: July 1, 2011 Version: 1.0 National Institute of
More informationVerification & Validation of Open Source
Verification & Validation of Open Source 2011 WORKSHOP ON SPACECRAFT FLIGHT SOFTWARE Gordon Uchenick Coverity, Inc Open Source is Ubiquitous Most commercial and proprietary software systems have some open
More informationAutomating Best Practices to Improve Design Quality
Automating Best Practices to Improve Design Quality 임베디드 SW 개발에서의품질확보방안 이제훈차장 2015 The MathWorks, Inc. 1 Key Takeaways Author, manage requirements in Simulink Early verification to find defects sooner
More informationUsing Machine Learning to Identify Security Issues in Open-Source Libraries. Asankhaya Sharma Yaqin Zhou SourceClear
Using Machine Learning to Identify Security Issues in Open-Source Libraries Asankhaya Sharma Yaqin Zhou SourceClear Outline - Overview of problem space Unidentified security issues How Machine Learning
More informationWeb Applications (Part 2) The Hackers New Target
Web Applications (Part 2) The Hackers New Target AppScan Source Edition Terence Chow Advisory Technical Consultant An IBM Rational IBM Software Proof of Technology Hacking 102: Integrating Web Application
More informationModeling and Discovering Vulnerabilities with Code Property Graphs
Modeling and Discovering Vulnerabilities with Code Property Graphs Fabian Yamaguchi, Nico Golde (Qualcomm), Daniel Arp, and Konrad Rieck Security & Privacy 2014 GEORG-AUGUST-UNIVERSITÄT GÖTTINGEN Implementation
More informationFinding Vulnerabilities in Web Applications
Finding Vulnerabilities in Web Applications Christopher Kruegel, Technical University Vienna Evolving Networks, Evolving Threats The past few years have witnessed a significant increase in the number of
More informationAttack Vectors in Computer Security
Attack Vectors in Computer Security Who Am I @WillGoard My first proper hacksoc talk I speak fluent greek Sell more pizzas have more fun Why attack vectors? Didn t know what to do for my dissertation Started
More informationCertification Report
EAL 3 Evaluation of Thales Communications S. A. Internal Communications Management System (ICMS) Issued by: Communications Security Establishment Certification Body Canadian Common Criteria Evaluation
More informationObjectives. Chapter 19. Verification vs. validation. Topics covered. Static and dynamic verification. The V&V process
Objectives Chapter 19 Verification and Validation Assuring that a software system meets a user s need are to introduce software verification and validation (V&V) and to discuss the distinction between
More informationNational Information Assurance Partnership. Common Criteria Evaluation and Validation Scheme. Validation Report. Tripp Lite Secure KVM Switch Series
National Information Assurance Partnership Common Criteria Evaluation and Validation Scheme TM Validation Report Report Number: CCEVS-VR-VID10481-2011 Dated: October 31, 2011 Version: 2.0 National Institute
More informationCertification Report
Certification Report EAL 2+ Evaluation of Service Router Operating System (SR OS) v7.0 Issued by: Communications Security Establishment Canada Certification Body Canadian Common Criteria Evaluation and
More informationInstrumentation, Controls, and Automation - Program 68
Instrumentation, Controls, and Automation - Program 68 Program Description Program Overview Power generators need to improve their ability to detect damage to plant equipment while preserving the focus
More informationNational Information Assurance Partnership. Common Criteria Evaluation and Validation Scheme
National Information Assurance Partnership Common Criteria Evaluation and Validation Scheme TM Validation Report for the Venafi Trust Protection Platform, Version 1.0 Report Number: CCEVS-VR-VID10800-2017
More informationCertification Report
Certification Report McAfee File and Removable Media Protection 4.3.1 and epolicy Orchestrator 5.1.2 Issued by: Communications Security Establishment Certification Body Canadian Common Criteria Evaluation
More informationCertification Report
Certification Report Owl DualDiode Communication Cards v7 Issued by: Communications Security Establishment Certification Body Canadian Common Criteria Evaluation and Certification Scheme Government of
More informationCOMMON CRITERIA CERTIFICATION REPORT
COMMON CRITERIA CERTIFICATION REPORT McAfee VirusScan Enterprise 8.8 and epolicy Orchestrator 5.1.3 v1.0 9 May 2016 FOREWORD This certification report is an UNCLASSIFIED publication, issued under the authority
More informationCertification Report
Certification Report EAL 2 Evaluation of s EMC Smarts Service Assurance Management (SAM) Suite and Internet Protocol (IP) Management Suite 6.5.1 Issued by: Communications Security Establishment Certification
More informationISO. International Organization for Standardization. ISO/IEC JTC 1/SC 32 Data Management and Interchange WG4 SQL/MM. Secretariat: USA (ANSI)
ISO/IEC JTC 1/SC 32 N 0736 ISO/IEC JTC 1/SC 32/WG 4 SQL/MM:VIE-006 January, 2002 ISO International Organization for Standardization ISO/IEC JTC 1/SC 32 Data Management and Interchange WG4 SQL/MM Secretariat:
More informationA Knowledge-based Alert Evaluation and Security Decision Support Framework 1
A Knowledge-based Alert Evaluation and Security Decision Support Framework 1 Jinqiao Yu Department of Mathematics and Computer Science Illinois Wesleyan Univerisity P.O.Box 2900 Bloomington, IL 61701 Ramana
More informationCertification Report
Certification Report EAL 3+ Evaluation of Xerox WorkCentre 5632/5638/5645/5655/5665/5675/5687 Multifunction Systems Issued by: Communications Security Establishment Canada Certification Body Canadian Common
More informationCOMMON CRITERIA CERTIFICATION REPORT
COMMON CRITERIA CERTIFICATION REPORT WorkCentre 7845/7845i/7855/7855i 2016 Xerox ConnectKey Technology 12 August 2016 v1.0 383-4-382 Government of Canada. This document is the property of the Government
More information