US Agency Sharpens Tool for Protecting Software Code
Software programmers work hard to produce secure, error-free code. Of course, bad things can happen -- but really, with increasingly diligent effort, how many things can go wrong? Quite a few, according to the National Institute of Standards and Technology (NIST).
Because cybersecurity is a national goal affecting both the private and public sector, NIST and the Department of Homeland Security (DHS) are involved in a joint program to protect the development and use of software.
NIST has just released an enhanced tool that is designed to help programmers check for errors in software development that can cause costly operational problems. The tool also offers increased protection against hackers.
Researchers at the agency have dramatically enlarged a database that helps programmers detect flaws in software. The purpose of the reference resource is to provide researchers, developers and end users with a database of both known software security errors and fixes for these flaws. The newly released SAMATE Reference Dataset (SRD), version 4.0, is freely available online and can be used for both proprietary and open source applications, including Linux.
A Wide Range of Vulnerabilities
Complex software configurations such as those used for operating systems or Web browsers usually require multiple programmers to write up to millions of lines of computer code. The code has to be checked for operational and security vulnerabilities and errors through the use of static analyzers. But the analyzers can find only the weaknesses they have been programmed to find.
The SRD 4.0 release greatly widens the range of weaknesses a static analyzer can be checked against. The dataset now covers 175 broad categories of weaknesses -- 100 more than the previous version covered.
"Within those broad categories there are numerous specific instances -- or cases -- of code errors, which we estimate now at about 60,000," Paul E. Black, Ph.D., the NIST lead for the SAMATE project, told CRM Buyer.
Before version 4.0, the dataset covered only 2,000 cases. Each case is about a page of code showing a problematic way of composing functions, loops, or logic operations, written in languages such as Java, C and C++. The dataset is fully searchable by language, type of weakness and code construct, and search results can be downloaded as a Zip file.
SAMATE stands for "Software Assurance Metrics and Tool Evaluation," a NIST project whose goal is to minimize errors in software. The errors are documented and listed within the IT community under the Common Weakness Enumeration (CWE) system.
Private Sector Connection
"Use of the SRD 4.0 tool is not limited to any sector. We welcome government, academia and the private sector to fully utilize it. In fact, the private sector can use the SRD to learn what problems should be avoided and to understand how these tools can help improve their software," Black said.
Within the private sector, companies can use the tool directly with their programming staffs, or vendors who offer code security services and products can use it as a benchmark for their offerings, he added.
"The SRD is for companies that build static analyzers, whose use is expanding within the software industry," noted Michael Koo, NIST project leader for SRD.
"It brings rigor into software assurance, so that the public can be more confident that there are fewer dangerous weaknesses in the software they use," he said.
"Any objective framework for evaluating research efforts is valuable," Gwyn Fisher, chief technology officer for Klocwork, told CRM Buyer.
"The ongoing effort by NIST to develop such a framework is very much appreciated by the community and provides a significant benchmark that is vital to any realistic measurement of improvement," he added.
"This program is where government organizations can play a perfect role, in fact, as NIST has done in other research areas over the years. There is no competitive aspect to this, and its very existence is of great value to the research and vendor communities," Fisher said. Klocwork has taken part in NIST-sponsored activities.
"A variety of tools, techniques, processes, and training are needed to create and maintain secure applications," Michael Coates, OWASP (Open Web Application Security Project) board chairman, told CRM Buyer.
"The data provided by SAMATE is another repository of knowledge that can be used for developer education or to help increase the effectiveness of static analysis tools, furthering the ultimate goal of increasing application security," he said.
OWASP is an international open community focused on improving the security of application software. The 1,500-member volunteer organization is supported by a substantial group of academic and corporate organizations including IBM, Symantec, and Salesforce.com.
"The area of static code analysis for security can be complex, and companies must consider the accuracy and comprehensiveness of such a tool against other options. The SAMATE Reference Dataset can serve as a benchmark for companies to compare and contrast a variety of tools against a common baseline," Coates said.
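To make concrete how a labelled dataset like the SRD can serve as the "common baseline" Coates describes, and how the searchable case structure described earlier (language, weakness type, code construct, flawed case versus fixed variant) feeds that comparison, here is an added example. It is not NIST's or SRD's code: the test cases, their identifiers and the two tool reports are constructed sample data, and the scoring assumes a finding counts only when its CWE id exactly matches the case label, which is simpler than how NIST's own tool expositions score results.

```python
"""Toy benchmark scorer in the spirit of the SAMATE Reference Dataset (SRD).

Each test case is a small program labelled with its language, the CWE it
exhibits (or is the fixed variant of), and the code construct involved.
A static analyzer's findings are compared with those labels to give
precision and recall per tool, plus recall per CWE, which shows which
weakness categories a tool was never taught to find. Dataset and tool
reports are constructed sample data, not real SRD cases or tool output.
"""
from dataclasses import dataclass
from typing import Dict, List, Set, Tuple


@dataclass(frozen=True)
class TestCase:
    case_id: str        # constructed identifier, not an SRD id
    language: str       # "C", "C++", "Java"
    cwe: int            # Common Weakness Enumeration id the case is about
    construct: str      # code construct the flaw lives in
    has_flaw: bool      # True = "bad" case, False = "good" (fixed) variant


# Constructed sample dataset: flawed cases paired with fixed variants.
DATASET: List[TestCase] = [
    TestCase("C-121-1",   "C",    121, "array index", True),    # stack buffer overflow
    TestCase("C-121-1g",  "C",    121, "array index", False),   # same code, bounds-checked
    TestCase("J-89-1",    "Java", 89,  "string concat", True),  # SQL injection
    TestCase("J-89-1g",   "Java", 89,  "string concat", False), # parameterized query
    TestCase("CPP-476-1", "C++",  476, "pointer deref", True),  # NULL pointer dereference
    TestCase("C-190-1",   "C",    190, "arithmetic", True),     # integer overflow
]

# Constructed tool reports: each finding is (case_id, reported CWE).
REPORTS: Dict[str, Set[Tuple[str, int]]] = {
    "ToolA": {("C-121-1", 121), ("J-89-1", 89), ("C-121-1g", 121)},
    "ToolB": {("C-121-1", 121), ("CPP-476-1", 476), ("C-190-1", 190), ("J-89-1", 79)},
}


def search(dataset, language=None, cwe=None, construct=None):
    """Filter cases the way the SRD search does: by language, weakness, construct."""
    return [
        c for c in dataset
        if (language is None or c.language == language)
        and (cwe is None or c.cwe == cwe)
        and (construct is None or c.construct == construct)
    ]


def score_tool(dataset, findings):
    """Score one tool's findings against the dataset labels.

    A true positive is a flawed case reported with the matching CWE.
    A flawed case not reported with its CWE is a false negative.
    Any other finding (a fixed variant, or a wrong CWE) is a false positive.
    """
    expected = {(c.case_id, c.cwe) for c in dataset if c.has_flaw}
    tp = len(expected & findings)
    fn = len(expected - findings)
    fp = len(findings - expected)
    precision = tp / (tp + fp) if tp + fp else 0.0
    recall = tp / (tp + fn) if tp + fn else 0.0
    return {"tp": tp, "fp": fp, "fn": fn, "precision": precision, "recall": recall}


def score_tools(dataset, reports):
    """Score every tool against the same baseline so results are comparable."""
    return {tool: score_tool(dataset, findings) for tool, findings in reports.items()}


def per_cwe_recall(dataset, findings):
    """Recall broken down by CWE: 0.0 marks a category the tool does not detect."""
    by_cwe = {}
    for c in dataset:
        if not c.has_flaw:
            continue
        hit, total = by_cwe.get(c.cwe, (0, 0))
        by_cwe[c.cwe] = (hit + int((c.case_id, c.cwe) in findings), total + 1)
    return {cwe: hit / total for cwe, (hit, total) in by_cwe.items()}


if __name__ == "__main__":
    for tool, summary in score_tools(DATASET, REPORTS).items():
        print(tool, summary)
        print("  per-CWE recall:", per_cwe_recall(DATASET, REPORTS[tool]))
```

The per-CWE breakdown is the part that matters when comparing analyzers: an overall recall figure hides that ToolA never flags the C++ and integer-overflow cases at all, which is exactly the "analyzers find only the weaknesses they have been programmed to find" problem the article raises.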
NIST has maintained a working relationship with private industry under the SAMATE project.
"In fact, we have received test suite contributions to our repository from many private sources, including security product vendors, and we have received much valuable input from the private sector in shaping the direction of the SRD and the Static Analysis Tool Exposition," Black said.
NIST plans to continue improving the tool and to work toward covering more of the CWE's weakness categories.
"We would like to expand into more software languages," said Black, "and even into the software design phase that precedes the composition phase."