Bibliography
From SAMATE
DISCLAIMER: Certain trade names and company products are mentioned in the text or identified. In no case does such identification imply recommendation or endorsement by the National Institute of Standards and Technology (NIST), nor does it imply that the products are necessarily the best available for the purpose.
By selecting almost any of these links, you will be leaving NIST webspace. We provide these links because they may have information of interest to you. No inferences should be drawn because some sites are referenced, or not, from this page. There may be other web sites that are more appropriate for your purpose. NIST does not necessarily endorse the views expressed, or concur with the assertions presented on these sites. Further, NIST does not endorse any commercial products that may be mentioned on these sites.
We also keep a list of all SAMATE Publications and presentations.
Metrics
- CAS Static Analysis Tool Study - Methodology, Center for Assured Software, National Security Agency, Dec 2012.
- CAS Static Analysis Tool Study - Methodology, Center for Assured Software, National Security Agency, Dec 2011.
- P. K. Manadhata, K. M. C. Tan, R. A. Maxion, and J. M. Wing, An Approach to Measuring a System's Attack Surface, Carnegie Mellon University, Technical Report CMU-CS-07-146, August 2007.
- O. H. Alhazmi, Y. K. Malaiya, and I. Ray, Security Vulnerabilities in Software Systems: A Quantitative Perspective, Colorado State University, IFIP WG 11.3 Working Conference on Data and Applications Security, August 2005.
- Joe Schofield, The Statistically Unreliable Nature of Lines of Code, CrossTalk, 18(4):29-33, April 2005.
- Brian Chess and Katrina Tsipenyuk, A Metric for Evaluating Static Analysis Tools, MetriCon 1.0, Vancouver, August 2006.
- Available at https://www.securitymetrics.org/content/attach/Welcome_blogentry_010806_1/software_chess.ppt
Product Evaluation and Surveys
in reverse chronological order
- Booz Allen Hamilton, Software Security Assessment Tools Review, March 2009.
- Martin Johns, Scanstud - Evaluating static analysis tools, May 2008
- R. Krishnan, Margaret Nadworny, and Nishil Bharill, Static Analysis for Improving Secure Software Development at Motorola, November 2007
- Redge Bartholomew, Evaluation of Static Source Code Analyzers for Real-Time Embedded Software Development, November 2007
- Available in Proc. Static Analysis Workshop II SASII, Ada Letters, April 2008.
- Larry Suto, Analyzing the Effectiveness and Coverage of Web Application Security Scanners, October 2007
- Justin Schuh, Code Scanners: False Sense of Security?, 16 April 2007
- Available at http://www.fortifysoftware.com/servlet/downloads/public/Network_Computing-False_Sense_of_Security.pdf
- Peter A. Buxbaum, All for one, but not one for all, Government Computer News (GCN), 26(6), March 19, 2007
- Available at http://www.gcn.com/print/26_06/43320-1.html
- iDefense Labs, Top 10 Spyware Applications, January 5, 2006
- Jeff Forristal, Review: Source-Code Assessment Tools Kill Bugs Dead, Secure Enterprise Magazine, Dec. 2005.
- Brian E. Burke, sponsored by Webroot, Securing Enterprise Environments Against Spyware : Benefits of Best-of-Breed Security, November 2005
- Kendra Kratkiewicz, Evaluating Static Analysis Tools for Detecting Buffer Overflows in C Code, Master's thesis, Harvard University, Cambridge, MA, 2005, 285 pages.
- Freeland Abbott and Joseph Saur, A Comparison of Code Checker Technologies for Software Vulnerability Evaluation, Code Checkers Project Evaluation Report, Joint Systems Integration Command, 25 April 2005
- Misha Zitser, Richard Lippmann, and Tim Leek, Testing Static Analysis Tools using Exploitable Buffer Overflows from Open Source Code, Proc. FSE-12, ACM SIGSOFT, 2004.
- Their test cases can be found on their website, http://www.ll.mit.edu/mission/communications/cyber/CSTcorpora/Cybersystemscorpora.html under Model Programs ... file models-2007-11-06.tgz.
- Defense Information Systems Agency, Application Security Assessment Tool Market Survey, Version 3.0, July 29, 2004.
- Nick Rutar, Christian B. Almazan, and Jeffrey S. Foster, A Comparison of Bug Finding Tools for Java, Proc. 15th IEEE International Symposium on Software Reliability Engineering (ISSRE'04), Saint-Malo, Bretagne, France, November 2004.
- Available at http://www.cs.umd.edu/~jfoster/papers/issre04.pdf (12 pages).
- John Wilander and Mariam Kamkar, A Comparison of Publicly Available Tools for Dynamic Buffer Overflow Prevention, Proc. 10th Network and Distributed System Security Symposium (NDSS'03), February 5-7, 2003, San Diego, California, pages 149-162.
- Ciera Nicole Christopher, Evaluating Static Analysis Frameworks, Carnegie Mellon University, "Analysis of Software Artifacts 17-754", May 10, 2006.
- Available at http://www.cs.cmu.edu/~aldrich/courses/654/tools/christopher-analysis-frameworks-06.pdf (17 pages).
- John Wilander and Mariam Kamkar, A Comparison of Publicly Available Tools for Static Intrusion Prevention, Proc. 7th Nordic Workshop on Secure IT Systems (Nordsec 2002), November 7-8, 2002, Karlstad, Sweden, pages 68-84.
Technical Algorithm Papers
alphabetical by author's last name
- Sagar Chaki and Scott Hissam, Certifying the Absence of Buffer Overflows, Technical Note CMU/SEI-2006-TN-030, September 2006.
- Available at http://www.sei.cmu.edu/library/abstracts/reports/06tn030.cfm
- Christoph Csallner and Yannis Smaragdakis, Check 'n' Crash: Combining Static Checking and Testing, in Proceedings of the 27th International Conference on Software Engineering (ICSE 2005), May 15-21, 2005.
- David Hovemeyer and William Pugh. Finding Bugs is Easy, in SIGPLAN Notices (Proceedings of Onward! at OOPSLA 2004), December, 2004
- Available at http://faculty.ycp.edu/~dhovemey/pubs/oopsla2004.pdf (15 pages).
- Holger Peine, Rules of Thumb for Secure Software Engineering, in Proceedings of the 27th International Conference on Software Engineering (ICSE 2005), May 15-21, 2005.
- Available at http://delivery.acm.org/10.1145/1070000/1062626/p702-peine.pdf?key1=1062626&key2=8813994211&coll=GUIDE&dl=GUIDE&CFID=53187550&CFTOKEN=57100534
- Marco Pistoia, Satish Chandra, Stephen J. Fink, and Eran Yahav, A Survey of Static Analysis Methods for Identifying Security Vulnerabilities in Software Systems, IBM Systems Journal, 46(2):265-288, April-June 2007.
- Donald J. Reifer, Protecting Yourself Against Malicious Code in COTS, Systems & Software Technology Conference, 18-21 April 2005, Salt Lake City, UT
- Alexander Ivanov Sotirov, Automatic Vulnerability Detection Using Static Source Code Analysis, Master's thesis, 2005
- David Wagner, Jeffrey Foster, Eric Brewer, Alexander Aiken, A First Step Towards Automated Detection of Buffer Overrun Vulnerabilities, in Proceedings of the Network and Distributed Security Symposium, Feb. 2000.
- Available at http://www.cs.berkeley.edu/~daw/papers/overruns-ndss00.pdf
Specific Vulnerabilities
- Robert H. B. Netzer and Barton P. Miller, What Are Race Conditions? Some Issues and Formalization, University of Wisconsin - Madison.
- Available at http://www.cs.umd.edu/projects/syschat/raceConditions.pdf
- Benjamin A. Kuperman, Carla E. Brodley, Hilmi Ozdoganoglu, T. N. Vijaykumar, and Ankit Jalote, Detection and Prevention of Stack Buffer Overflow Attacks, CACM, 48(11), pages 50-56, November 2005.
- Available at http://doi.acm.org/10.1145/1096000.1096004
Other Papers
- Unforgivable Vulnerabilities, Steve Christey, 2007.
- Cyber Security: A Crisis of Prioritization, PITAC, 2005.
- Available from http://www.nitrd.gov/pitac/reports/20050301_cybersecurity/cybersecurity.pdf or http://www.nitrd.gov/pubs/
- OWASP Development Guide, OWASP, accessed 29 August 2012.
- Available from https://www.owasp.org/index.php/Category:OWASP_Guide_Project
- Software 2015: A National Software Strategy to Ensure U.S. Security and Competitiveness, Center for National Software Studies (CNSS), May 2005.
- Available at http://www.cnsoftware.org/nss2report/
- CNSS is at http://www.cnsoftware.org/
- David A. Wheeler, Secure Programming for Linux and UNIX HOWTO, Version 3.010, March 3, 2003.
- Christian Collberg, Clark Thomborson, and Douglas Low, A Taxonomy of Obfuscating Transformations, Technical Report #148, Department of Computer Sciences, The University of Auckland, July 1997.
- Nancy G. Leveson, High-Pressure Steam Engines and Computer Software, keynote talk, International Conference on Software Engineering, Melbourne, Australia, May 1992. A shortened version appeared in IEEE Computer, October 1994.
Books
- Secure Programming with Static Analysis, Brian Chess & Jacob West, Addison-Wesley - ISBN 0-321-42477-8
- Security Metrics: Replacing Fear, Uncertainty, and Doubt, Andrew Jaquith, Addison-Wesley - ISBN 0-32-134998-9
- IEEE 610.12-1990, IEEE Standard Glossary of Software Engineering Terminology
- Building Secure Software, John Viega & Gary McGraw, Addison-Wesley - ISBN 0-201-72152-X
- Exploiting Software, How to Break Code, Greg Hoglund & Gary McGraw, Addison-Wesley - ISBN 0-201-78695-8
- Secure Programming Cookbook for C and C++, John Viega & Matt Messier, O'Reilly - ISBN 0-59-600394-3
- Buffer Overflow Attacks, Detect, Exploit, Prevent, James C. Foster, Vitaly Osipov, Nish Bhalla, Niels Heinen, SYNGRESS - ISBN 1-93-226667-4
- Secure Coding in C and C++, Robert C. Seacord, Addison-Wesley, 2005 - ISBN-13: 978-0321335722
- Secure Coding - Principles and Practices, Mark G. Graff and Kenneth R. van Wyk, O'Reilly - ISBN 0-59-600242-4
- 19 Deadly Sins of Software Security, Michael Howard, David LeBlanc, John Viega, McGraw-Hill Osborne Media - ISBN 0-07-226085-8
