

NIST asserts that code analysis tools need to be connected together


December 6, 2016

NIST (the National Institute of Standards and Technology) has completed its long-running research into reducing software security vulnerabilities and released its findings to the internet community.

Bulletin number 8151, Dramatically Reducing Software Security Vulnerabilities, first appeared as a draft in July 2016; the final version has been available since Friday.

The document's goal is to survey approaches that are new to the software industry and to identify technical improvements to software development that could have a dramatic effect on software quality.

One example would be reducing the typical twenty-five errors per 1,000 lines of code by an order of magnitude.

NIST asserts that this could be achieved in a three-to-seven-year timeframe. The report says that math-based tools are needed to verify how code operates, and that software developers should modularize their code so that the whole program doesn't crash just because one component fails.

This may already seem obvious to some developers, but consider just how many security vulnerabilities involve crashing a process and ending up with root.

Rather than operating in total isolation, NIST says code analysis tools need to be connected together, something the report refers to as “additive software analysis”.

As noted in the report: “IDEs sometimes do not offer an 'information bus' for tools to share software properties. Each tool must do its own parsing, build its own abstract syntax tree (AST), list variables with their scopes and attributes and 'decorate' an AST with proven facts or invariants.”

“Some tools are built on a common infrastructure, such as LLVM or ROSE, so they share code, but they must still do much of the analysis over again. Additionally, there are few standards that allow one parser to be swapped out for a new parser that runs faster,” NIST asserted.
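The shared-AST idea the report describes, as an added illustration that is not NIST's code nor any IDE's: one parse feeds three toy analyzers over a constructed snippet, with the scope and taint tools attaching facts to nodes that the third tool then consumes instead of re-parsing. The sample program, the `Bus` class and the tool functions are assumptions of this example.

```python
import ast
from collections import defaultdict
# Constructed program under analysis; it is only parsed, never executed.
SAMPLE = """
def handler():
    name = input()
    greeting = "hi " + name
    count = 3
    eval(greeting)
    eval(str(count))
"""
class Bus:
    """Shared 'information bus': one AST parsed once, plus facts tools attach to nodes."""
    def __init__(self, source):
        self.tree = ast.parse(source)
        self.facts = defaultdict(set)        # id(node) -> facts (tree itself never mutated)
    def add(self, node, fact): self.facts[id(node)].add(fact)
    def has(self, node, fact): return fact in self.facts[id(node)]

def is_call_to(node, name):
    return isinstance(node, ast.Call) and getattr(node.func, "id", None) == name

def scope_tool(bus):
    """Tool 1: label every Name node inside a function with 'scope:<function>'."""
    for fn in (f for f in ast.walk(bus.tree) if isinstance(f, ast.FunctionDef)):
        for n in (x for x in ast.walk(fn) if isinstance(x, ast.Name)):
            bus.add(n, "scope:" + fn.name)

def taint_tool(bus):
    """Tool 2: a variable assigned from input() or from an untrusted variable
    becomes untrusted; marks Name nodes via tool 1's scope labels, no re-parse."""
    tainted = defaultdict(set)                # function name -> untrusted variables
    for fn in (f for f in ast.walk(bus.tree) if isinstance(f, ast.FunctionDef)):
        for stmt in (s for s in fn.body if isinstance(s, ast.Assign)):   # source order
            parts = list(ast.walk(stmt.value))
            if any(is_call_to(p, "input") or (isinstance(p, ast.Name)
                   and p.id in tainted[fn.name]) for p in parts):
                tainted[fn.name].update(t.id for t in stmt.targets if isinstance(t, ast.Name))
    for n in (x for x in ast.walk(bus.tree) if isinstance(x, ast.Name)):
        if any(n.id in tainted[f[6:]] for f in bus.facts[id(n)] if f.startswith("scope:")):
            bus.add(n, "untrusted")

def eval_tool(bus):
    """Tool 3: consume tool 2's facts; line numbers of eval() calls fed an untrusted variable."""
    return sorted(c.lineno for c in ast.walk(bus.tree) if is_call_to(c, "eval")
                  and any(bus.has(n, "untrusted") for a in c.args for n in ast.walk(a)))

def analyze(source=SAMPLE):
    bus = Bus(source); scope_tool(bus); taint_tool(bus)
    return eval_tool(bus)                     # [6] for SAMPLE
```

Each tool sees the same tree and the facts earlier tools attached, which is the "information bus" the report says IDEs usually lack.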

Again, this may be obvious to most developers, but rather than always using one programming language because it is the one you are familiar with, development teams should choose languages on a best-for-task basis.

Additionally, NIST warns, software developers should keep evolving their tactics for protecting code that is the target of cyberattacks.

Source: The National Institute of Standards and Technology.

© IT Direction. All rights reserved.