This is a work of the U.S. Government and is not subject to copyright protection in the United States. The OWASP Foundation OWASP AppSec DC October 2005.

Slides:

Advertisements

Similar presentations

1 Copyright © 2002 Pearson Education, Inc.. 2 Chapter 1 Introduction to Perl and CGI.

Advertisements

Software Assurance Metrics and Tool Evaluation (SAMATE) Michael Kass National Institute of Standards and Technology

DETAILED DESIGN, IMPLEMENTATIONA AND TESTING Instructor: Dr. Hany H. Ammar Dept. of Computer Science and Electrical Engineering, WVU.

Programming Types of Testing.

Case Tools Trisha Cummings. Our Definition of CASE  CASE is the use of computer-based support in the software development process.  A CASE tool is a.

Choosing SATE Test Cases Based on CVEs Sue Wang October 1, 2010 The SAMATE Project 1SATE 2010 Workshop.

1 Building with Assurance CSSE 490 Computer Security Mark Ardis, Rose-Hulman Institute May 10, 2004.

1.2 Language Processing Activities The fundamental language processing activities divided into two parts. 1. Program generation activities 2. Program execution.

Chapter 10 Application Development. Chapter Goals Describe the application development process and the role of methodologies, models and tools Compare.

Vulnerability Assessments

Cloud Usability Framework

BUILDING A SECURE STANDARD LIBRARY Information Assurance Project I MN Tajuddin hj. Tappe Supervisor Mdm. Rasimah Che Mohd Yusoff ASP.NET TECHNOLOGY.

This is a work of the U.S. Government and is not subject to copyright protection in the United States. The OWASP Foundation OWASP AppSec DC October 2005.

This is a work of the U.S. Government and is not subject to copyright protection in the United States. The OWASP Foundation OWASP AppSec DC October 2005.

Systems Software Operating Systems.

VULNERABILITY MANAGEMENT Moving Away from the Compliance Checkbox Towards Continuous Discovery.

Planning for SATE V Paul E. Black National Institute of Standards and Technology

Lecturer: Ghadah Aldehim

CS527: (Advanced) Topics in Software Engineering Overview of Software Quality Assurance Tao Xie ©D. Marinov, T. Xie.

S ECURITY T OOLS F OR S OFTWARE D EVELOPMENT F X C OP 10.0 David Angulo Rubio.

Vulnerability-Specific Execution Filtering (VSEF) for Exploit Prevention on Commodity Software Authors: James Newsome, James Newsome, David Brumley, David.

COMPUTER SOFTWARE Section 2 “System Software: Computer System Management ” CHAPTER 4 Lecture-6/ T. Nouf Almujally 1.

A Framework for Automated Web Application Security Evaluation

There are different types of translator. An Interpreter Interpreters translate one instruction at a time from a high level language into machine code every.

Michael Ernst, page 1 Collaborative Learning for Security and Repair in Application Communities Performers: MIT and Determina Michael Ernst MIT Computer.

© FPT Software Code Review with VS © FPT Software Agenda What is Code review? Run Code analysis in VS 2012 Configuring Code Analysis rule set.

Department of Computer Science A Static Program Analyzer to increase software reuse Ramakrishnan Venkitaraman and Gopal Gupta.

CSC-682 Cryptography & Computer Security Sound and Precise Analysis of Web Applications for Injection Vulnerabilities Pompi Rotaru Based on an article.

Jump to first page (c) 1999, A. Lakhotia 1 Software engineering? Arun Lakhotia University of Louisiana at Lafayette Po Box Lafayette, LA 70504, USA.

Invitation to Computer Science 5 th Edition Chapter 6 An Introduction to System Software and Virtual Machine s.

Copyright © The OWASP Foundation Permission is granted to copy, distribute and/or modify this document under the terms of the Creative Commons Attribution-ShareAlike.

Testing Vs. Inspection Research Paper Diala T. Gammoh, Ph.D. Student Dr. Damla Turgut, Ph.D. University of Central Florida, Orlando Florida

Systems Software Operating Systems. What is software? Software is the term that we use for all the programs and data that we use with a computer system.

Sharda University P. K. Mishra (Asst.Prof) Department of Computer Science & Technology Subject Name: Programming Using C Sub Code: CSE-106 Programming.

Attacking Data Stores Brad Stancel CSCE 813 Presentation 11/12/2012.

Software Development. Software Developers Refresher A person or organization that designs software and writes the programs. Software development is the.

IXA 1234 : C++ PROGRAMMING CHAPTER 1. PROGRAMMING LANGUAGE Programming language is a computer program that can solve certain problem / task Keyword: Computer.

CE Operating Systems Lecture 3 Overview of OS functions and structure.

Copyright © The OWASP Foundation Permission is granted to copy, distribute and/or modify this document under the terms of the OWASP License. The OWASP.

1. 2 Preface In the time since the 1986 edition of this book, the world of compiler design has changed significantly 3.

LOGOPolyUnpack: Automating the Hidden-Code Extraction of Unpack-Executing Malware Royal, P.; Halpin, M.; Dagon, D.; Edmonds, R.; Wenke Lee; Computer Security.

Design - programming Cmpe 450 Fall Dynamic Analysis Software quality Design carefully from the start Simple and clean Fewer errors Finding errors.

CSCE 201 Secure Software Development Best Practices.

Copyright © The OWASP Foundation Permission is granted to copy, distribute and/or modify this document under the terms of the OWASP License. The OWASP.

Steps Identify - what digital content do you have? Select - what portion of that content will be preserved? Store - what issues are there for long term.

Reverse Engineering. Reverse engineering is the general process of analyzing a technology specifically to ascertain how it was designed or how it operates.

SwA Co-Chair and Task Lead Strategy Session Agenda Technology, Tools and Product Evaluation Working Group Status Briefing Co-Chair(s) Michael Kass (NIST),

Software Development Introduction

Hall, Accounting Information Systems, 8e ©2013 Cengage Learning. All Rights Reserved. May not be scanned, copied or duplicated, or posted to a publicly.

Outline Announcements: –HW I key online this afternoon –HW II due Friday –Sign up to discuss projects Debugging Testging for correctness.

T EST T OOLS U NIT VI This unit contains the overview of the test tools. Also prerequisites for applying these tools, tools selection and implementation.

What is a software? Computer Software, or just Software, is the collection of computer programs and related data that provide the instructions telling.

LAB: Linguistics Annotated Bibliography – A searchable Portal for Normed Database Information Erin M. Buchanan, Kathrene D. Valentine, Marilee L. Teasley,

Introduction to Computer Programming Concepts M. Uyguroğlu R. Uyguroğlu.

INTRODUCTION TO PROGRAMING System Development Mansoura October 2015.

Copyright © The OWASP Foundation Permission is granted to copy, distribute and/or modify this document under the terms of the OWASP License. The OWASP.

Smashing WebGoat for Fun and Research: Static Code Scanner Evaluation Josh Windsor & Dr. Josh Pauli.

Presented by Rob Carver

SOFTWARE TESTING Date: 29-Dec-2016 By: Ram Karthick.

Tools for Code Review Static Analysis Handles unfinished code

CMSC 345 Defensive Programming Practices from Software Engineering 6th Edition by Ian Sommerville.

OWASP Static Analysis (SA) Track Goals, Objectives, and Track Roadmap

Introduction to programming

Chapter 18 Maintaining Information Systems

FORMAL SYSTEM DEVELOPMENT METHODOLOGIES

Teaching Computing to GCSE

TRANSLATORS AND IDEs Key Revision Points.

Translators & Facilities of Languages

Data Management: Documentation & Metadata

OWASP Application Security Verification Standard

Presentation transcript:

This is a work of the U.S. Government and is not subject to copyright protection in the United States. The OWASP Foundation OWASP AppSec DC October Developing a Reference Dataset to Accurately Evaluate SA Tools Paul E. Black Computer Scientist, NIST

OWASP AppSec DC Outline  Goals for a Reference Dataset  Content and Characteristics  Complications and Considerations  Tour of NIST’s Prototype RDS

OWASP AppSec DC Goals  Provide researchers, developers, and consumers with a set of known bugs, flaws, weaknesses, vulnerabilities.  This allows developers and researchers to test their methods and consumers to evaluate tools.  The reference dataset will encompass a wide variety of vulnerabilities, languages, platforms, etc. from all phases of the software life cycle.  The dataset is a long-term effort needing contributions from many sources.

OWASP AppSec DC How is a Reference Dataset Used?  Researchers  Is a new method “better” than existing methods? Faster? Finds more flaws? Fewer false alarms? Produces more reliable programs? In what instances?  Saves time of assembling test cases  Tool Developers  What flaws should be caught? What problems should be prevented in code?  Suggests direction for new development  End Users  Understand need for better tools and techniques  Save effort and improve thoroughness in evaluation  Confirm utility of methods and tools

OWASP AppSec DC Role in the NIST SAMATE Project  Surveys  Draw from researchers, developers, and users  Taxonomies  Use common taxonomy of flaws  Grouped by common taxonomy of tools and methods  Gaps and research agendas  Helps highlight what is needed  Studies to develop metrics  Well-characterized samples for study  Enable tool evaluations  Standard reference material for use in test plans

OWASP AppSec DC Outline  Goals for a Reference Dataset  Content and Characteristics  Complications and Considerations  Tour of NIST’s Prototype RDS

OWASP AppSec DC What’s in the Reference Dataset?  Samples of designs, source code, binaries, etc. with known flaws and vulnerabilities.  Corresponding samples with the problems fixed.  Metadata to label samples with  Contributor, source for binaries, remediation, etc.,  Location and type of flaw(s), compiler or platform where it occurs etc.,  Drivers, stubs, declarations, etc.,  Input demonstrating flaw, expected results, and  Comments  Test suites consisting of sets of samples

OWASP AppSec DC Characteristics of the Reference Dataset  Metadata for sample is separate from the sample itself.  Samples are “wild” (production), “synthetic” (written to test), and academic (from classes).  Samples are mostly small (10’s of lines), but some are large (1000’s or millions of lines).  Samples are “write-only”, but may be declared obsolete and superceded in test suite.

OWASP AppSec DC Samples for Static vs. Dynamic Analysis  Samples are mostly for static analysis.  Some executable samples, but …  Dynamic analysis is better done in a test bed.  Network applications must have controlled access. network applications.  Dynamic analysis may interfere with running systems.  Need to rebuild corrupted systems.  Hard to run legacy executables on new platforms.  Flawed executables should be auxotrophic: won’t run without a special file, dll, etc. saying Warning: Software has Known Vulnerability

OWASP AppSec DC Public Access  Submit a new sample.  Status is tentative until examined.  Add new “fixed” versions, inputs demonstrating flaw, etc.  Retrieve samples, metadata, and test suites.  Comment on a sample.  Report result of a run of a tool on a sample.

OWASP AppSec DC Outline  Goals for a Reference Dataset  Content and Characteristics  Complications and Considerations  Tour of NIST’s Prototype RDS

OWASP AppSec DC Complications and Considerations  What about new threats, languages, etc.?  Reference dataset will evolve  May be slightly easier to “port” samples than write from scratch  What if developers build to the test?  Use the error sample generator  These tests are only one consideration  How about malicious use, i.e., university for crackers?  These are known flaws  Limit access to high risk flaws?

OWASP AppSec DC Outline  Goals for a Reference Dataset  Content and Characteristics  Complications and Considerations  Tour of NIST’s Prototype RDS

OWASP AppSec DC NIST Prototype Reference Dataset (RDS)  Populating with material from  Fortify Software (80+ samples)  MIT Lincoln Lab (1000+ samples)  NIST (20 samples)  Other possible sources:  OWASP WebGoat  Foundstone HacmeBook and HacmeBank  CVE list of known vulnerabilities  Other tool developers

OWASP AppSec DC Home Page

OWASP AppSec DC Search RDS by Keyword

OWASP AppSec DC Result of Search

OWASP AppSec DC ID 7: gets is never safe for untrusted input

OWASP AppSec DC Code for gets1-bad.c

OWASP AppSec DC Contact to Participate  Paul E. Black Project Leader Software Diagnostics & Conformance Testing Division, Software Quality Group, Information Technology Laboratory, NIST