• DocumentCode
    3526887
  • Title
    Development of a software security assessment instrument to reduce software security risk
  • Author
    Gilliam, David P. ; Kelly, John C. ; Powell, John D. ; Bishop, Matt
  • Author_Institution
    Jet Propulsion Lab., California Inst. of Technol., Pasadena, CA, USA
  • fYear
    2001
  • fDate
    2001
  • Firstpage
    144
  • Lastpage
    149
  • Abstract
    The paper discusses joint work by the California Institute of Technology's Jet Propulsion Laboratory and the University of California at Davis (UC Davis), sponsored by the National Aeronautics and Space Administration, to develop a security assessment instrument for the software development and maintenance life cycle. The assessment instrument is a collection of tools and procedures to support development of secure software. Specifically, the instrument offers a formal approach for engineering network security into software systems and applications throughout the software development and maintenance life cycle. The security assessment instrument includes a Vulnerability Matrix (VMatrix) with platform/application and signature fields in a database. The information in the VMatrix has become the basis for the Database of Vulnerabilities, Exploits, and Signatures (DOVES) at UC Davis. The instrument also includes a set of Security Assessment Tools (SAT), including the development of a property-based testing tool by UC Davis, to slice software code looking for specific vulnerability properties. A third component of the research is an investigation into the verification of software designs for compliance to security properties. This is based on innovative model checking approaches that will facilitate the development and verification of software security models.
  • Keywords
    formal specification; program slicing; program verification; safety-critical software; security of data; software maintenance; DOVES; Database of Vulnerabilities Exploits and Signatures; SAT; Security Assessment Tools; V/Matrix; Vulnerability Matrix; formal approach; maintenance life cycle; model checking approaches; network security; platform/application; property-based testing tool; secure software development; security verification; signature fields; software code slicing; software development life cycle; software maintenance; software security assessment instrument; software security risk; Application software; Data security; Databases; Information security; Instruments; National security; Paper technology; Programming; Software maintenance; Software tools;
  • fLanguage
    English
  • Publisher
    ieee
  • Conference_Titel
    Enabling Technologies: Infrastructure for Collaborative Enterprises, 2001. WET ICE 2001. Proceedings. Tenth IEEE International Workshops on
  • Conference_Location
    Cambridge, MA
  • ISSN
    1080-1383
  • Print_ISBN
    0-7695-1269-0
  • Type
    conf
  • DOI
    10.1109/ENABL.2001.953404
  • Filename
    953404