SAMATE Bibliography

[SAMATE Home | IntrO TO SAMATE | SARD | SATE | Bugs Framework | Publications | Tool Survey | Resources]

We also keep a list of all SAMATE Publications and presentations.

Contents

Metrics
Product Evaluation and Surveys
Technical Algorithm Papers
Specific Vulnerabilities
Other Papers
Books

Metrics 

• CAS Static Analysis Tool Study - Methodology, Center for Assured Software, National Security Agency, Dec 2012.
• CAS Static Analysis Tool Study - Methodology, Center for Assured Software, National Security Agency, Dec 2011.
• P. K. Manadhata, K. M. C. Tan, R. A. Maxion, and J. M. Wing, An Approach to Measuring a System's Attack Surface, Carnegie Mellon University, Technical Report CMU-CS-07-146, August 2007.
• O. H. Alhazmi, Y. K. Malaiya and I. Ray, Security Vulnerabilities in Software Systems A Quantitative Perspective, Colorado State University, IFIP WG 11.3 Working Conference on Data and Applications Security, 2005, August 2005
• Joe Schofield, The Statistically Unreliable Nature of Lines of Code, CrossTalk, 18(4):29-33, April 2005.
• Brian Chess and Katrina Tsipenyuk, A Metric for Evaluating Static Analysis Tools, MetriCon 1.0, Vancouver, August 2006.

Product Evaluation and Surveys 

in reverse chronological order

• Booz Allen Hamilton, Software Security Assessment Tools Review, March 2009.
• Martin Johns, Scanstud - Evaluating static analysis tools, May 2008
• R Krishnan, Margaret Nadworny, and Nishil Bharill, Static Analysis for Improving Secure Software Development at Motorola, November 2007
• Redge Bartholomew, Evaluation of Static Source Code Analyzers for Real-Time Embedded Software Development, November 2007
  Available in Proc. Static Analysis Workshop II SASII, Ada Letters, April 2008.
• Larry Suto, Analyzing the Effectiveness and Coverage of Web Application Security Scanners, October 2007
• Justin Schuh, Code Scanners: False Sense of Security?, 16 April 2007
• Peter A. Buxbaum, All for one, but not one for all, GCN, March 18, 2007
• Jeff Forristal, Review: Source-Code Assessment Tools Kill Bugs Dead, Secure Enterprise Magazine, Dec. 2005.
• Brian E. Burke, sponsored by Webroot, Securing Enterprise Environments Against Spyware : Benefits of Best-of-Breed Security, November 2005
• Kendra Kratkiewicz, Evaluating Static Analysis Tools for Detecting Buffer Overflows in C Code, Master's thesis, Harvard University, Cambridge, MA, 2005, 285 pages.
• Freeland Abbott and Joseph Saur, A Comparison of Code Checker Technologies for Software Vulnerability Evaluation, Code Checkers Project Evaluation Report, Joint Systems Integration Command, 25 April 2005
• Misha Zitser, Richard Lippmann, and Tim Leek, Testing Static Analysis Tools using Exploitable Buffer Overflows from Open Source Code, Proc. FSE-12, ACM SIGSOFT, 2004. DOI 10.1145/1029894.1029911
• Defense Information Systems Agency, Application Security Assessment Tool Market Survey, Version 3.0, July 29, 2004.
• Nick Rutar, Christian B. Almazan, and Jeffrey S. Foster,  A Comparison of Bug Finding Tools for Java - The 15th IEEE International Symposium on Software Reliability Engineering (ISSRE'04). Saint-Malo, Bretagne, France. November 2004.

• John Wilander and Mariam Kamkar, A Comparison of Publicly Available Tools for Dynamic Buffer Overflow Prevention, proc 10th Network and Distributed System Security Symposium (NDSS'03), February 5-7, 2003, San Diego, California. Pages 149-162.
• Ciera Nicole Christopher, Evaluating Static Analysis Frameworks, Carnegie Mellon University, "Analysis of Software Artifacts 17-754", May 10, 2006.
• John Wilander and Mariam Kamkar, A Comparison of Publicly Available Tools for Static Intrusion Prevention, proc 7th Nordic Workshop on Secure IT Systems (Nordsec 2002), November 7-8, 2002, Karlstad, Sweden. Pages 68-84.

Technical Algorithm Papers 

alphabetical by author's last name

• Sagar Chaki and Scott Hissam, Certifying the Absence of Buffer Overflows, Technical Note CMU/SEI-2006-TN-030, September 2006. 
• Christoph Csaliner and Yannis Smaragdakis, Check 'n' Crash: Combining Static Checking and Testing, in Proceedings of 27th international conference on software engineering, May 15-21, 2005.
• David Hovemeyer and William Pugh.  Finding Bugs is Easy, in SIGPLAN Notices (Proceedings of Onward! at OOPSLA 2004), December, 2004
• Holger Peine, Rules of Thumb for Secure Software Engineering, in Proceedings of 27th International Conference on Software Engineering (ICSM), May 15-21, 2005.
• Marco Pistoia, Satish Chandra, Stephen J. Fink, and Eran Yahaz, A survey of static analysis methods for identifying security vulnerabilities in software systems, IBM Systems Journal, 46(2):265-288, April-June 2007.
• Donald J. Reifer, Protecting Yourself Against Malicious Code in COTS, Systems & Software Technology Conference, 18 - 21 April 2005, Salt Lake City, UT
• Alexander Ivanov Sotirov, Automatic vulnerability detection static source code analysis, A Master's degree Thesis, 2005
• David Wagner, Jeffrey Foster, Eric Brewer, Alexander Aiken, A First Step Towards Automated Detection of Buffer Overrun Vulnerabilities, in Proceedings of the Network and Distributed Security Symposium, Feb. 2000. 

Specific Vulnerabilities 

• Lwin Khin Shar and Hee Beng Kuan Tan, Defeating SQL Injection, IEEE Computer, 46(3), pages 69-77, March 2013.
• Benjamin A. Kuperman, Carla E. Brodley, Hilmi Ozdoganoglu, T. N. Vijaykumar, and Ankit Jalote, Detection and prevention of stack buffer overflow attacks, CACM, 48(11), pages 50-56, November 2005. 
• Robert H. B. Netzer and Barton P. Miller, What Are Race Conditions? Some Issues and Formalization, University of Wisconsin - Madison, 1992. 

Other Papers 

• Unforgivable Vulnerabilities, Steve Christey, 2007.
• Cyber Security: A Crisis of Prioritization, PITAC, 2005.
• OWASP Development Guide, OWASP, accessed 29 August 2012.
• David A. Wheeler, Secure Programming for Linux and UNIX HOWTO, Version 3.010, March 3, 2003.
• Christian Collberg, Clark Thomborson, and Douglas Low, A Taxonomy of Obfuscating Transformations, Technical Report #148, Department of Computer Sciences, The University of Auckland, July 1997.
• Nancy G. Leveson, High-Pressure Steam Engines and Computer Software, keynote talk , International Conference on Software Engineering, Melbourne, Australia, May 1992. A shortened version appeared in IEEE Computer, October 1994.

Books 

• Secure Programming with Static Analysis, Brian Chess & Jacob West, Addison-Wesley - ISBN 0-321-42477-8
• Security Metrics: Replacing Fear, Uncertainty, and Doubt, Andrew Jaquith, Addison-Wesley - ISBN 0-32-134998-9

• IEEE 610.12-1990, IEEE Standard Glossary of Software Engineering Terminology

• Building Secure Software, John Viega & Gary McGraw, Addison-Wesley - ISBN 0-201-72152-X
• Exploiting Software, How to Break Code, Greg Hoglund & Gary McGraw, Addison-Wesley - ISBN 0-201-78695-8
• Secure Programming Cookbook for C and C++, John Viega & Matt Messier, O'Reilly - ISBN 0-59-600394-3
• Buffer Overflow Attacks, Detect, Exploit, Prevent, James C. Foster, Vitaly Osipov, Nish Bhalla, Niels Heinen, SYNGRESS - ISBN 1-93-226667-4
• Secure Coding in C and C++, Robert C. Seacord, Second Edition, Addison-Wesley, 2013. ISBN-13: 978-0-321-82213-0
• Secure Coding - Principles and Practices, Mark G. Graff and Kenneth R. van Wyk, O'Reilly - ISBN 0-59-600242-4
• 19 Deadly Sins of Software Security, Michael Howard, David LeBlanc, John Viega, McGraw-Hill Osborne Media - ISBN 0-07-226085-8