Reducing Software Security Risk through an Integrated Approach

This paper discusses new joint work by the California Institute of Technology's Jet Propulsion Laboratory and the University of California at Davis, sponsored by the National Aeronautics and Space Administration, to develop a security assessment instrument for the software development and maintenance life cycle. The assessment instrument is a collection of tools and procedures to support the development of secure software. The toolset initially will have a Vulnerability Matrix (V Matrix) with severity, frequency, platform/application, and signature fields in a database keyed on the Computer Vulnerability Enumeration (CVE) number. The toolset also will include a property-based testing tool that slices software code looking for specific vulnerabilities using signatures from the V Matrix. A third component of the research underlying this toolset will be an investigation into the verification of software designs for compliance with security properties. This is based on model checking approaches initially researched together with analytical verification of formal specifications.
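The following added example (not code from the paper or from the JPL/UC Davis project) sketches how the two toolset components described above fit together: a V Matrix of records keyed on a CVE number with severity, frequency, platform/application and signature fields, and a small property-based checker that slices C source into functions and matches each slice against the matrix's signatures. The CVE identifiers, the severity scale, the signatures and the sample C program are all constructed placeholders, and the "slicer" is a deliberately simple line-based grouping by enclosing function, not the project's tool.

```python
"""Constructed sketch of a Vulnerability Matrix keyed on CVE number and a
signature-driven checker that inspects per-function slices of C source.
All CVE ids, fields and sample code are placeholders, not real entries."""
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class VMatrixEntry:
    cve: str          # key: CVE identifier (placeholder values below)
    severity: int     # constructed scale: 1 (low) .. 5 (critical)
    frequency: str    # constructed label for how often the weakness is seen
    platform: str     # platform/application the entry applies to
    signature: str    # regex over one source line that indicates the weakness
    description: str


# The V Matrix: a database keyed on the CVE number (placeholder ids).
V_MATRIX = {
    e.cve: e for e in [
        VMatrixEntry("CVE-0000-0001", 5, "common", "C/POSIX",
                     r"\bgets\s*\(", "unbounded read into a stack buffer"),
        VMatrixEntry("CVE-0000-0002", 4, "common", "C/POSIX",
                     r"\bstrcpy\s*\(", "string copy without a length bound"),
        VMatrixEntry("CVE-0000-0003", 3, "rare", "C/POSIX",
                     r"\bsystem\s*\(\s*\w", "shell command built from a variable"),
    ]
}

# Recognises a C function header at column 0, e.g. "int main(void) {".
FUNC_HEADER = re.compile(r"^\w[\w\s\*]*\s\**(\w+)\s*\([^;]*\)\s*\{?\s*$")


def slice_functions(source):
    """Group source lines by enclosing function name (a very small slicer).
    Returns {function_name: [(line_number, text), ...]}."""
    slices, current = {}, None
    for lineno, line in enumerate(source.splitlines(), 1):
        header = FUNC_HEADER.match(line)
        if header:
            current = header.group(1)
            slices.setdefault(current, [])
        if current is not None:
            slices[current].append((lineno, line))
        if line.startswith("}"):      # closing brace at column 0 ends the slice
            current = None
    return slices


def scan(source, matrix=V_MATRIX):
    """Match every line of every slice against the matrix signatures.
    Returns (cve, function, line_number, severity) tuples, most severe first."""
    findings = []
    for func, lines in slice_functions(source).items():
        for lineno, text in lines:
            for entry in matrix.values():
                if re.search(entry.signature, text):
                    findings.append((entry.cve, func, lineno, entry.severity))
    return sorted(findings, key=lambda f: (-f[3], f[2]))


# Constructed sample program (raw string so "\n" keeps the line count intact).
SAMPLE_SOURCE = r"""#include <stdio.h>
#include <string.h>

void greet(char *name) {
    char buf[64];
    strcpy(buf, name);
    printf("hi %s\n", buf);
}

int main(void) {
    char line[128];
    gets(line);
    greet(line);
    return 0;
}
"""

if __name__ == "__main__":
    for cve, func, lineno, sev in scan(SAMPLE_SOURCE):
        entry = V_MATRIX[cve]
        print(f"{cve} sev={sev} {entry.platform} {func}():{lineno} {entry.description}")
```

Keying the matrix on the CVE number lets a finding carry its severity and frequency straight into a risk ranking, which is why `scan` orders results by severity before line number; in a real instrument the signature field would describe a code pattern richer than a single-line regex.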
