The Software Assurance Metrics and Tool Evaluation Reference Dataset from the National Institute of Standards and Technology helps developers find bugs in their code.
National Institute of Standards and Technology expanded its database of
software flaws to help developers avoid introducing bugs into their code right
from the start.
Software Assurance Metrics and Tool Evaluation (SAMATE) Reference Dataset
contains examples of software issues that could leave applications vulnerable
to attackers. Version 4.0 of SAMATE, released Nov. 22, contains 175 broad
categories of weaknesses with over 60,000 specific cases, more than doubling
the number of categories that were included in the previous release.
was launched in 2004 to improve software assurance by making it easier to
identify and exclude known issues. The database helps developers test software
offerings for known security vulnerabilities before going to market.
brings rigor into software assurance, so that the public can be more confident
that there are fewer dangerous weaknesses in the software they use," said
Michael Koo, project leader at NIST.
vulnerabilities such as SQL injection and cross-site scripting still account
for a majority of security flaws in Web applications, and several hacktivists
operating under the Anonymous banner managed to compromise several high-profile
sites by exploiting those issues this year. SQL injection, classic buffer
overflow and operating system command injection errors were among the top
errors highlighted by the SANS Institute in June in its annual list of the top
25 most dangerous software errors.
experts have long urged software developers and vendors to bake security into
the development lifecycle and scan for common coding errors instead of checking
for potential security issues just before going to market. Security has to be
part of the design, and everyone from the start has to be thinking about
security implications, Marisa Viveros, vice president of IBM Security Services,
weaknesses might be compared to grammatical errors in a page of writing-errors
that inadvertently instruct a computer to do things that leave itself open to
cyber-attack, said NIST. A number of popular programming languages-including
Java, C and C++-are represented. Specific examples of a coding mistake are
listed in the database with a code sample illustrating how a code vulnerability
was created by the way the function was written. The database is fully
searchable by language, type of weakness and specific code samples. Developers
receive the search results as a downloadable .zip file.
"act of checking out software" by making sure it is not vulnerable to
cyber-attack has become "so complicated" that developers rely on a
static analyzer program to help with the checking, NIST said. Static analyzers
run through the code looking for obvious problems, but they can only find the
weaknesses they have been programmed to find. Static analyzer vendors can
include the expanded SAMATE database to have a bigger reference set to search
against, which would catch more errors, according to NIST.
complements other programs with similar goals, such as the Common Weakness
Enumeration and the Common Vulnerabilities and Exposures (CVE) databases
maintained by Mitre. Many companies rely on CVE to identify bugs that it has
patched in its software. SAMATE does not yet cover as many known issues as CVE,
which has close to 500 types.
NIST team plans to improve the dataset by including more errors and support
more programming languages, according to Koo. Future versions will also include
larger code samples, which is currently about a page long. There are also plans
to explore vulnerabilities in large open-source software packages of up to 1
million lines of code and include those issues in the dataset.