A recently published paper by the National Institute of Standards and Technology (NIST) examines software assurance tools as a fundamental resource for improving the quality of today’s software applications. It looks at the behavior of one class of software assurance tool: the source code security analyzer. Because many software security weaknesses are introduced at the implementation phase, using a source code security analyzer should help reduce the number of security vulnerabilities in software.
The report – Source Code Security Analysis Tool Functional Specification Version 1.1 (NIST Special Publication 500-268 v1.1) – defines a minimum capability to help software professionals understand how a tool can help meet their software security assurance needs. The example languages studied are C, C++, Java and SPARK. The NIST report identifies the languages’ vulnerabilities. As you would expect, the SPARK language comes out well.
3 Comments
The following related presentation on “Vulnerabilities that cannot occur in SPARK” is really enlightening to understand the full potential of SPARK for security: http://hcss-cps.org/events/black.html
Off-topic: Is there a forum to discuss DO-178B?
No, there is no forum on Open-DO website, although that’s a good idea. Do you have specific questions about DO-178B?