SAMATE - Software Assurance Metrics And Tool Evaluation

From SAMATE

Welcome to the NIST SAMATE* project. Introduction to SAMATE has more details.

For us, Software Assurance (SA) covers both the property and the process to achieve it:

[Justifiable] confidence that software is free from vulnerabilities, either intentionally designed into the software or accidentally inserted at any time during its life cycle and that the software functions in the intended manner

from CNSS National Information Assurance (IA) Glossary CNSSI-4009, 26 April 2010, page 69.

... the planned and systematic set of activities that ensures that software processes and products conform to requirements, standards, and procedures

from NASA Software Assurance Standard NASA-STD-8739.8 (see quality assurance (1) in IEEE 610.12)

Content

• The Bugs Framework (BF) precisely defines software weaknesses and organizes them into orthogonal classes, such as Buffer Overflow (BOF), Injection (INJ), and Control of Interaction Frequency (CIF).
• IARPA STONESOUP Phase 3 is available as a virtual machine. IARPA STONESOUP documents are available here. Phase 1 is also available here.
• A new version of Juliet, 1.2, is available in two test suites, one for C/C++ and one for Java. Previous versions are still available in the SARD.
• The Static Analysis Tool Exposition (SATE) V reported at the SATE V workshop, March 2014. We are working on the final report.
• SATE IV reported at the SATE IV workshop, March 2012.
• SATE 2010 reported at the SATE 2010 workshop, October 2010.
• SATE 2009 reported at the SATE 2009 workshop, November 2009.
• SATE 2008 reported at the Static Analysis Workshop, June 2008.
• The Software Assurance Reference Dataset (SARD) is a collection of thousands of test programs with known security flaws. The Test Case Descriptions page describes the content. The Manual explains access.
• Source Code Security Analysis specifications, background, etc.
• Web Application Scanner specifications, background, etc.
• SA Tool Taxonomy
• SAMATE Publications
• Technical Advisory Panel

Join the SAMATE mailing list!

If you wish to participate in the online discussion of SAMATE, including the reference dataset, specifications, SATE, metrics, etc., please email us. If you are already a member, the mailing list web site is https://groups.yahoo.com/neo/groups/samate/info

Short URL to get to this site is https://samate.nist.gov/

We pronounce SAMATE as suh-mate, which rhymes with date.

If you are looking for the (similarly named) Software Engineering Method And Theory (SEMAT) project web site, please visit http://semat.org/.

This web site was created July 2005. This page was updated 2016.