DISCLAIMER: Certain trade names and company products are mentioned in the text or identified. In no case does such identification imply recommendation or endorsement by the National Institute of Standards and Technology (NIST), nor does it imply that the products are necessarily the best available for the purpose.
By selecting almost any of these links, you will be leaving NIST webspace. We provide these links because they may have information of interest to you. No inferences should be drawn because some sites are referenced, or not, from this page. There may be other web sites that are more appropriate for your purpose. NIST does not necessarily endorse the views expressed, or concur with the assertions presented on these sites. Further, NIST does not endorse any commercial products that may be mentioned on these sites.
Previous SAMATE Workshop Products
Past Workshops have been held at NIST, as well as locations sponsored by other organizations. The products of those workshops include paper and slide presentations, tool test cases and tool specifications.
Good Practices
- Build Security In (BSI). "The SEI (Software Engineering Institute) team is developing and collecting software assurance and software security information that will help software developers, architects, and security practitioners to create secure systems". This project is sponsored by the US Department of Homeland Security (DHS).
- PHP Security Consortium (PHPSC) is an "international group of PHP experts dedicated to promoting secure programming practices within the PHP community".
- CERT's Secure Coding Standards are a broad-based effort which, if followed, prevents many common vulnerabilities. The language-independent practices are supplemented by rules and recommendations specific to C and to C++.
- The Cyber Security and Information Systems Information Analysis Center (CSIAC) is a U.S. Department of Defense (DoD) Information Analysis Center (IAC) providing information, data, analysis, training, and technical assistance in software technology and software engineering in its broadest sense. CSIAC aims to be an authoritative source for state-of-the-art software information and to provide technical support to the software community. It consolidates the Data and Analysis Center for Software (DACS) and two other IACs.
Vulnerability Resources
- OWASP
The Open Web Application Security Project (OWASP) is an all-volunteer group that produces free, professional-quality, open-source documentation, tools, and standards. The OWASP community runs conferences, local chapters, articles, papers, and message forums. OWASP also publishes the OWASP Top Ten, a ranked list of the most critical web application security risks; the site has a more detailed document (2017 edition).
- SEI CERT Division
Established in 1988, it is a division of the Software Engineering Institute, a federally funded research and development center operated by Carnegie Mellon University.
- US-CERT (sponsored by DHS)
Its goal is to protect the United States against cyber attacks. It also publishes vulnerability resources, including alerts and weekly vulnerability bulletins.
- NIST National Vulnerability Database (NVD)
The NVD is a searchable index of information on computer vulnerabilities, built on the CVE list (below). It provides fine-grained search capability and links users to vulnerability and patch information. Formerly known as ICAT.
- Common Vulnerabilities and Exposures (CVE)
CVE is a list of standardized names (identifiers) for publicly known vulnerabilities and other information security exposures. Its aim is one common name per vulnerability so that different tools, advisories, and databases can be cross-referenced. It is a community-wide effort and free to review. See the list of CVE Board members.
- Common Weakness Enumeration (CWE)
MITRE's work on shared names for types of vulnerabilities and weaknesses. CVE (above) seeks a common name for each specific instance, say, an injection flaw in one version of one product; CWE seeks a common name and definition for each kind of weakness, say buffer overflow, that leads to such vulnerabilities. CWE is complemented by related MITRE work: the Common Weakness Scoring System (CWSS) to quantify the likely severity of a weakness, the Common Attack Pattern Enumeration and Classification (CAPEC) to list attack patterns, and the Common Weakness Risk Analysis Framework (CWRAF) to enable risk analysis.
CWE/SANS Top 25 Most Dangerous Programming Errors
- SecurityFocus Vulnerability Database
This vulnerability database is maintained by the website SecurityFocus.com and is actively updated. The site claims to gather the largest community of security professionals.
- Vupen Security
A database of security advisories and vulnerabilities, with a vulnerability notification service and separate lists of Linux advisories and malware advisories.
- Coverity's Open Source Scanning project. Under contract with DHS and in cooperation with Stanford University, Coverity is scanning open source "to uncover some of the most critical types of bugs".
Software Assurance in the SCADA Community
Other Resources
- Our comments on Metrics and Measures for software. What is a "metric" vs. a "measure"? What are useful scales and what are artifacts?
- NIST's Computer Security Resource Center has checklists, guidelines, standards, etc. (19 July 2005)
- Here is Greg Tassey's summary (PDF) of NIST's 2002 report on The Economic Impacts of Inadequate Infrastructure for Software Testing. The full report has a good overview of software quality attributes, metrics, and testing methods and tools.
- Homeland Open Security Technology (HOST)
The program's mission is to investigate open security methods, models and technologies and identify viable and sustainable approaches that support national cyber security objectives. The foundational technology for the purposes of HOST is based on open source software.
- Software Quality Assurance
The Software Quality Assurance project will develop tools, techniques and environments for analyzing software to detect security vulnerabilities in our Nation's critical infrastructure and networks. Specifically, the project addresses internal flaws and vulnerabilities in software and deals with the root of the problem by improving software security. Test environments for these tools will also be built. One such facility is the SoftWare Assurance Market Place (SWAMP), a research infrastructure that open source and commercial software developers can use to test the security of their software with source code analysis techniques, discovering and eliminating vulnerabilities in large codebases.
- Other resources are ISO/IEC 15026 System and Software Assurance and the book "Code Complete".
- Rice's theorem proves that every non-trivial semantic property of programs (a property of what the program computes, not of its text) is undecidable. Really. This is why no static analyzer can be both sound and complete: each one must over-approximate, under-approximate, or both.
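The statement of Rice's theorem and the standard proof sketch, added here as an illustration (it is not part of the original page; the notation $\varphi_e$, $P$, $I_P$ and the constructed program $r_{e,x}$ are the usual textbook conventions, not anything the page defines):

```latex
\textbf{Rice's theorem.} Let $\varphi_e$ denote the partial function computed by program $e$,
and let $P$ be a set of partial computable functions that is \emph{non-trivial}:
some computable function lies in $P$ and some lies outside it. Then the index set
$$ I_P = \{\, e : \varphi_e \in P \,\} $$
is undecidable.

\textbf{Proof sketch (reduction from the halting problem).}
Write $\bot$ for the nowhere-defined function. Replacing $P$ by its complement if
necessary, assume $\bot \notin P$, and fix a program $q$ with $\varphi_q \in P$.
Given a program $e$ and an input $x$, construct (uniformly in $e$ and $x$) the program
$$ r_{e,x}(y) \;=\; \text{run } \varphi_e(x);\ \text{if it halts, return } \varphi_q(y). $$
Then
$$ \varphi_{r_{e,x}} \;=\;
   \begin{cases}
     \varphi_q \in P      & \text{if } \varphi_e(x)\downarrow, \\
     \bot \notin P        & \text{otherwise.}
   \end{cases} $$
Hence $r_{e,x} \in I_P \iff \varphi_e(x)$ halts. A decider for $I_P$ would therefore
decide the halting problem, which is impossible.

\textbf{Consequence for analysis tools.}
``Does this program ever pass attacker-controlled data to a SQL query?'' is a property
of $\varphi_e$, not of the program text, so no tool decides it exactly. Every analyzer
either over-approximates (sound: it reports every real flaw, plus false positives),
under-approximates (complete: every report is real, but some flaws are missed), or both.
```

The practical reading for tool evaluation: a benchmark of test cases measures where a given tool's approximation lands, not whether it is "right", because no exact decision procedure exists.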
- Glossary of Computer Security Terms NCSC-TG-004 at https://fas.org/irp/nsa/rainbow/tg004.htm contains definitions of commonly used computer security terms. It was issued by the National Computer Security Center (NCSC) in 1988.