Improving vulnerability detection measurement: test suites and software security assurance

The Software Assurance Metrics and Tool Evaluation (SAMATE) project at the National Institute of Standards and Technology (NIST) has created the Software Assurance Reference Dataset (SARD) to provide researchers and software security assurance tool developers with a set of known security flaws. As part of an empirical evaluation of a runtime monitoring framework, two test suites were executed and monitored, revealing deficiencies that led to a collaboration with the NIST SAMATE team to provide replacements. Test Suites 45 and 46 are analyzed, discussed, and updated to improve accuracy, consistency, preciseness, and automation. Empirical results show that metrics such as recall, precision, and F-Measure are all affected by invalid base assumptions regarding the test suites.
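The abstract's last point, that tool metrics depend on the test suite's ground truth being right, can be made concrete by scoring one tool's findings against two versions of a suite manifest. The example below is added here and is not code from the paper or from SAMATE; the case ids, labels and tool findings are constructed (a suite with two mislabelled cases, then the same suite after correction), not SARD's real test cases.

```python
from typing import Dict, Set, Tuple

# Constructed manifest: case id -> True if the case contains the target flaw.
# ORIGINAL_LABELS stands in for a suite with labelling mistakes; the corrected
# version flips two cases after review. (Hypothetical values, not SARD data.)
ORIGINAL_LABELS: Dict[str, bool] = {
    "c01": True,  "c02": True,  "c03": True,  "c04": True,  "c05": False,
    "c06": False, "c07": False, "c08": False, "c09": True,  "c10": False,
}
# c04 turned out to be a bad test with no real flaw; c05 really is flawed.
CORRECTED_LABELS: Dict[str, bool] = dict(ORIGINAL_LABELS, c04=False, c05=True)

# Constructed tool output: the cases in which the tool reported a flaw.
TOOL_FINDINGS: Set[str] = {"c01", "c02", "c03", "c05", "c08"}


def confusion(findings: Set[str], labels: Dict[str, bool]) -> Tuple[int, int, int, int]:
    """Return (tp, fp, fn, tn) for the findings scored against the labels."""
    tp = fp = fn = tn = 0
    for case, flawed in labels.items():
        reported = case in findings
        if reported and flawed:
            tp += 1
        elif reported:
            fp += 1
        elif flawed:
            fn += 1
        else:
            tn += 1
    return tp, fp, fn, tn


def score(findings: Set[str], labels: Dict[str, bool]) -> Dict[str, float]:
    """Precision, recall and F-measure (F1) of the findings against the labels."""
    tp, fp, fn, _ = confusion(findings, labels)
    precision = tp / (tp + fp) if tp + fp else 0.0
    recall = tp / (tp + fn) if tp + fn else 0.0
    # 2PR/(P+R) written in counts so small suites give exact fractions.
    f_measure = 2 * tp / (2 * tp + fp + fn) if tp else 0.0
    return {"precision": precision, "recall": recall, "f_measure": f_measure}


def relabelled_cases(old: Dict[str, bool], new: Dict[str, bool]) -> Dict[str, Tuple[bool, bool]]:
    """Cases whose ground truth changed between manifest versions: id -> (old, new)."""
    return {c: (old[c], new[c]) for c in old if c in new and old[c] != new[c]}
```

Scoring the same findings against both manifests moves precision, recall and F-measure from 0.6 to 0.8 without the tool changing at all; only the suite's assumptions did.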
