The SAMATE Project Department of Homeland Security

Tool Survey


Classes of Tools & Techniques

Here is a list of the classes of software security assurance functions, classified according to our tool taxonomy. Each row gives the class, the life cycle phase in which it is applied, a level from 0 to 3, its function (Preclude, Detect, Mitigate, or React), and whether it takes an internal (Int) or external (Ext) view of the software. The first group has web pages with comments or notes about the class. The second group does not yet have web pages.

Class | Life cycle phase | Level | Function | Int/Ext
----- | ---------------- | ----- | -------- | -------
Assurance Case Tools | SWE manage | 1 | Mitigate(?) | Int
Safer Languages | Implementation | 0 | Preclude | Int
Design/Modeling Verification Tools | Design | 2/3 | Detect | Int
Source Code Security Analyzers, Byte Code Scanners, Binary Code Scanners (SWEBOK 10 1.9) | Test | 2 | Detect | Int
Web Application Scanners | Test/Operation | 2 | Detect | Ext
Intrusion Detectors | Operation | 2 | Detect | Int
Network Scanners | Operation | 2 | Detect | Ext
Requirements Verification Tools | Requirements | 2/3 | Detect | Int
Architecture Design Tools | Design | 1 | Preclude | Int
Dynamic Analysis Tools | Test | 1 | Detect | Ext
Web Services Network Scanners | Test/Operation | 2 | Detect | Ext
Database Scanning Tools | Operation | 2 | Detect | Int
Anti-Spyware Tools (a system assurance class, not a software assurance class) | Operation | 2/3 | Detect/React | Int
Tool Integration Frameworks | Test/Operation | 2 | Detect | Int

The following classes do not yet have web pages.

Class | Life cycle phase | Level | Function | Int/Ext
----- | ---------------- | ----- | -------- | -------
Requirements modeling or tracing tools | Requirements | 1/2 | Detect | Int
Use cases | Requirements | 0 | Detect | Int
Constructive Approaches (correct by construction) | Design/Implementation | 1/2 | Preclude | Int
Compiler, error checking | Implementation | 3 | Detect | Int
Compiler, safety enforcing | Implementation | 3 | Preclude | Int
Configuration management (SWEBOK 10 1.6) | Config manage | 0/2 | Preclude | Int
Test generators, execution frameworks, test evaluation, test management, performance analysis (SWEBOK 10 1.4); source code or binary fault injection, fault propagation analysis, fuzz testing (Goertzel) | Test | 1/2 | Detect | Int
Code review assistants (SWEBOK 10 1.9) | Test | 1 | Detect | Int
Operator training | Operation | 1 | Preclude | Ext
Firewall, Virtual Patch, or Wrapper | Operation | 3 | Mitigate | Int
Forensic Security Analysis (Goertzel) | Operation | 1/2 | React | Int
Software engineering management (SWEBOK 10 1.7) | SWE manage | 0/2 | Preclude | Int
Software engineering process (SWEBOK 10 1.8) | SWE process | 0/2 | Preclude | Int
Guide to the SWEBOK [8], Chapter 10, lists software engineering methods, divided into three groups:
2.1 Heuristic methods
  • Structured methods
  • Data-oriented methods
  • Object-oriented methods
2.2 Formal methods
  • Specification languages and notations
  • Refinement
  • Verification/proving
2.3 Prototyping methods
  • Prototyping the style
  • Prototyping the target
  • Prototyping evaluation techniques
Insecure.Org's 2006 Top 100 Network Security Tools groups its tools into several classes, mostly for network investigation, including web vulnerability scanners (= Web Application Scanners), vulnerability scanners (= Network Scanners), the top 5 intrusion detection systems, password crackers, packet sniffers, wireless tools, the top 3 vulnerability exploitation tools, the top 4 application-specific scanners, the top 4 port scanners, the top 3 firewalls, the top 4 rootkit detectors, and packet crafters. Some tools are not categorized, but are simply listed in the Top 100.