Dramatically reducing software vulnerabilities:  Report to the White House Office of Science and Technology Policy

Black, Paul E.; Badger, Mark L.; Guttman, Barbara; Fong, Elizabeth

doi:10.6028/nist.ir.8151

Cited by 18 publications

(13 citation statements)

References 41 publications

Supporting

Mentioning

Contrasting

Order By: Relevance

“…For an overview of formal methods, including suggested techniques and further reading, we refer the reader to Section 2.1 of [23].…”

Section: Model Checkers and Other Lightweight Formal Methodsmentioning

confidence: 99%

Formal methods for statistical software

Black¹

2019

Self Cite

View full text Add to dashboard Cite

Statistical software" encompasses several distinct classes of software. This report explains what formal methods, tools, and approaches may be able to increase assurance of results of using statistical software and implementing differential privacy. To provide context, we present an exemplary process for assured results. The parts are data assurance, algorithm design, software production, correctness proofs, postproduction assurance of software, and result checking. We note a workshop we organized to support this paper and finish with recommended formal methods, tools, and researchers doing particularly pertinent work.

show abstract

“…For an overview of formal methods, including suggested techniques and further reading, we refer the reader to Section 2.1 of [23].…”

Section: Model Checkers and Other Lightweight Formal Methodsmentioning

confidence: 99%

Formal methods for statistical software

Black¹

2019

Self Cite

View full text Add to dashboard Cite

show abstract

“…This document defines an app vetting process and provides guidance on (1) planning and implementing an app vetting process, (2) developing security requirements for mobile apps, (3) identifying appropriate tools for testing mobile apps and (4) determining if a mobile app is acceptable for deployment on an organization's mobile devices. An overview of techniques commonly used by software assurance professionals is provided, including methods of testing for discrete software vulnerabilities and misconfigurations related to mobile app software.…”

Section: Purposementioning

confidence: 99%

“…Software assurance activities for a mobile application may occur in one or more phases of the mobile application lifecycle: (1) during the development of the app by its developer (i.e., the app development phase), (2) after receiving a developed app but prior to its deployment by the enduser organization (i.e., the app acquisition phase) or (3) during deployment of the app by the enduser organization (i.e., the app deployment phase). These three phases of the mobile application lifecycle are shown in Figure 1.…”

Section: Scopementioning

confidence: 99%

“…Through everincreasing functionality, ubiquitous connectivity and faster access to mission-critical information, mobile apps continue to provide unprecedented support for facilitating organizational objectives. Despite their utility, these apps can pose serious security risks to an organization and its users due to vulnerabilities that may exist within their software 1 .Such vulnerabilities may be exploited to steal information, control a user's device, deplete hardware resources, or result in unexpected app or device behavior.…”

Section: Introductionmentioning

confidence: 99%

“…A vulnerability is defined as one or more weaknesses that can be accidentally triggered or intentionally exploited and result in a violation of desired system properties[1] …”

mentioning

confidence: 99%

See 2 more Smart Citations

Vetting the security of mobile applications

Quirolgico¹,

Voas²,

Karygiannis³

et al. 2019

View full text Add to dashboard Cite

This publication has been developed by NIST in accordance with its statutory responsibilities under the Federal Information Security Modernization Act (FISMA) of 2014, 44 U.S.C. § 3551 et seq., Public Law (P.L.) 113-283. NIST is responsible for developing information security standards and guidelines, including minimum requirements for federal information systems, but such standards and guidelines shall not apply to national security systems without the express approval of appropriate federal officials exercising policy authority over such systems. This guideline is consistent with the requirements of the Office of Management and Budget (OMB) Circular A-130. Nothing in this publication should be taken to contradict the standards and guidelines made mandatory and binding on federal agencies by the Secretary of Commerce under statutory authority. Nor should these guidelines be interpreted as altering or superseding the existing authorities of the Secretary of Commerce, Director of the OMB, or any other federal official. This publication may be used by nongovernmental organizations on a voluntary basis and is not subject to copyright in the United States. Attribution would, however, be appreciated by NIST.

show abstract