SAMATE's Contribution to Information Assurance
There is far too much software in today’s information world to check manually. Even if people had the time to inspect thousands or millions of lines of code, nobody could remember all the constraints, requirements, and imperatives to make sure the software is secure. Automated tools are a must. These tools can help design and build the right software in the first place, for instance, checking protocols, consistency with rules, and properties. Preventing flaws at the beginning of the software life cycle is the best way to get high quality and highly reliable software.

But what if the system being designed includes commercial, off-the-shelf (COTS) packages? How can a contractor thoroughly audit or check large packages from subcontractors? What kinds of flaws does the current development process leave? Does a new software process yield better quality software? To address these questions, the finished software must be checked. Again, the quantity of software requires automated software checking or at worst manual checking of exceptional instances found by automated means.

To be sure, testing is a vital part of assurance, too. If one does not have access to the source code, which is often the case with COTS packages or Web services, testing may be the only feasible way to gain assurance. Even when the source code or the binary are available, testing can be closer to actual use. Testing can catch configuration or system problems that are taken for granted when code is examined. On the other hand, reviews can find problems that are unlikely to be found by testing. For instance, a malicious backdoor that grants special access for a particular user name, say “matahari,” cannot feasibly be found by functional, or black box, testing. Another advantage of automated tools is that they can be updated and rerun relatively quickly when a new type of flaw is discovered or the security policy is changed. It is impractical to recheck everything manually for apparently minor changes in the system.
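The contrast between black box testing and review for the “matahari” backdoor can be made concrete. The following is an added example, not code from the paper or from SAMATE: the sample `check_login` function, the probe, and the checker `find_literal_identity_checks` are all constructed for illustration, and the checker is one simple heuristic rather than a description of any particular tool.

```python
import ast
import random
import string

# Constructed sample under review: a login check containing the kind of
# backdoor the text describes (special access for one user name).
SAMPLE_SOURCE = '''
def check_login(user, password, db):
    if user == "matahari":
        return True
    return db.get(user) == password
'''

def load_sample():
    """Compile the sample so it can be exercised as a black box."""
    namespace = {}
    exec(compile(SAMPLE_SOURCE, "<sample>", "exec"), namespace)
    return namespace["check_login"]

def black_box_probe(check_login, trials=2000, seed=1):
    """Functional testing: random 8-letter user names with a wrong password.
    Returns the names that were accepted (none are expected)."""
    rng = random.Random(seed)
    db = {"alice": "correct horse"}  # constructed credential store
    accepted = []
    for _ in range(trials):
        name = "".join(rng.choice(string.ascii_lowercase) for _ in range(8))
        if check_login(name, "wrong", db):
            accepted.append(name)
    return accepted

def find_literal_identity_checks(source, identity_params=("user", "username")):
    """Review heuristic: flag comparisons of an identity parameter against a
    string literal. Returns (line number, literal) pairs."""
    findings = []
    for node in ast.walk(ast.parse(source)):
        if not isinstance(node, ast.Compare):
            continue
        operands = [node.left] + node.comparators
        names = {o.id for o in operands if isinstance(o, ast.Name)}
        literals = [o.value for o in operands
                    if isinstance(o, ast.Constant) and isinstance(o.value, str)]
        if names & set(identity_params) and literals:
            findings.append((node.lineno, literals[0]))
    return findings

if __name__ == "__main__":
    print("accepted by black box probe:", black_box_probe(load_sample()))
    print("flagged by source review:", find_literal_identity_checks(SAMPLE_SOURCE))
```

The probe samples from roughly 2 × 10^11 possible eight-letter names, so it reports nothing, while the source check flags the hard-coded comparison on its first pass and can be rerun unchanged whenever the code changes.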