Software State-of-the-Art Resources (SOAR) Matrix

The Software State-of-the-Art Resources (SOAR) Matrix defines and describes a process for selecting and using appropriate analysis tools and techniques for evaluating software for software (security) assurance. In particular, it identifies types of tools and techniques available for evaluating software, as well as the following technical objectives those tools and techniques can meet [1]:

The matrix organizes each technical objective into up to four levels: a high-level category, a lower-level category, a lower-lower-level category, and a fourth level based on specific weaknesses. The flattened table is reconstructed below as a nested list, with each indentation level corresponding to one column of the matrix.

1. Provide design & code quality
   - General: Failure to adhere
     - Use of Obsolete Functions
     - Use of Potentially Dangerous Function

2. Counter known vulnerabilities (CVEs)

3. Ensure authentication and access control
   - Authentication Issues
     - Missing Authentication for Critical Function
     - Improper Restriction of Excessive Authentication Attempts
     - Other authentication issues
   - Credentials Management
     - Use of Hard-coded Credentials (not put in maliciously)
     - Other credential issues
   - Permissions, Privileges, and Access Control
     - Missing Authorization {also a design issue}
     - Improper/Incorrect Authorization
     - Permission issues, including Incorrect Default Permissions and Incorrect Permission Assignment for Critical Resource
     - Reliance on Untrusted Inputs in a Security Decision
     - Other failure to enforce
   - Least Privilege
     - Execution with Unnecessary Privileges
     - Least Privilege Violation [in implementation, including grandfathering]
     - Other privilege/sandbox issues

4. Counter unintentional-"like" weaknesses
   - Buffer Handling
     - Buffer Errors
       - Incorrect Calculation of Buffer Size
       - Classic Buffer Overflow
       - Other
   - Injection
     - Cross-Site Request Forgery (CSRF)
     - Cross-Site Scripting (XSS)
     - Code Injection
       - Unrestricted Upload of File with Dangerous Type
       - Download of Code Without Integrity Check
       - Other code injection
     - Format String Vulnerability
     - OS Command Injection
     - SQL Injection
   - Input Validation
     - URL Redirection to Untrusted Site ("Open Redirect") [child of CWE-20]
     - Other input validation
   - Encryption and Randomness
     - Cryptographic Issues
       - Missing Encryption of Sensitive Data
       - Use of a Broken or Risky Cryptographic Algorithm
       - Use of Password Hash With Insufficient Computational Effort (incl. Use of a One-Way Hash without a Salt)
       - Improper Certificate Validation
       - Other cryptographic issues
     - Randomness issues
   - File Handling
     - Pathname Traversal and Equivalence Errors (including Link Following; note that NVD uses "link following")
       - Path Traversal
       - Other
   - Information Leaks
     - Information Leak / Disclosure
   - Number Handling
     - Numeric Errors
       - Integer Overflow or Wraparound
       - Other
   - Control flow management
     - Race Conditions
     - Excessive Iteration
   - Initialization and Shutdown [of resources/components]
     - Resource Management Errors
   - Design Error
     - Design Error
       - Inclusion of Functionality from Untrusted Control Sphere
       - Other design errors
   - System Element Isolation
   - Error Handling & Fault Isolation
   - Pointer and reference handling

5. Counter intentional-"like"/malicious logic
   - Known malware
     - Known viruses without polymorphic/metamorphic code
     - Known viruses with polymorphic/metamorphic code
     - Known worms
     - Known Trojan horses (rootkits, key loggers, etc.)
     - Other
   - Not known malware
     - Time bombs
     - Logic bombs (a condition other than time triggers the failure)
     - Back doors/trap doors (ways to get in, e.g., ports, fixed undocumented passwords, etc.)
     - Embedded malicious logic, e.g., Trojan horse (additional functionality not desired by the user)
     - Spyware
     - Unrevealed "phone home" control (note: updates can be used this way, but are not necessarily malicious)
     - Application collusion (other than covert channels)
     - Covert channel
     - Planned/built-in obsolescence not revealed to the user/acquirer

6. Provide anti-tamper and ensure transparency
   - Anti-tamper
     - Impede technology transfer (obfuscation)
     - Impede alteration of system capability
     - Impede countermeasure development
   - Ensure transparency (detect obfuscation)

7. Counter development-tool-inserted weaknesses
   - Unintentional vulnerability insertion
   - Malicious code insertion

8. Provide secure delivery
   - Download of Code Without Integrity Check [at delivery/installation time, vs. execution time]

9. Provide secure configuration

10. Other
   - Excessive power consumption

References