Software must be developed to have high quality: quality cannot be "tested in". However auditors, certifiers, and others must assess the quality of software they receive. "Black-box" software testing cannot realistically find maliciously implanted Trojan horses or subtle errors which have many preconditions. For maximum reliability and assurance, static analysis must be used in addition to good development and testing. Static analyzers are quite capable and are developing quickly. Yet, developers, auditors, and examiners could use far more capabilities.
The goals of the Static Analysis Tool Exposition (SATE) V are to:
Briefly, participating tool makers run their tools on a set of programs. Researchers led by NIST analyze the tool reports. This workshop is the first chance the public will have to hear SATE V observations and conclusions. For this edition the set of programs includes five large, open-source tools selected for having known (CVE-reported) vulnerabilities and also most of the Juliet test suite, almost 90,000 synthetic test cases in C/C++ and Java. We will also recognize sound analyzers through the SATE V Ockham Sound Analysis Criteria.