Participants

Who will develop these software facts? Who should approve them? What body grants a digest of software facts? The Software Assurance Consortium, Daniel G. Wolf, volunteered to serve as the home for this effort. How could a person or entity join this effort or make comments? This page will address these questions.

The idea of software facts was first communicated to me by Jeff Williams, Aspect Security, in 2005. Dr. William Pugh, University of Maryland, made many valuable suggestions, particularly about cautions or possible bad results from this effort, at the SAMATE Technical Advisory Panel meeting, April 2007.

Other material on these pages comes from presentations, discussion, and suggestions. One occasion was the "Code Transparency Panel" at the DHS Software Assurance Forum, May 2008, Virginia. Those presenting were:

Contact

To learn more about this effort or to get involved, please contact Paul E. Black at the U.S. National Institute of Standards and Technology (NIST).

History and Miscellaneous Comments

Dr. Black led another discussion at the DHS Software Assurance Working Group meeting, July 2008, Virginia. We incorporated those ideas and comments in these pages, too.

A 2005 blog by Eric Rescorla criticized an early "mock-up" of the software label that is on the main page.

In August 2008 Vadim Okun suggested "It may be useful to look at types of vulnerabilities as human illnesses and classify the degree of exposure. I think the medical field is a good match, because there it is also hard to get a quantitative measure. For example, "XSS in the program":



Created Mon Aug 11 09:50:11 2008

by Paul E. Black  (paul.black@nist.gov)

Updated Thu Feb 28 15:29:44 2013

by Paul E. Black  (paul.black@nist.gov)

Information Technology Laboratory, Software and Systems Division
NIST is an agency of the U.S. Commerce Department

This page's URL is http://hissa.nist.gov/~black/SoftwareFacts/process.html