Phase 3 of MITRE's Common Weakness Enumeration (CWE) Compatibility and Effectiveness program allows a customer to understand how effective a software assurance tool is at finding weaknesses and which code complexities it handles. Phase 3 is based on suites of test programs, but gives no criteria for how many programs are needed, what their nature should be, how effectiveness is defined, or other details. We recommend principles for selecting a test suite for CWE effectiveness, and present a basic effectiveness test suite in C for CWE-121 Stack-based Buffer Overflow. For transparency we also document the steps we took in developing it. Finally, we suggest future work, including the handling of code complexities.
Proceedings Title: Proc. 6th Latin-American Symposium on Dependable Computing
Conference Dates: April 1-5, 2013
Conference Location: Rio de Janeiro, Brazil
Conference Title: 6th Latin-American Symposium on Dependable Computing
Pub Type: Conferences
Keywords: software assurance, common weakness enumeration (CWE), static source code analysis
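As an added illustration of the kind of program such an effectiveness suite is built from (a constructed example, not a test case from the paper's own suite), the pair below places a flawed CWE-121 sink next to its bounded counterpart in one file: a tool under evaluation should report `cwe121_bad` and stay silent on `cwe121_good`, which is what lets a reviewer count true and false positives per test program. The function names, the buffer size and the sample inputs are assumptions of this example.

```c
/* Constructed CWE-121 test-case pair for evaluating a static analyzer.
 * cwe121_bad() is the flawed variant; cwe121_good() is the bounded fix. */
#include <stdio.h>
#include <string.h>

#define BUF_SIZE 16   /* assumed destination size for both variants */

/* Flawed variant: strcpy() takes its length from the input, so any input
 * of BUF_SIZE or more bytes writes past the end of the stack buffer.
 * Returns the number of bytes copied (well defined only for short input). */
size_t cwe121_bad(const char *input)
{
    char buf[BUF_SIZE];
    strcpy(buf, input);               /* CWE-121: no bound on the copy */
    return strlen(buf);
}

/* Fixed variant: the copy is bounded by the caller-supplied destination
 * size and the result is always NUL-terminated. Returns the number of
 * bytes stored, or -1 when the input would not fit (rejected, not truncated). */
int cwe121_good(const char *input, char *out, size_t out_size)
{
    size_t n = strlen(input);
    if (out_size == 0 || n >= out_size)
        return -1;                    /* would overflow: refuse the copy */
    memcpy(out, input, n + 1);        /* n bytes plus the terminator */
    return (int)n;
}

/* Harness: the short input is in bounds for both variants; the long input
 * is only handed to the fixed variant, which rejects it. */
int main(void)
{
    char out[BUF_SIZE];
    const char *short_in = "hello";                 /* constructed, 5 bytes */
    const char *long_in  = "0123456789ABCDEFGHIJ";  /* constructed, 20 bytes */
    printf("bad(short)  = %zu\n", cwe121_bad(short_in));
    printf("good(short) = %d\n", cwe121_good(short_in, out, sizeof out));
    printf("good(long)  = %d\n", cwe121_good(long_in, out, sizeof out));
    return 0;
}
```

Running a candidate tool over this file and recording whether it flags only the `strcpy` line is one data point of the per-weakness effectiveness measure the abstract describes.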