Bad and good news about using software assurance tools. (29th April 2016)
- Record Type:
- Journal Article
- Title:
- Bad and good news about using software assurance tools. (29th April 2016)
- Main Title:
- Bad and good news about using software assurance tools
- Authors:
- Kupsch, James A.
Heymann, Elisa
Miller, Barton
Basupalli, Vamshi - Abstract:
- Summary: Software assurance tools – tools that scan the source or binary code of a program to find weaknesses – are the first line of defense in assessing the security of a software project. Even though there are a plethora of such tools available, with multiple tools for almost every programming language, adoption of these tools is spotty at best. And even though different tools have distinct abilities to find different kinds of weaknesses, the use of multiple tools is even less common. And when the tools are used (or attempted to be used), they are often used in ways that reduce their effectiveness. We present a step‐by‐step discussion of how to use a software assurance tool, describing the challenges that can occur in this process. We also present quantitative evidence about the effects that can occur when assurance tools are applied in a simplistic or naive way. We base this presentation on our direct experiences with using a wide variety of assurance tools. We then present the US Department of Homeland Security funded Software Assurance Marketplace (SWAMP), an open facility where users can upload their software to have it automatically and continually assessed by a variety of tools. The goal of the SWAMP is to simplify the task of the programmer in using assurance tools, thereby removing many of the obstacles to their adoption. Copyright © 2016 The Authors. Software: Practice and Experience Published by John Wiley & Sons, Ltd.
- Is Part Of:
- Software, practice & experience. Volume 47:Number 1(2017)
- Journal:
- Software, practice & experience
- Issue:
- Volume 47:Number 1(2017)
- Issue Display:
- Volume 47, Issue 1 (2017)
- Year:
- 2017
- Volume:
- 47
- Issue:
- 1
- Issue Sort Value:
- 2017-0047-0001-0000
- Page Start:
- 143
- Page End:
- 156
- Publication Date:
- 2016-04-29
- Subjects:
- continuous assurance -- static analysis -- software security
Computer software -- Periodicals
Computer programming -- Periodicals
Computer programs -- Periodicals
005.3 - Journal URLs:
- http://onlinelibrary.wiley.com/ ↗
- DOI:
- 10.1002/spe.2401 ↗
- Languages:
- English
- ISSNs:
- 0038-0644
- Deposit Type:
- Legaldeposit
- View Content:
- Available online (eLD content is only available in our Reading Rooms) ↗
- Physical Locations:
- British Library DSC - 8321.453000
British Library DSC - BLDSS-3PM
British Library STI - ELD Digital store - Ingest File:
- 2759.xml