Paul E. Black,
Software Assurance Metrics And Tool Evaluation,
Proceedings of the 2005 International Conf. on Software Engineering
Research and Practice (SERP'05), Hamid R. Arabnia and Hassan Reza eds,
vol II, Las Vegas, Nevada, (June 2005), CSREA.
NIST is starting two ambitious projects to (1) develop a
taxonomy of software security flaws and vulnerabilities, (2) develop a
taxonomy of software assurance (SA) functions and techniques which
detect those flaws, (3) perform and maintain a survey of SA tools
implementing the functions, (4) develop testable specifications of SA
functions and explicit tests, include a standard reference dataset, to
evaluate how closely tools implement the functions, and (5) lead
efforts to develop metrics for the effectiveness of those functions.
The end result is that users will be able to choose a combination of
techniques which best suits their needs and will be able to state how
much confidence they have in software which has been assessed. This
paper details these two projects and presents our justifications and
Get the paper in
DVI (30k) or
This page's URL is /~black/Papers/samateSERPjun05.html
Thu Jun 30 13:34:34 2005
by Paul E. Black
Black's papers or
NIST home page.