Source Code Analysis Laboratory (SCALe)

Abstract : The Source Code Analysis Laboratory (SCALe) is a proof-of-concept demonstration that software systems can be conformance tested against secure coding standards. CERT' secure coding standards provide a detailed enumeration of coding errors that have resulted in vulnerabilities for commonly used software development languages. The SCALe team at the CERT Program, part of Carnegie Mellon University's Software Engineering Institute, analyzes a developer's source code and provides a detailed report of findings to guide the code's repair. After the developer has addressed these findings and the SCALe team determines that the product version conforms to the standard, the CERT Program issues the developer a certificate and lists the system in a registry of conforming systems. This report details the SCALe process and provides an analysis of selected software systems.

[1]  E Hicham,et al.  Failure Mode and Effects Analysis (FMEA) , 2007 .

[2]  Robert C. Seacord,et al.  Secure Coding in C and C++ (SEI Series in Software Engineering) , 2013 .

[3]  Jared D. DeMott,et al.  Fuzzing for Software Security Testing and Quality Assurance , 2008 .

[4]  Grace A. Lewis,et al.  Modernizing Legacy Systems - Software Technologies, Engineering Processes, and Business Practices , 2003, SEI series in software engineering.

[5]  Jerome H. Saltzer,et al.  The protection of information in computer systems , 1975, Proc. IEEE.

[6]  J. R. Landis,et al.  The measurement of observer agreement for categorical data. , 1977, Biometrics.

[7]  Alexander von Eye,et al.  Analyzing Rater Agreement: Manifest Variable Methods , 2004 .

[8]  Kenneth S. Stephens,et al.  The Handbook Of Applied Acceptance Sampling: Plans, Procedures And Principles , 2001 .

[9]  Vadim Okun,et al.  Static Analysis Tool Exposition (SATE) 2008 | NIST , 2009 .

[10]  Timothy Wilson,et al.  As-If Infinitely Ranged Integer Model , 2010, 2010 IEEE 21st International Symposium on Software Reliability Engineering.

[11]  Robert C. Seacord,et al.  The Cert Oracle Secure Coding Standard for Java , 2011 .

[12]  Thomas Plum,et al.  Eliminating Buffer Overflows , Using the Compiler or a Standalone Tool , 2005 .

[13]  Robert A. Martin,et al.  Vulnerability Type Distributions in CVE , 2007 .

[14]  Robert C. Seacord The CERT C Secure Coding Standard , 2008 .

[15]  Aurelien Delaitre,et al.  The Second Static Analysis Tool Exposition (SATE) 2009 , 2010 .

[16]  Pascal Meunier,et al.  Can source code auditing software identify common vulnerabilities and be used to evaluate software security? , 2004, 37th Annual Hawaii International Conference on System Sciences, 2004. Proceedings of the.