The Software SOAR (which I co-authored) has finally been released to the public! This document - whose full name is State-of-the-Art Resources (SOAR) for Software Vulnerability Detection, Test, and Evaluation (Institute for Defense Analyses Paper P-5061, July 2014) - is now available to everyone. It defines and describes the following overall process for selecting and using appropriate analysis tools and techniques for evaluating software for software (security) assurance. In particular, it identifies types of tools and techniques available for evaluating software, as well as the technical objectives those tools and techniques can meet. A key thing that it does is make clear that in most cases you need to use a variety of different tools if you are trying to evaluate software (e.g., to find vulnerabilities).
The easy way to get the document is via the Program Protection and System Security Engineering web page, then scroll to the bottom to look for it (it is co-authored by David A. Wheeler and Rama S. Moorthy). You can jump directly to the Main report of the software SOAR and Appendix E (Software State-of-the-Art Resources (SOAR) Matrix). You can also get the software SOAR report via IDA.
I don’t normally mention things I’ve done at work, but this is publicly available, some people have been waiting for it, and I’ve found that some people have had trouble finding it. For example, the article “Pentagon rates software assurance tools” by David Perera (Politico, 2014-08-19) is about this paper, but it does not tell people how to actually get it. I’m hoping that this announcement will give people a hand.
path: /security | Current Weblog | permanent link to this entry