The SAMATE Project Department of Homeland Security

Web sites and resources

DISCLAIMER: Certain trade names and company products are mentioned in the text or identified. In no case does such identification imply recommendation or endorsement by the National Institute of Standards and Technology (NIST), nor does it imply that the products are necessarily the best available for the purpose.

By selecting almost any of these links, you will be leaving NIST webspace. We provide these links because they may have information of interest to you. No inferences should be drawn because some sites are referenced, or not, from this page. There may be other web sites that are more appropriate for your purpose. NIST does not necessarily endorse the views expressed, or concur with the assertions presented on these sites. Further, NIST does not endorse any commercial products that may be mentioned on these sites.

Previous SAMATE Workshop Products

Past Workshops have been held at NIST, as well as locations sponsored by other organizations. The products of those workshops include paper and slide presentations, tool test cases and tool specifications.

Good Practices

  • Build Security In (BSI). "The SEI (Software Engineering Institute) team is developing and collecting software assurance and software security information that will help software developers, architects, and security practitioners to create secure systems". This project is sponsored by the US Department of Homeland Security (DHS).
  • PHP Security Consortium (PHPSC) is an "international group of PHP experts dedicated to promoting secure programming practices within the PHP community".
  • CERT's Secure Coding Standards is a broad-based effort which, if followed, prevents many frequent vulnerabilities. The language-independent practices are supplemented by some particular to C and some particular to C++.
  • The Cyber Security and Information Systems Information Analysis Center (CSIAC) is a U.S. Department of Defense (DoD) Information Analysis Center (IAC) for information, data, analysis, training, and technical assistance in software technology and software engineering in its broadest sense. The CSIAC aims to serve as an authoritative source for state-of-the-art software information providing technical support for the software community. CSIAC consolidates the Data and Analysis Center for Software (DACS) and two other IACs.

Vulnerability Resources

The Open Web Application Security Project (OWASP) is an all-volunteer group that produces free, professional-quality, open-source documentation, tools, and standards. The OWASP community facilitates conferences, local chapters, articles, papers, and message forums. OWASP also publishes the OWASP Top Ten Web Application Vulnerabilities; the site has a document with more detail. (2 Aug 2011)

Established in 1988, the CERT® Coordination Center (CERT/CC) is a center of Internet security expertise, located at the Software Engineering Institute, a federally funded research and development center operated by Carnegie Mellon University.

Their goal is to protect the United States against cyber attacks. They also have some vulnerability resources.

The NVD is a searchable index of information on computer vulnerabilities. It provides search capability at a fine granularity and links users to vulnerability and patch information. Formerly known as ICAT.

CVE is a list of standardized names for vulnerabilities and other information security exposures. CVE aims to standardize the names for all publicly known vulnerabilities and security exposures. This is a community-wide effort and free for review. See their Board Members.

MITRE's work on shared names of types of vulnerabilities and weaknesses. The CVE (above) seeks a common name for each specific instance, say, SQL injection in sendmail version 5.4. The CWE seeks a common name and definition for each kind of weakness, say buffer overflow, leading to vulnerabilities. The CWE is complemented by other work to quantify the likely severity of a weakness, list attack patterns, and enable risk analysis.

CWE/SANS Top 25 Most Dangerous Programming Errors

This vulnerability database is maintained by the website SecurityFocus.com. It appears to be very active, and the website claims to gather the largest community of security professionals.

A database of security advisories and vulnerabilities. They also have a vulnerability notification service, as well as separate lists of Linux advisories and malware advisories.

This group has produced some papers closely related to our work. They have buffer overflow examples from WU-FTP, BIND, and sendmail available for download.

  • Coverity's Open Source Scanning project. Under contract with DHS and in cooperation with Stanford University, Coverity is scanning open source "to uncover some of the most critical types of bugs".

Software Assurance in the SCADA Community

Other Resources

  • Our comments on Metrics and Measures for software. What is a "metric" vs. a "measure"? What are useful scales and what are artifacts?
  • NIST's Computer Security Resource Center has checklists, guidelines, standards, etc. (19 July 2005)
  • Here is Greg Tassey's summary (PDF) of NIST's 2002 report on The Economic Impacts of Inadequate Infrastructure for Software Testing (PDF). The full report has a good overview of software quality attributes, metrics, and testing methods and tools.
  • The Federal Computer Security Program Managers' Forum website promotes "the sharing of computer security information among federal agencies."
  • Homeland Open Security Technology (HOST). The program's mission is to investigate open security methods, models and technologies and identify viable and sustainable approaches that support national cyber security objectives. The foundational technology for the purposes of HOST is based on open source software.
  • Software Quality Assurance. The Software Quality Assurance project will develop tools, techniques and environments for analyzing software to detect security vulnerabilities associated with our Nation's critical infrastructure and networks. Specifically, this project addresses the presence of internal flaws and vulnerabilities in software and deals with the root of the problem by improving software security. Test environments for these tools will also be built; one such facility is the SoftWare Assurance Market Place (SWAMP), which will develop research infrastructure that can be used by open source and commercial software product developers to test the security functionality of their software using source code analysis techniques to discover and eliminate vulnerabilities from large codebases.
  • The Information Assurance Technical Framework Forum. Their main purpose is to support the Information Assurance Technical Framework (IATF), which "is a leading source of information on security solutions ..." U.S. government, IS security engineers, vendors, and providers "look to the IATF to provide the guidance and definitive requirements for selecting adequate and appropriate IA technology." The forum meets every 6 weeks in the greater Washington area.
  • Other resources are ISO/IEC 15026 System and Software Assurance and the book "Code Complete".
  • Rice's theorem proves that any non-trivial software property is undecidable. Really.
  • Glossary of Computer Security Terms NCSC-TG-004 at http://fas.org/irp/nsa/rainbow/tg004.htm contains definitions of commonly used computer security terms. It was issued by the National Computer Security Center (NCSC) in 1988.