Paul E. Black, Software Assurance Metrics And Tool Evaluation, Proceedings of the 2005 International Conf. on Software Engineering Research and Practice (SERP'05), Hamid R. Arabnia and Hassan Reza eds, vol II, Las Vegas, Nevada, (June 2005), CSREA.

    NIST is starting two ambitious projects to (1) develop a taxonomy of software security flaws and vulnerabilities, (2) develop a taxonomy of software assurance (SA) functions and techniques which detect those flaws, (3) perform and maintain a survey of SA tools implementing the functions, (4) develop testable specifications of SA functions and explicit tests, include a standard reference dataset, to evaluate how closely tools implement the functions, and (5) lead efforts to develop metrics for the effectiveness of those functions. The end result is that users will be able to choose a combination of techniques which best suits their needs and will be able to state how much confidence they have in software which has been assessed. This paper details these two projects and presents our justifications and expectations.

Get the paper in DVI (30k) or PDF (72k).

Get presentation slides (115k).

This page's URL is /~black/Papers/samateSERPjun05.html

Updated Thu Jun 30 13:34:34 2005

by Paul E. Black  (

Go to Black's papers or NIST home page.