State-of-the-Art Resources (SOAR) for Software Vulnerability Detection, Test, and Evaluation 2016

November, 2016
IDA document: P-8005
FFRDC: Systems and Analyses Center
Type: Documents
Division: Information Technology and Systems Division
E. Kenneth Hong Fong, David A. Wheeler, Amy E. Henninger See more authors
Unintentional and intentionally inserted vulnerabilities in software can provide adversaries with various avenues to reduce system effectiveness, render systems useless, or even use our systems against us. Unfortunately, it can be difficult to determine what types of tools and techniques exist for evaluating software, and where their use is appropriate. This paper is written to enable DoD program managers (PMs), and their staff, to make effective software assurance and software supply chain risk management (SCRM) decisions, particularly when they are developing and executing their program protection plan (PPP). A secondary purpose is to inform DoD policymakers who are developing software policies. This paper describes an overall process for selecting and using appropriate analysis tool/technique types for evaluating software: (1) Select technical objectives based on context; (2) Select tool/technique types to address those technical objectives; (3) Select tools/techniques; (4) Summarize selection as part of a Program Protection Plan (PPP); (5) Apply the tools/techniques and report the results. This paper identifies 59 types of tools and techniques available for analyzing software, along with a mapping between these tool/technique types and technical objectives, to help readers identify and select types of tools and techniques.