State-of-the-Art Resources (SOAR) for Software Vulnerability Detection, Test, and Evaluation

2014 
Abstract: Unintentional and intentionally inserted vulnerabilities in software can provide adversaries with various avenues to reduce system effectiveness, render systems useless, or even use our systems against us. Unfortunately, it can be difficult to determine what types of tools and techniques exist for evaluating software, and where their use is appropriate. This paper is written to enable DoD program managers (PMs), and their staff, to make effective software assurance and software supply chain risk management (SCRM) decisions, particularly when they are developing and executing their program protection plan (PPP). A secondary purpose is to inform DoD policymakers who are developing software policies. This paper describes a possible overall process for selecting and using appropriate analysis tool/technique types for evaluating software: (1) Select technical objectives based on context; (2) Select tool/technique types to address those technical objectives; (3) Select tools/techniques; (4) Summarize selection as part of a Program Protection Plan (PPP); (5) Apply the tools/techniques and report the results.