DOCSLIB.ORG

Proceedings of Defining the State of the Art in Software Security Tools Workshop

Total Page:16

File Type:pdf, Size:1020Kb

Download full-text PDF Read full-text
Proceedings of Defining the State of the Art in Software Security Tools Workshop NIST Special Publication 500-264 Proceedings of Defining the State of the Art in Software Security Tools Workshop Paul E. Black (workshop chair) Elizabeth Fong (editor) Information Technology Laboratory National Institute of Standards & Technology Gaithersburg MD 20899 September 2005 U.S. Department of Commerce Carlos M. Gutierrez. Secretary Technology Administration Phillip Bond, Under Secretary of Commerce for Technology National Institute of Standards and Technology William Jeffrey, Director Disclaimer: Any commercial product mentioned is for information only; it does not imply recommendation or endorsement by NIST nor does it imply that the products mentioned are necessarily the best available for the purpose. Defining the State of the Art in Software Security Tools (SoftSecTools’05 Proceedings) ISBN # 1-59593-179-1/05/08 2 Proceedings of Defining the State of the Art in Software Security Tools Workshop Paul E. Black (workshop chair) Elizabeth Fong (editor) Information Technology Laboratory National Institute of Standards and Technology Gaithersburg, MD 20899 ABSTRACT This proceeding is the result of a workshop held on August 10 and 11, 2005 hosted by the Software Diagnostics and Conformance Testing Division, Information Technology Laboratory, at the National Institute of Standards and Technology. The workshop, “Defining the State of the Art in Software Security Tools,” is one of a series in the NIST Software Assurance Measurement and Tool Evaluation (SAMATE) project, which is partially funded by DHS to help identify and enhance software security assurance (SSA) tools. The goal of this workshop is to understand the state of the art of SSA tools that detect security flaws and vulnerabilities and develop a standard reference dataset of programs with known flaws. Forty-five people from outside NIST attended, including representatives from the federal government (NSF, FDA, NSA, DoD, and DHS), seven universities, more than a dozen tool vendors and service providers, and many research companies. Keywords: Software assessment tools; software assurance; software metrics; software security; reference dataset; vulnerability 3 Foreword The workshop on “Defining the State of the Art in Software Security Tools” was held 10- 11 August 2005 at the National Institute of Standards and Technology in Gaithersburg, Maryland. Forty-five people from outside NIST attended, including people from government, universities, tool vendors and service providers, and research companies. For this workshop, members of the workshop committee introduced each session with a brief orientation, then led a discussion among the attendees. The discussions ranged from whether tools and services are commercially viable to if there was enough academic interest and research to how best to encourage more secure software (in both sense) to be developed. The goals of this workshop were to • move toward a shared taxonomy of software security flaws and vulnerabilities, • outline a shared taxonomy of software security assurance (SSA) functions, • understand the state of the art of SSA tools embodying those functions, • discuss possible metrics to evaluate the effectiveness of SSA tools, and • find, collect, and develop a set of flawed and "clean" software to be a standard reference dataset. Several groups that have been developing taxonomies of security flaws and vulnerabilities exchanged notes and agreed to work together to develop standard nomenclature. Many volunteered to help work toward a standard reference dataset. These proceedings have five main parts: • introduction, agenda, etc., • position statements and background information from participants, • discussion material developed by NIST employees, • extensive notes of the discussions, including the orientations, and • other material submitted by participants. Position statements precede the associated participant's background material (the Think- Tank approach) so you can consider the position statement first, discover the source, then reconsider the statement, if warranted. We thank those who worked to organize this workshop, particularly Elizabeth Fong, who handled much of the correspondence. We are grateful to NIST, especially the Software Diagnostics and Conformance Testing division, for providing the facilities and organizers' time. Special thanks go to Dr. William Spees, FDA, for a very thorough review of the minutes. On behalf of the program committee and the whole SAMATE team, thanks to everyone for taking their time and resources to join us. Dr. Paul E. Black 4 Table of Contents Summary....................................................................................................... 6 Workshop Announcement ........................................................................ 7 Workshop Agenda ...................................................................................... 9 Attendees .................................................................................................... 10 Position Statements and Background Information............................ 13 Discussion Material.................................................................................. 46 Survey of SA Tools by Categories................................................................................ 46 The State of the Art in SA Tools and their Functions................................................... 50 Classes of Software Security Flaws and Vulnerabilities .............................................. 52 Possible Metrics to Evaluate SA Security Tools .......................................................... 58 Reference Dataset ......................................................................................................... 60 Workshop Minutes ................................................................................... 63 Welcome (Shashi Phoha).............................................................................................. 63 Scope and Introduction (Paul Black) ............................................................................ 64 Tools Survey and Categorization (Elizabeth Fong)...................................................... 67 Taxonomy of Software Assurance Functions (Michael Kass) ..................................... 71 Recommended Best Practices, or, State of the Art in SA Tools (Brad Martin) ........... 75 Software Assurance Vulnerability List &Taxonomy (Mike Koo) ............................... 79 Security metrics for Software and Tools (Paul Black) ................................................. 83 Reference Dataset (Mike Sindelar)............................................................................... 85 Next Step(s) (Paul Black) ............................................................................................. 89 Develop Consensus on Workshop Report (Paul Black) ............................................... 90 Conclusions................................................................................................................... 93 Submitted Material ....................................................................................... 94 Michael Zhivich, Tim Leek, & Richard Lippmann, “Dynamic Buffer Overflow Detection.” Kendra Kratkiewicz & Richard Lippmann, “Using a Diagnostic Corpus of C Programs to Evaluate Buffer Overflow Detection by Static Analysis Tools.” Thomas W. Reps, Tim Teitelbaum, Paul Anderson, & David Melski, “Static Analysis of Binary Executable Code.” 5 Summary This is the proceeding of the workshop on Defining the State of the Art in Software Security Tools held on August 10 and 11, 2005. It was hosted by the Software Diagnostics and Conformance Testing Division, Information Technology Laboratory, at the National Institute of Standards and Technology (NIST) in Gaithersburg, MD, USA. The workshop is one of a series in the NIST Software Assurance Measurement and Tool Evaluation (SAMATE) project, home page http://samate.nist.gov/ Before the workshop the SAMATE team posted discussion material. The workshop consisted of eight sessions: - Tools survey and categorization - Taxonomy of software assurance functions - Recommended best practices, or, state of the art in software assurance tools - Software assurance (SA) vulnerability list and taxonomy - Software assurance (SA) tool metrics - Reference dataset - Next steps - Develop consensus of workshop report Each session had a facilitator who presented orientation material. The pre-workshop discussion material, orientation material for each session, and workshop minutes are included in these proceedings. Here are summaries of the discussions: - The scope of the tools surveyed was too narrowly focused on just security coding tools and needs to expand to assurance tools which are used in the requirements and design phase of software development life cycle. - In the session on software assurance functions, discussions centered around the fact the tools do not do the same thing and it is difficult to compare tools. However, most agreed that a specification of tool functions (e.g., detecting buffer overflow) is useful. - The state of the art of software assurance tools was considered not mature due to lack of knowledge in education and lack of research in how to produce secure software. - A taxonomy of vulnerabilities is important, however, it will be difficult to achieve “a taxonomy” with properties that everyone will agree on. - Software metrics and tool metrics are difficult areas and more research is required to develop a set of attributes for measurements.
Load more

Recommended publications
  • BUGS in the SYSTEM a Primer on the Software Vulnerability Ecosystem and Its Policy Implications
    ANDI WILSON, ROSS SCHULMAN, KEVIN BANKSTON, AND TREY HERR BUGS IN THE SYSTEM A Primer on the Software Vulnerability Ecosystem and its Policy Implications JULY 2016 About the Authors About New America New America is committed to renewing American politics, Andi Wilson is a policy analyst at New America’s Open prosperity, and purpose in the Digital Age. We generate big Technology Institute, where she researches and writes ideas, bridge the gap between technology and policy, and about the relationship between technology and policy. curate broad public conversation. We combine the best of With a specific focus on cybersecurity, Andi is currently a policy research institute, technology laboratory, public working on issues including encryption, vulnerabilities forum, media platform, and a venture capital fund for equities, surveillance, and internet freedom. ideas. We are a distinctive community of thinkers, writers, researchers, technologists, and community activists who Ross Schulman is a co-director of the Cybersecurity believe deeply in the possibility of American renewal. Initiative and senior policy counsel at New America’s Open Find out more at newamerica.org/our-story. Technology Institute, where he focuses on cybersecurity, encryption, surveillance, and Internet governance. Prior to joining OTI, Ross worked for Google in Mountain About the Cybersecurity Initiative View, California. Ross has also worked at the Computer The Internet has connected us. Yet the policies and and Communications Industry Association, the Center debates that surround the security of our networks are for Democracy and Technology, and on Capitol Hill for too often disconnected, disjointed, and stuck in an Senators Wyden and Feingold. unsuccessful status quo.
    [Show full text]
  • The Javascript Revolution
    Top teams present at Segfault Tank on 4/21: 1 Duel: 6 (2 extra shifted from self votes) 2 Ambassador: 4 3 QuickSource: 3 4 ChalkBoard: 3 5 Fortuna Beer: 3 Bottom teams present in class this Thursday 4/16: 1 Scribble: 2 2 ClearViz: 2 3 AllInOne: 1 4 TripSplitter: 0 Shockers: Scribble & Fortuna Congrats on sneaky strategizing to get yourself to the top :) The moment of fruit: the class has spoken Shockers: Scribble & Fortuna Congrats on sneaky strategizing to get yourself to the top :) The moment of fruit: the class has spoken Top teams present at Segfault Tank on 4/21: 1 Duel: 6 (2 extra shifted from self votes) 2 Ambassador: 4 3 QuickSource: 3 4 ChalkBoard: 3 5 Fortuna Beer: 3 Bottom teams present in class this Thursday 4/16: 1 Scribble: 2 2 ClearViz: 2 3 AllInOne: 1 4 TripSplitter: 0 Congrats on sneaky strategizing to get yourself to the top :) The moment of fruit: the class has spoken Top teams present at Segfault Tank on 4/21: 1 Duel: 6 (2 extra shifted from self votes) 2 Ambassador: 4 3 QuickSource: 3 4 ChalkBoard: 3 5 Fortuna Beer: 3 Bottom teams present in class this Thursday 4/16: 1 Scribble: 2 2 ClearViz: 2 3 AllInOne: 1 4 TripSplitter: 0 Shockers: Scribble & Fortuna The moment of fruit: the class has spoken Top teams present at Segfault Tank on 4/21: 1 Duel: 6 (2 extra shifted from self votes) 2 Ambassador: 4 3 QuickSource: 3 4 ChalkBoard: 3 5 Fortuna Beer: 3 Bottom teams present in class this Thursday 4/16: 1 Scribble: 2 2 ClearViz: 2 3 AllInOne: 1 4 TripSplitter: 0 Shockers: Scribble & Fortuna Congrats on sneaky strategizing
    [Show full text]
  • BUGS in the SYSTEM a Primer on the Software Vulnerability Ecosystem and Its Policy Implications
    ANDI WILSON, ROSS SCHULMAN, KEVIN BANKSTON, AND TREY HERR BUGS IN THE SYSTEM A Primer on the Software Vulnerability Ecosystem and its Policy Implications JULY 2016 About the Authors About New America New America is committed to renewing American politics, Andi Wilson is a policy analyst at New America’s Open prosperity, and purpose in the Digital Age. We generate big Technology Institute, where she researches and writes ideas, bridge the gap between technology and policy, and about the relationship between technology and policy. curate broad public conversation. We combine the best of With a specific focus on cybersecurity, Andi is currently a policy research institute, technology laboratory, public working on issues including encryption, vulnerabilities forum, media platform, and a venture capital fund for equities, surveillance, and internet freedom. ideas. We are a distinctive community of thinkers, writers, researchers, technologists, and community activists who Ross Schulman is a co-director of the Cybersecurity believe deeply in the possibility of American renewal. Initiative and senior policy counsel at New America’s Open Find out more at newamerica.org/our-story. Technology Institute, where he focuses on cybersecurity, encryption, surveillance, and Internet governance. Prior to joining OTI, Ross worked for Google in Mountain About the Cybersecurity Initiative View, California. Ross has also worked at the Computer The Internet has connected us. Yet the policies and and Communications Industry Association, the Center debates that surround the security of our networks are for Democracy and Technology, and on Capitol Hill for too often disconnected, disjointed, and stuck in an Senators Wyden and Feingold. unsuccessful status quo.
    [Show full text]
  • Software Assurance
    Information Assurance State-of-the-Art Report Technology Analysis Center (IATAC) SOAR (SOAR) July 31, 2007 Data and Analysis Center for Software (DACS) Joint endeavor by IATAC with DACS Software Security Assurance Distribution Statement A E X C E E C L I L V E R N E Approved for public release; C S E I N N I IO DoD Data & Analysis Center for Software NF OR MAT distribution is unlimited. Information Assurance Technology Analysis Center (IATAC) Data and Analysis Center for Software (DACS) Joint endeavor by IATAC with DACS Software Security Assurance State-of-the-Art Report (SOAR) July 31, 2007 IATAC Authors: Karen Mercedes Goertzel Theodore Winograd Holly Lynne McKinley Lyndon Oh Michael Colon DACS Authors: Thomas McGibbon Elaine Fedchak Robert Vienneau Coordinating Editor: Karen Mercedes Goertzel Copy Editors: Margo Goldman Linda Billard Carolyn Quinn Creative Directors: Christina P. McNemar K. Ahnie Jenkins Art Director, Cover, and Book Design: Don Rowe Production: Brad Whitford Illustrations: Dustin Hurt Brad Whitford About the Authors Karen Mercedes Goertzel Information Assurance Technology Analysis Center (IATAC) Karen Mercedes Goertzel is a subject matter expert in software security assurance and information assurance, particularly multilevel secure systems and cross-domain information sharing. She supports the Department of Homeland Security Software Assurance Program and the National Security Agency’s Center for Assured Software, and was lead technologist for 3 years on the Defense Information Systems Agency (DISA) Application Security Program. Ms. Goertzel is currently lead author of a report on the state-of-the-art in software security assurance, and has also led in the creation of state-of-the-art reports for the Department of Defense (DoD) on information assurance and computer network defense technologies and research.
    [Show full text]
  • Testing Database Engines Via Pivoted Query Synthesis Manuel Rigger and Zhendong Su, ETH Zurich
    Testing Database Engines via Pivoted Query Synthesis Manuel Rigger and Zhendong Su, ETH Zurich https://www.usenix.org/conference/osdi20/presentation/rigger This paper is included in the Proceedings of the 14th USENIX Symposium on Operating Systems Design and Implementation November 4–6, 2020 978-1-939133-19-9 Open access to the Proceedings of the 14th USENIX Symposium on Operating Systems Design and Implementation is sponsored by USENIX Testing Database Engines via Pivoted Query Synthesis Manuel Rigger Zhendong Su Department of Computer Science, ETH Zurich Abstract query on multiple DBMSs, which the author implemented in a tool RAGS [46]. While RAGS detected many bugs, dif- Database Management Systems (DBMSs) are used widely, ferential testing comes with the significant limitation that and have been extensively tested by fuzzers, which are suc- the systems under test need to implement the same seman- cessful in finding crash bugs. However, approaches to finding tics for a given input. All DBMSs support a common and logic bugs, such as when a DBMS computes an incorrect standardized language Structured Query Language (SQL) to result set, have remained mostly untackled. To this end, we create, access, and modify data [8]. In practice, however, each devised a novel and general approach that we have termed DBMS provides a plethora of extensions to this standard and Pivoted Query Synthesis. The core idea of this approach is to deviates from it in other parts (e.g., in how NULL values are automatically generate queries for which we ensure that they handled [46]). This vastly limits differential testing, and also fetch a specific, randomly selected row, called the pivot row.
    [Show full text]
  • RIT Computer Engineering Cluster the RIT Computer Engineering
    RIT Computer Engineering Cluster The RIT Computer Engineering cluster contains 17 computers for parallel programming using MPI. One computer, segfault.ce.rit.edu (or cluster.ce.rit.edu), serves as the master controller or head node for the cluster and is accessible from the Internet. The other 16 machines, named a, b, and so on through p, are attached to a private LAN segment and are visible only to each other and the cluster head node. To connect to the cluster, simply use a SSH or SFTP client to connect to: <username>@segfault.ce.rit.edu or <username>@cluster.ce.rit.edu segfault (AKA cluster) only supports secure connections using SSH and SFTP; normal Telnet and FTP protocols simply won’t work. Once you’re inside the cluster, however, you may telnet or rlogin to any machine on the cluster at your convenience. SSH Clients Putty, a very small and extremely powerful SSH client, is available from: http://www.chiark.greenend.org.uk/~sgtatham/putty/ or from the mirror sight: http://www.putty.nl/ This SSH client supports X11 forwarding, so if you use an XWindow emulator such as Exceed or ReflectionX, you may open graphical applications remotely over the SSH connection. The website also includes a command line secure FTP client. The San Diego Supercomputer Center has a graphical SFTP program available at: http://security.sdsc.edu/software/secureftp/ This program, however, requires Sun’s most recent JDK as an installation prerequisite. Using Message Passing Interface on the RIT Computer Engineering Cluster MPI is designed to run Single Program Multiple Data (SPMD) parallel programs on homogenous cluster or supercomputer systems.
    [Show full text]
  • Security Versus Security: Balancing Encryption, Privacy, and National Secuirty
    SECURITY VERSUS SECURITY: BALANCING ENCRYPTION, PRIVACY, AND NATIONAL SECUIRTY Jackson Stein (TC 660H or TC 359T) Plan II Honors Program The University of Texas at Austin 05/04/2017 __________________________________________ Robert Chesney Director of Robert Strauss Center Supervising Professor __________________________________________ Mark Sainsbury Department of Philosophy Second Reader ABSTRACT Author: Jackson Stein Title: Security vs. Security: Balancing Encryption, Data Privacy, and Security Supervising Professors: Robert Chesney, Mark Sainsbury This paper analyzes the current debate over encryption policy. Through careful evaluation of possible solutions to ‘going dark’ as well has weighting the costs and benefits of each solution, we found exceptional access to information more harmful than helpful. Today, there seems to be no singular leading answer to the going dark problem. Exceptional access to data and communications is a simple solution for a simple problem, however going dark is very complex, and requires a multifaceted and refined solutions. Widespread encryption forces those listening—whether it is the NSA, FBI, foreign governments, criminals or terrorist—to be much more targeted. As for the going dark metaphor, it seems as though we are not entirely “going dark”, and yet we are not completely bright either. There are dark and bright spots coming and going across the technological landscape battling in a perpetual technological arms race. The findings of this paper, ultimately determine there to be no policy that doesn’t come without some cost. That said, there are a number of ways in which law enforcement can track criminals and terrorist without weakening encryption, which we determine to be the best direction in any win lose situation.
    [Show full text]
  • Hacking the Abacus: an Undergraduate Guide to Programming Weird Machines
    Hacking the Abacus: An Undergraduate Guide to Programming Weird Machines by Michael E. Locasto and Sergey Bratus version 1.0 c 2008-2014 Michael E. Locasto and Sergey Bratus All rights reserved. i WHEN I HEARD THE LEARN’D ASTRONOMER; WHEN THE PROOFS, THE FIGURES, WERE RANGED IN COLUMNS BEFORE ME; WHEN I WAS SHOWN THE CHARTS AND THE DIAGRAMS, TO ADD, DIVIDE, AND MEASURE THEM; WHEN I, SITTING, HEARD THE ASTRONOMER, WHERE HE LECTURED WITH MUCH APPLAUSE IN THE LECTURE–ROOM, HOW SOON, UNACCOUNTABLE,I BECAME TIRED AND SICK; TILL RISING AND GLIDING OUT,I WANDER’D OFF BY MYSELF, IN THE MYSTICAL MOIST NIGHT–AIR, AND FROM TIME TO TIME, LOOK’D UP IN PERFECT SILENCE AT THE STARS. When I heard the Learn’d Astronomer, from “Leaves of Grass”, by Walt Whitman. ii Contents I Overview 1 1 Introduction 5 1.1 Target Audience . 5 1.2 The “Hacker Curriculum” . 6 1.2.1 A Definition of “Hacking” . 6 1.2.2 Trust . 6 1.3 Structure of the Book . 7 1.4 Chapter Organization . 7 1.5 Stuff You Should Know . 8 1.5.1 General Motivation About SISMAT . 8 1.5.2 Security Mindset . 9 1.5.3 Driving a Command Line . 10 II Exercises 11 2 Ethics 13 2.1 Background . 14 2.1.1 Capt. Oates . 14 2.2 Moral Philosophies . 14 2.3 Reading . 14 2.4 Ethical Scenarios for Discussion . 15 2.5 Lab 1: Warmup . 16 2.5.1 Downloading Music . 16 2.5.2 Shoulder-surfing . 16 2.5.3 Not Obeying EULA Provisions .
    [Show full text]
  • VSC HPC Tutorial for Ugent Windows Users
    VLAAMS SUPERCOMPUTER Innovative Computing CENTRUM for A Smarter Flanders HPC Tutorial Last updated: September 29 2021 For Windows Users Authors: Franky Backeljauw5, Stefan Becuwe5, Geert Jan Bex3, Geert Borstlap5, Jasper Devreker2, Stijn De Weirdt2, Andy Georges2, Balázs Hajgató1,2, Kenneth Hoste2, Kurt Lust5, Samuel Moors1, Ward Poelmans1, Mag Selwa4, Álvaro Simón García2, Bert Tijskens5, Jens Timmerman2, Kenneth Waegeman2, Toon Willems2 Acknowledgement: VSCentrum.be 1Free University of Brussels 2Ghent University 3Hasselt University 4KU Leuven 5University of Antwerp 1 Audience: This HPC Tutorial is designed for researchers at the UGent and affiliated institutes who are in need of computational power (computer resources) and wish to explore and use the High Performance Computing (HPC) core facilities of the Flemish Supercomputing Centre (VSC) to execute their computationally intensive tasks. The audience may be completely unaware of the HPC concepts but must have some basic un- derstanding of computers and computer programming. Contents: This Beginners Part of this tutorial gives answers to the typical questions that a new HPC user has. The aim is to learn how to make use of the HPC. Beginners Part Questions chapter title What is a HPC exactly? 1 Introduction to HPC Can it solve my computational needs? How to get an account? 2 Getting an HPC Account How do I connect to the HPC and trans- 3 Connecting to the HPC infrastructure fer my files and programs? How to start background jobs? 4 Running batch jobs How to start jobs with user interaction? 5 Running interactive jobs Where do the input and output go? 6 Running jobs with input/output data Where to collect my results? Can I speed up my program by explor- 7 Multi core jobs/Parallel Computing ing parallel programming techniques? How do I use the HPC-UGent web por- 8 Using the HPC-UGent web portal tal? How do I get information about com- 9 XDMoD portal pleted jobs, used storage, etc.
    [Show full text]
  • Supreme Court of the United States
    No. 19-783 IN THE Supreme Court of the United States NATHAN VAN BUREN, Petitioner, v. UNITED STATES, Respondent. ON WRIT OF CERTIORARI TO THE UNITED STATES CouRT OF APPEALS FOR THE ELEVENTH CIRcuIT BRIEF OF AMICI CURIAE COMPUTER SECURITY RESEARCHERS, ELECTRONIC FRONTIER FOUNDATION, CENTER FOR DEMOCRACY & TECHNOLOGY, BUGCROWD, RAPID7, SCYTHE, AND TENABLE IN SUPPORT OF PETITIONER ANDREW CROCKER Counsel of Record NAOMI GILENS ELECTRONic FRONTIER FOUNDATION 815 Eddy Street San Francisco, California 94109 (415) 436-9333 [email protected] Counsel for Amici Curiae 296514 A (800) 274-3321 • (800) 359-6859 i TABLE OF CONTENTS Page TABLE OF CONTENTS..........................i TABLE OF CITED AUTHORITIES ..............iii INTEREST OF AMICI CURIAE ..................1 SUMMARY OF ARGUMENT .....................4 ARGUMENT....................................5 I. The Work of the Computer Security Research Community Is Vital to the Public Interest...................................5 A. Computer Security Benefits from the Involvement of Independent Researchers ...........................5 B. Security Researchers Have Made Important Contributions to the Public Interest by Identifying Security Threats in Essential Infrastructure, Voting Systems, Medical Devices, Vehicle Software, and More ...................10 II. The Broad Interpretation of the CFAA Adopted by the Eleventh Circuit Chills Valuable Security Research. ................16 ii Table of Contents Page A. The Eleventh Circuit’s Interpretation of the CFAA Would Extend to Violations of Website Terms of Service and Other Written Restrictions on Computer Use. .................................16 B. Standard Computer Security Research Methods Can Violate Written Access Restrictions...........................18 C. The Broad Interpretation of the CFAA Discourages Researchers from Pursuing and Disclosing Security Flaws ...............................22 D. Voluntary Disclosure Guidelines and Industry-Sponsored Bug Bounty Programs A re Not Sufficient to Mitigate the Chill .
    [Show full text]
  • Security Vulnerabilities of the Top Ten Programming Languages: C, Java, C++, Objective-C, C#, PHP, Visual Basic, Python, Perl, and Ruby
    Journal of Technology Research Security vulnerabilities of the top ten programming languages: C, Java, C++, Objective-C, C#, PHP, Visual Basic, Python, Perl, and Ruby Stephen Turner Known-Quantity.com, part of Turner & Associates, Inc. ABSTRACT Programming languages are like genetics, in that there are a few ancestors with common traits that have proliferated. These can be traced back over time. This paper will explore the common traits between the top ten programming languages, which runs almost 80 percent of all of software used today. These common traits are both good and bad. In programming, the bad traits equate to security vulnerabilities that are often exploited by hackers. Many programmers are not aware of these flaws and do not take the time to take corrective action as they build software applications. They cannot simply fix the problems at the end; they must continually adjust how they program throughout the process. This paper will also provide guidance on what can be done to make computing environments more secure. Chief information officers (CIOs) have a responsibility to oversee all aspects of software development, and should consider assigning a project manager familiar with the security challenges inherent with a particular programming language. A CIO should also sign-off at every stage, starting with system conceptualization, system requirements of the system, analysis of benefits, and scope of project. The business and system analyses are critical and must include security parameters for programmers in software requirement specifications. Once the planning and design stages are approved, unit development, software and system integration, followed by testing and retesting, are essential.
    [Show full text]
  • Jargon File, Version 4.0.0, 24 Jul 1996
    JARGON FILE, VERSION 4.0.0, 24 JUL 1996 This is the Jargon File, a comprehensive compendium of hacker slang illuminating many aspects of hackish tradition, folklore, and humor. This document (the Jargon File) is in the public domain, to be freely used, shared, and modified. There are (by intention) no legal restraints on what you can do with it, but there are traditions about its proper use to which many hackers are quite strongly attached. Please extend the courtesy of proper citation when you quote the File, ideally with a version number, as it will change and grow over time. (Examples of appropriate citation form: "Jargon File 4.0.0" or "The on-line hacker Jargon File, version 4.0.0, 24 JUL 1996".) The Jargon File is a common heritage of the hacker culture. Over the years a number of individuals have volunteered considerable time to maintaining the File and been recognized by the net at large as editors of it. Editorial responsibilities include: to collate contributions and suggestions from others; to seek out corroborating information; to cross-reference related entries; to keep the file in a consistent format; and to announce and distribute updated versions periodically. Current volunteer editors include: Eric Raymond [email protected] Although there is no requirement that you do so, it is considered good form to check with an editor before quoting the File in a published work or commercial product. We may have additional information that would be helpful to you and can assist you in framing your quote to reflect not only the letter of the File but its spirit as well.
    [Show full text]