The SAMATE Project Department of Homeland Security

Web sites and resources



DISCLAIMER: Certain trade names and company products are mentioned in the text or identified. In no case does such identification imply recommendation or endorsement by the National Institute of Standards and Technology (NIST), nor does it imply that the products are necessarily the best available for the purpose.

By selecting almost any of these links, you will be leaving NIST webspace. We provide these links because they may have information of interest to you. No inferences should be drawn because some sites are referenced, or not, from this page. There may be other web sites that are more appropriate for your purpose. NIST does not necessarily endorse the views expressed, or concur with the assertions presented on these sites. Further, NIST does not endorse any commercial products that may be mentioned on these sites.


Previous SAMATE Workshop Products

Past Workshops have been held at NIST, as well as locations sponsored by other organizations. The products of those workshops include paper and slide presentations, tool test cases and tool specifications.

Good Practices

Vulnerability Resources

The Open Web Application Security Project (OWASP) is an all-volunteer group that produces free, professional-quality, open-source documentation, tools, and standards. The OWASP community runs conferences, local chapters, articles, papers, and message forums. OWASP publishes its Top Ten list of web application vulnerabilities; the site has a document with more detail on each entry. (2 Aug 2011)

Established in 1988, the CERT® Coordination Center (CERT/CC) is a center of Internet security expertise, located at the Software Engineering Institute, a federally funded research and development center operated by Carnegie Mellon University.

Their stated goal is to protect the United States against cyber attacks. They also maintain some vulnerability resources.

The National Vulnerability Database (NVD) is a searchable index of information on computer vulnerabilities. It supports fine-grained searches and links users to vulnerability and patch information. It was formerly known as ICAT.

Common Vulnerabilities and Exposures (CVE) is a list of standardized names for publicly known vulnerabilities and other information security exposures, so that different tools and databases can refer to the same issue by the same identifier. It is a community-wide effort, and the list is freely available for review. See their Board Members.

MITRE's work on shared names for types of vulnerabilities and weaknesses. Where CVE (above) assigns a common name to each specific instance of a vulnerability (say, SQL injection in sendmail version 5.4), the Common Weakness Enumeration (CWE) assigns a common name and definition to each kind of weakness (say, buffer overflow) that can lead to such vulnerabilities. CWE is complemented by related MITRE work to quantify the likely severity of a weakness, to catalog attack patterns, and to enable risk analysis.

CWE/SANS Top 25 Most Dangerous Programming Errors

This vulnerability database is maintained by SecurityFocus.com and is very actively updated. The site claims to host the largest community of security professionals.

A database of security advisories and vulnerabilities, with a vulnerability notification service and separate lists of Linux advisories and malware advisories.

This group has produced some papers closely related to our work. They have buffer overflow examples from WU-FTP, BIND, and sendmail available for download.

  • Coverity's Open Source Scanning project. Under contract with DHS and in cooperation with Stanford University, Coverity is scanning open source "to uncover some of the most critical types of bugs".

Software Assurance in the SCADA Community

Other Resources

Their main purpose is to support the Information Assurance Technical Framework (IATF), which "is a leading source of information on security solutions ..." U.S. government, IS security engineers, vendors, and providers "look to the IATF to provide the guidance and definitive requirements for selecting adequate and appropriate IA technology." The forum meets every 6 weeks in the greater Washington area.
  • Other resources are ISO/IEC 15026 System and Software Assurance and the book "Code Complete".
  • Rice's theorem proves that every non-trivial semantic property of programs (a property of the function a program computes that holds for some programs and not for others) is undecidable, so no tool can decide such a property for all programs without producing false positives or false negatives. Really.
  • Glossary of Computer Security Terms NCSC-TG-004 at http://www.fas.org/irp/nsa/rainbow/tg004.htm contains definitions of commonly used computer security terms. It was issued by the National Computer Security Center (NCSC) in 1988.
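The following statement and proof sketch of Rice's theorem are added here as an illustration of the limit it places on static analysis; they are not part of the original page, and the notation ($\varphi_e$, $\mathcal{P}$, $\mathrm{IN}_{\mathcal{P}}$, $\bot$) is chosen for this illustration only.

Fix a Turing-complete programming language and write $\varphi_e$ for the partial function computed by program $e$. Let $\mathcal{P}$ be a set of partial computable functions, and call $\mathcal{P}$ non-trivial if some computable function is in $\mathcal{P}$ and some computable function is not. Rice's theorem states that the set

$$\mathrm{IN}_{\mathcal{P}} \;=\; \{\, e \;:\; \varphi_e \in \mathcal{P} \,\}$$

is undecidable.

Proof sketch. Let $\bot$ be the nowhere-defined function. Replacing $\mathcal{P}$ by its complement if necessary, assume $\bot \notin \mathcal{P}$, and pick a computable $g \in \mathcal{P}$. Given any program $M$ and input $x$, construct the program $e_{M,x}$ that, on input $y$, first runs $M$ on $x$ and, if that run halts, returns $g(y)$. Then

$$\varphi_{e_{M,x}} \;=\; \begin{cases} g & \text{if } M \text{ halts on } x,\\[2pt] \bot & \text{otherwise,} \end{cases}$$

so $e_{M,x} \in \mathrm{IN}_{\mathcal{P}}$ exactly when $M$ halts on $x$. A decision procedure for $\mathrm{IN}_{\mathcal{P}}$ would therefore decide the halting problem, which is impossible.

Properties of what a program returns ("always outputs a sanitized string") fall directly under the theorem. Safety properties of executions, such as "never writes past the end of a buffer", are not literally properties of $\varphi_e$, but the same construction shows they are undecidable too: make $e_{M,x}$ perform the out-of-bounds write after $M$ halts on $x$, and the write occurs exactly when $M$ halts. Any analyzer for such properties must therefore approximate, flagging some safe programs or missing some unsafe ones.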