The SAMATE Project Department of Homeland Security



DISCLAIMER: Certain trade names and company products are mentioned in the text or identified. In no case does such identification imply recommendation or endorsement by the National Institute of Standards and Technology (NIST), nor does it imply that the products are necessarily the best available for the purpose.

By selecting almost any of these links, you will be leaving NIST webspace. We provide these links because they may have information of interest to you. No inferences should be drawn because some sites are referenced, or not, from this page. There may be other web sites that are more appropriate for your purpose. NIST does not necessarily endorse the views expressed, or concur with the assertions presented on these sites. Further, NIST does not endorse any commercial products that may be mentioned on these sites.

We also keep a list of all SAMATE Publications and presentations.



  • CAS Static Analysis Tool Study - Methodology, Center for Assured Software, National Security Agency, Dec 2012.
Available at 2012 Static Analysis Tool Study Methodology.pdf
  • CAS Static Analysis Tool Study - Methodology, Center for Assured Software, National Security Agency, Dec 2011.
Available at 2011 Static Analysis Tool Study Methodology.pdf
  • P. K. Manadhata, K. M. C. Tan, R. A. Maxion, and J. M. Wing, An Approach to Measuring a System's Attack Surface, Carnegie Mellon University, Technical Report CMU-CS-07-146, August 2007.
Available at
  • O. H. Alhazmi, Y. K. Malaiya, and I. Ray, Security Vulnerabilities in Software Systems: A Quantitative Perspective, Colorado State University, IFIP WG 11.3 Working Conference on Data and Applications Security, August 2005.
  • Joe Schofield, The Statistically Unreliable Nature of Lines of Code, CrossTalk, 18(4):29-33, April 2005.
Available at
  • Brian Chess and Katrina Tsipenyuk, A Metric for Evaluating Static Analysis Tools, MetriCon 1.0, Vancouver, August 2006.

Product Evaluation and Surveys

in reverse chronological order

  • Booz Allen Hamilton, Software Security Assessment Tools Review, March 2009.
Available at
  • Martin Johns, Scanstud - Evaluating static analysis tools, May 2008
Available at
  • R Krishnan, Margaret Nadworny, and Nishil Bharill, Static Analysis for Improving Secure Software Development at Motorola, November 2007
  • Redge Bartholomew, Evaluation of Static Source Code Analyzers for Real-Time Embedded Software Development, November 2007
Available in Proc. Static Analysis Workshop II (SAS II), Ada Letters, April 2008.
  • Larry Suto, Analyzing the Effectiveness and Coverage of Web Application Security Scanners, October 2007
  • Justin Schuh, Code Scanners: False Sense of Security?, 16 April 2007
  • Peter A. Buxbaum, All for one, but not one for all, GCN, March 18, 2007
Available at
  • Jeff Forristal, Review: Source-Code Assessment Tools Kill Bugs Dead, Secure Enterprise Magazine, Dec. 2005.
  • Brian E. Burke, sponsored by Webroot, Securing Enterprise Environments Against Spyware: Benefits of Best-of-Breed Security, November 2005.
  • Kendra Kratkiewicz, Evaluating Static Analysis Tools for Detecting Buffer Overflows in C Code, Master's thesis, Harvard University, Cambridge, MA, 2005, 285 pages.
Available at
Her test cases can be found on the Cyber Corpora under Diagnostic Test Suite ... suite: BOdiagsuite-20050808.tgz.
  • Freeland Abbott and Joseph Saur, A Comparison of Code Checker Technologies for Software Vulnerability Evaluation, Code Checkers Project Evaluation Report, Joint Systems Integration Command, 25 April 2005
  • Misha Zitser, Richard Lippmann, and Tim Leek, Testing Static Analysis Tools using Exploitable Buffer Overflows from Open Source Code, Proc. FSE-12, ACM SIGSOFT, 2004.
Available at
Their test cases can be found on the Cyber Corpora under Model Programs ... examples: models-2007-11-06.tgz.
  • Defense Information Systems Agency, Application Security Assessment Tool Market Survey, Version 3.0, July 29, 2004.
  • Nick Rutar, Christian B. Almazan, and Jeffrey S. Foster, A Comparison of Bug Finding Tools for Java, The 15th IEEE International Symposium on Software Reliability Engineering (ISSRE'04), Saint-Malo, Bretagne, France, November 2004.
Available at (12 pages).
  • John Wilander and Mariam Kamkar, A Comparison of Publicly Available Tools for Dynamic Buffer Overflow Prevention, Proc. 10th Network and Distributed System Security Symposium (NDSS'03), February 5-7, 2003, San Diego, California, pages 149-162.
Available at
  • Ciera Nicole Christopher, Evaluating Static Analysis Frameworks, Carnegie Mellon University, "Analysis of Software Artifacts 17-754", May 10, 2006.
Available at (17 pages).
  • John Wilander and Mariam Kamkar, A Comparison of Publicly Available Tools for Static Intrusion Prevention, Proc. 7th Nordic Workshop on Secure IT Systems (Nordsec 2002), November 7-8, 2002, Karlstad, Sweden, pages 68-84.
Available at

Technical Algorithm Papers

alphabetical by author's last name

  • Sagar Chaki and Scott Hissam, Certifying the Absence of Buffer Overflows, Technical Note CMU/SEI-2006-TN-030, September 2006.
    Available at
  • Christoph Csallner and Yannis Smaragdakis, Check 'n' Crash: Combining Static Checking and Testing, in Proceedings of the 27th International Conference on Software Engineering (ICSE 2005), May 15-21, 2005.
  • David Hovemeyer and William Pugh, Finding Bugs is Easy, in SIGPLAN Notices (Proceedings of Onward! at OOPSLA 2004), December 2004.
    Available at (15 pages).
  • Holger Peine, Rules of Thumb for Secure Software Engineering, in Proceedings of the 27th International Conference on Software Engineering (ICSE 2005), May 15-21, 2005.
  • Marco Pistoia, Satish Chandra, Stephen J. Fink, and Eran Yahav, A Survey of Static Analysis Methods for Identifying Security Vulnerabilities in Software Systems, IBM Systems Journal, 46(2):265-288, April-June 2007.
  • Donald J. Reifer, Protecting Yourself Against Malicious Code in COTS, Systems & Software Technology Conference, 18-21 April 2005, Salt Lake City, UT.
  • Alexander Ivanov Sotirov, Automatic Vulnerability Detection Using Static Source Code Analysis, Master's thesis, 2005.
  • David Wagner, Jeffrey Foster, Eric Brewer, and Alexander Aiken, A First Step Towards Automated Detection of Buffer Overrun Vulnerabilities, in Proceedings of the Network and Distributed System Security Symposium (NDSS 2000), February 2000.
    Available at

Specific Vulnerabilities

  • Lwin Khin Shar and Hee Beng Kuan Tan, Defeating SQL Injection, IEEE Computer, 46(3), pages 69-77, March 2013.
  • Benjamin A. Kuperman, Carla E. Brodley, Hilmi Ozdoganoglu, T. N. Vijaykumar, and Ankit Jalote, Detection and prevention of stack buffer overflow attacks, CACM, 48(11), pages 50-56, November 2005.
    Available at
  • Robert H. B. Netzer and Barton P. Miller, What Are Race Conditions? Some Issues and Formalization, University of Wisconsin - Madison, 1992.
    Available at

Other Papers


  • Secure Programming with Static Analysis, Brian Chess & Jacob West, Addison-Wesley, ISBN 0-321-42477-8
  • Security Metrics: Replacing Fear, Uncertainty, and Doubt, Andrew Jaquith, Addison-Wesley, ISBN 0-321-34998-9
  • Building Secure Software, John Viega & Gary McGraw, Addison-Wesley, ISBN 0-201-72152-X
  • Exploiting Software: How to Break Code, Greg Hoglund & Gary McGraw, Addison-Wesley, ISBN 0-201-78695-8
  • Secure Programming Cookbook for C and C++, John Viega & Matt Messier, O'Reilly, ISBN 0-596-00394-3
  • Buffer Overflow Attacks: Detect, Exploit, Prevent, James C. Foster, Vitaly Osipov, Nish Bhalla, and Niels Heinen, Syngress, ISBN 1-932266-67-4
  • Secure Coding in C and C++, Second Edition, Robert C. Seacord, Addison-Wesley, 2013, ISBN-13 978-0-321-82213-0
  • Secure Coding: Principles and Practices, Mark G. Graff and Kenneth R. van Wyk, O'Reilly, ISBN 0-596-00242-4
  • 19 Deadly Sins of Software Security, Michael Howard, David LeBlanc, and John Viega, McGraw-Hill Osborne Media, ISBN 0-07-226085-8