Reducing Software Security Risk through an Integrated Approach

This paper discusses new joint work by the California Institute of Technology’s Jet Propulsion Laboratory and the University of California at Davis sponsored by the National Aeronautics and Space Administration to develop a security assessment instrument for the sojiware development and maintenance life cycle. The assessment instrument is a collection of tools and procedures to support development of secure sojiware. The toolset initially will have a Vulnerability Matrix (VMatrix) with severity, flequency, platford application, and signatureBela3 in a database keyed on the Computer Vulnerability Enumeration (CVE) number. The toolset also will include a property-based testing tool to slice sojiware code looking for specific vulnerabilities using signatures from the VMatrix. A third component of the research underlying this toolset will be an investigation into the verij&ation of sojiware designs for compliance to security properties. This is based on model checking approaches initially researched together with analytical verijkation of formal specification.