Web sites and resources
From SAMATE
By selecting almost any of these links, you will be leaving NIST webspace. We provide these links because they may have information of interest to you. No inferences should be drawn because some sites are referenced, or not, from this page. There may be other web sites that are more appropriate for your purpose. NIST does not necessarily endorse the views expressed, or concur with the assertions presented on these sites. Further, NIST does not endorse any commercial products that may be mentioned on these sites.
Previous SAMATE Workshop Products
Past Workshops have been held at NIST, as well as locations sponsored by other organizations. The products of those workshops include paper and slide presentations, tool test cases and tool specifications.
Good Practices
- Build Security In (BSI). "The SEI (Software Engineering Institute) team is developing and collecting software assurance and software security information that will help software developers, architects, and security practitioners to create secure systems". This project is sponsored by the US Department of Homeland Security (DHS).
- PHP Security Consortium (PHPSC) is an "international group of PHP experts dedicated to promoting secure programming practices within the PHP community".
- CERT's Secure Coding Standards are a broad-based effort; followed consistently, they prevent many common vulnerabilities. The language-independent practices are supplemented by rules specific to C and rules specific to C++.
- The Cyber Security and Information Systems Information Analysis Center (CSIAC) is a Department of Defense (DoD) Information Analysis Center (IAC) for information, data, analysis, training, and technical assistance in software technology and software engineering in its broadest sense. The CSIAC aims to serve as an authoritative source for state-of-the-art software information providing technical support for the software community. CSIAC consolidates the Data and Analysis Center for Software (DACS) and two other IACs.
Vulnerability Resources
- The Open Web Application Security Project (OWASP) is an all-volunteer group that produces free, professional-quality, open-source documentation, tools, and standards. The OWASP community facilitates conferences, local chapters, articles, papers, and message forums. See OWASP's Top Ten Web Application Vulnerabilities; the site has a document with more detail. (2 Aug 2011)
- Established in 1988, the CERT® Coordination Center (CERT/CC) is a center of Internet security expertise, located at the Software Engineering Institute, a federally funded research and development center operated by Carnegie Mellon University.
- Their goal is to protect the United States against cyber attacks. They also have some vulnerability resources.
- The NVD (National Vulnerability Database) is a searchable index of information on computer vulnerabilities. It provides search capability at a fine granularity and links users to vulnerability and patch information. Formerly known as ICAT.
- CVE is a list of standardized names for vulnerabilities and other information security exposures. CVE aims to standardize the names for all publicly known vulnerabilities and security exposures. This is a community-wide effort and free for review. See their Board Members.
- MITRE's work on shared names for types of vulnerabilities and weaknesses. The CVE (above) seeks a common name for each specific instance, say, SQL injection in sendmail version 5.4. The CWE seeks a common name and definition for each kind of weakness, say buffer overflow, that leads to vulnerabilities. The CWE is complemented by other work to quantify the likely severity of a weakness, list attack patterns, and enable risk analysis.
- This vulnerability database is maintained by the website SecurityFocus.com. This one seems to be very active. The website claims to gather the largest community of security professionals.
- A database of security advisories and vulnerabilities. They also have a vulnerability notification service, as well as separate lists of Linux advisories and malware advisories.
- This group has produced some papers closely related to our work. They have buffer overflow examples from WU-FTP, BIND, and sendmail available for download.
- Coverity's Open Source Scanning project. Under contract with DHS and in cooperation with Stanford University, Coverity is scanning open source "to uncover some of the most critical types of bugs".
Software Assurance in the SCADA Community
- NIST Process Control Security Requirements Forum
- ISA SP-99 Manufacturing and Control Systems Security (the ISA99 committee's work has since been published as the ISA/IEC 62443 series of standards)
Other Resources
- Our comments on Metrics and Measures for software. What is a "metric" vs. a "measure"? What are useful scales and what are artifacts?
- NIST's Computer Security Resource Center has checklists, guidelines, standards, etc. (19 July 2005)
- Here is Greg Tassey's summary (PDF) of NIST's 2002 report on The Economic Impacts of Inadequate Infrastructure for Software Testing (PDF). The full report has a good overview of software quality attributes, metrics, and testing methods and tools.
- The Federal Computer Security Program Managers' Forum website promotes "the sharing of computer security information among federal agencies."
- The Information Assurance Technical Framework Forum. Its main purpose is to support the Information Assurance Technical Framework (IATF), which "is a leading source of information on security solutions ..." U.S. government, IS security engineers, vendors, and providers "look to the IATF to provide the guidance and definitive requirements for selecting adequate and appropriate IA technology." The forum meets every 6 weeks in the greater Washington area.
- Other resources are ISO/IEC 15026 System and Software Assurance and the book "Code Complete".
- Rice's theorem proves that every non-trivial semantic property of programs (a property of what the program computes, as opposed to how its text looks) is undecidable in general. Really. This is the formal reason a static analyzer cannot answer "does this code ever overflow a buffer?" exactly for all inputs: it must over-approximate (and report false positives) or under-approximate (and miss some real bugs).
- Glossary of Computer Security Terms NCSC-TG-004 at http://www.fas.org/irp/nsa/rainbow/tg004.htm contains definitions of commonly used computer security terms. It was issued by the National Computer Security Center (NCSC) in 1988.
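The following sketch of the standard proof of Rice's theorem is added here as an illustration and is not part of the original page; it shows why the theorem applies to security properties such as "this program never reaches an unsafe sink", which are properties of behaviour rather than of program text.

Let $P$ be a non-trivial property of the partial functions computed by programs, so some program has $P$ and some program does not. Write $\bot$ for the everywhere-undefined function. Without loss of generality $\bot \notin P$ (otherwise argue about the complement $\overline{P}$, which is decidable exactly when $P$ is). Since $P$ is non-trivial, fix a program $q$ whose computed function $f_q$ is in $P$.

Given any program $M$ and input $w$, construct the program

$$ r_{M,w}(x) = \begin{cases} q(x) & \text{if } M \text{ halts on } w \\ \text{undefined} & \text{otherwise} \end{cases} $$

(operationally: run $M$ on $w$, discard its result, then run $q$ on $x$). The function it computes is

$$ f_{r_{M,w}} = \begin{cases} f_q \in P & \text{if } M \text{ halts on } w \\ \bot \notin P & \text{otherwise} \end{cases} $$

so $r_{M,w}$ has $P$ if and only if $M$ halts on $w$. A decider for $P$ would therefore decide the halting problem, which is impossible; hence $P$ is undecidable.

Reading "has $P$" as "never writes past a buffer" or "never passes attacker-controlled data to a sink" shows that no exact, always-terminating checker for such a property exists. A practical tool therefore chooses a side: a sound analysis over-approximates reachable behaviour and reports every real violation at the cost of false positives, while a complete analysis under-approximates and reports only real violations at the cost of missing some.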
