Category: C/C++
2008-12-16 23:36:08
| Name | Type | Description |
|---|---|---|
| | academic | A model checker that targets buffer-overflow vulnerabilities in C code. |
| | open source | Checks for potentially dangerous function calls in binary executable code. |
| CodeAssure | commercial | General-purpose security scanners for many programming languages. |
| | commercial | Checks for vulnerabilities and other defects in C and C++. |
| | open source | Security scanner for Java. |
| | commercial | C/C++ bug checker and security scanner. |
| | academic | C data-flow analyzer using type/taint analysis. Requires some program annotations. |
| | commercial | Security scanner for C# and Visual Basic. |
| | open source | Security scanner for C code. |
| | commercial | General-purpose security scanner for C, C++, and Java. |
| | commercial | Checks for vulnerabilities and other defects in C, C++, and Java. |
| | freeware | Checks for potentially dangerous function calls in C code. |
| | commercial | General-purpose control-flow analyzer and white-box test coverage tool specializing in path analysis. Works with C, C++, C#, Java, Fortran, VB, COBOL, and other languages. |
| | academic | Checks for vulnerabilities involving sequences of function calls in C code. |
| | commercial | Security scanner for C/C++ and Java/JSP. |
| | open source | Checks for potentially dangerous function calls in C code. |
| | open source | Checks for potentially dangerous function calls in C code. |
| | open source | C/C++ bug checker and security scanner. |
| | open source | Checks C code for potential vulnerabilities and other dangerous programming practices. |
Copyright © 2005, 2008 Cigital, Inc.
2005-09-30; Updated 2008-11-03
Content area bibliography.
Aleph One. “Smashing the Stack for Fun and Profit.” Phrack Magazine 7, 49 (1996): File 14 of 16. http://insecure.org/stf/smashstack.html.
Anderson, Robert H. & Hearn, Anthony C. "An Exploration of Cyberspace Security R&D Investment Strategies for DARPA: The Day After... in Cyberspace II." RAND Corporation. MR-797-DARPA (1996): 67.
Anderson, Ross. Security Engineering: A Guide to Building Dependable Distributed Systems, 2nd ed. New York, NY: John Wiley & Sons, 2008.
Australian Computer Emergency Response Team (AUSCERT) & O'Reilly and Associates. A Lab Engineers Check List for Writing Secure Unix Code. http://www.windowsecurity.com/whitepapers/A_Lab_engineers_check_list_for_writing_secure_Unix_code.html (1996).
Bellovin, Steven M. Shifting the Odds--Writing (More) Secure Software. Murray Hill, NJ: AT&T Research. ~smb/talks/odds.pdf (1994).
Bishop, Matt and Dilger, M. “Checking for Race Conditions in File Accesses.” The USENIX Association, Computing Systems, Spring 1996: 131–152.
Bishop, Matt. Computer Security: Art and Science. Boston: Addison-Wesley, 2002 (ISBN 0-2014-4099-7).
Boehm, Barry W. “Improving Software Productivity.” Computer 20, 9 (September 1987): 43-57.
Boehm, Barry W. & Papaccio, Philip N. “Understanding and Controlling Software Costs.” IEEE Transactions on Software Engineering 14, 10 (October 1988): 1462-1477.
Boehm, Barry W. Software Engineering Economics. Englewood Cliffs, NJ: Prentice-Hall, 1981.
Burch, Hal; Long, Fred; & Seacord, Robert. Specifications for Managed Strings (CMU/SEI-2006-TR-006). Pittsburgh, PA: Software Engineering Institute, Carnegie Mellon University, May 2006. http://www.sei.cmu.edu/pub/documents/06.reports/pdf/06tr006.pdf
CERT/CC. CERT Survivability Project Report. CERT Coordination Center, 1996.
Chess, Brian & McGraw, Gary. “Static Analysis for Security.” IEEE Security & Privacy 2, 6 (Nov.-Dec. 2004): 76-79.
Chess, Brian & West, Jacob. Secure Programming with Static Analysis. Boston: Addison-Wesley, 2007.
Clements, Paul; Bachmann, Felix; Bass, Len; Garlan, David; Ivers, James; Little, Reed; Nord, Robert; & Stafford, Judith. Documenting Software Architectures: Views and Beyond. Boston: Addison-Wesley, 2002 (ISBN 0-2017-0372-6).
Cowan, Crispin; Wagle, Perry; Pu, Calton; Beattie, Steve; & Walpole, Jonathan. “Buffer Overflows: Attacks and Defenses for the Vulnerability of the Decade,” 119-129. Proceedings of the DARPA Information Survivability Conference and Exposition (DISCEX’00). Hilton Head Island, SC, January 25-27, 2000. Los Alamitos, CA: IEEE Computing Society, 2000.
Cowan, Crispin; Beattie, Steve; Finnin Day, Ryan; Pu, Calton; Wagle, Perry; & Walthinsen, Erik. “Protecting Systems from Stack Smashing Attacks with StackGuard,” 119-129. Proceedings of the 1998 Usenix Security Conference, 1998.
Demarco, Tom & Lister, Timothy. Waltzing With Bears: Managing Risk on Software Projects. New York: Dorset House Publishing Company, 2003 (ISBN 0-9326-3360-9).
Dewhurst, Stephen; Dougherty, Chad; Ito, Yurie; Keaton, David; Saks, Dan; Seacord, Robert C.; Svoboda, David; Taschner, Chris; & Togashi, Kazuya. Evaluation of CERT Secure Coding Rules through Integration with Source Code Analysis Tools (CMU/SEI-2008-TR-014). Pittsburgh, PA: Software Engineering Institute, Carnegie Mellon University, June 2008. http://www.sei.cmu.edu/pub/documents/08.reports/08tr014.pdf
Du, Wenliang. “Categorization of Software Errors That Led to Security Breaches.” Proceedings of the 21st National Information Systems Security Conference. Crystal City, Virginia, Oct. 6-9, 1998.
Fagan, Michael G. “Design and Code Inspections to Reduce Errors in Program Development.” IBM Systems Journal 15, 3 (1976).
Garfinkel, Simson; Spafford, Gene; & Schwartz, Alan. Practical Unix & Internet Security, 3rd ed. Sebastopol, CA: O'Reilly & Associates, Inc., 2003 (ISBN 1-56592-323-4).
Gennari, Jeff; Hedrick, Shaun; Long, Fred; Pincar, Justin; & Seacord, Robert C. Ranged Integers for the C Programming Language (CMU/SEI-2007-TN-027). Pittsburgh, PA: Software Engineering Institute, Carnegie Mellon University, September 2007. http://www.sei.cmu.edu/pub/documents/07.reports/07tn027.pdf
Gilb, Tom. Principles of Software Engineering Management. Boston: Addison-Wesley, 1988 (ISBN 0-201-19246-2).
Ghosh, Anup K.; O’Connor, Tom; & McGraw, Gary. “An Automated Approach for Identifying Potential Vulnerabilities in Software,” 104-114. Proceedings of the 1998 IEEE Symposium on Security and Privacy. Oakland, California, May 3-6, 1998. Los Alamitos, CA: IEEE Computer Society Press, 1998.
Goldenson, Dennis R. & Gibson, Diane L. Demonstrating the Impact and Benefits of CMMI: An Update and Preliminary Results (CMU/SEI-2003-SR-009). Pittsburgh, PA: Software Engineering Institute, Carnegie Mellon University, October 2003. http://www.sei.cmu.edu/pub/documents/03.reports/pdf/03sr009-revised.pdf
Gong, Li. Inside Java 2 Platform Security Architecture, API Design, and Implementation. Boston: Addison-Wesley, 1999 (ISBN 0-201-31000-7).
Graff, Mark G. & Van Wyk, Kenneth R. Secure Coding: Principles and Practices. Sebastopol, CA: O’Reilly, 2003.
Hoglund, Greg & McGraw, Gary. Exploiting Software: How to Break Code. Boston: Addison-Wesley, 2004 (ISBN 0-2017-8695-8).
Howard, Michael. Designing Secure Web-Based Applications for Microsoft Windows 2000. Redmond, Washington: Microsoft Press, 2000 (ISBN 0-7356-0995-0).
Howard, Michael & LeBlanc, David. Writing Secure Code, 2nd ed. Redmond, WA: Microsoft Press, 2002 (ISBN 0-7356-1722-8).
Howard, Michael & LeBlanc, David. Writing Secure Code for Windows Vista. Redmond, WA: Microsoft Press, 2007.
Howard, Michael & Lipner, Steve. The Security Development Lifecycle. Redmond, WA: Microsoft Press, 2006.
Jones, Capers. Programming Productivity. New York, NY: McGraw-Hill, 1986 (ISBN 0-070-32811-0).
Jones, Capers. Applied Software Measurement: Assuring Productivity and Quality. New York: McGraw-Hill, 1991.
Jones, Capers. Assessment and Control of Software Risks. Englewood Cliffs, NJ: Prentice Hall, 1994.
Kitson, David H. & Masters, Stephen. “An Analysis of SEI Software Process Assessment Results, 1987-1991,” 68-77. Proceedings of the Fifteenth International Conference on Software Engineering. Baltimore, Maryland. May 17-21, 1993. Washington, DC: IEEE Computer Society Press, 1993.
Kuperman, Benjamin A. & Spafford, Eugene. Generation of Application Level Audit Data via Library Interposition. CERIAS Tech Report TR-99-11, 1999.
Maguire, Steve. Writing Solid Code: Microsoft's Techniques for Developing Bug-Free C Programs. Redmond, Washington: Microsoft Press, 1993 (ISBN 1-55615-551-4).
McConnell, Steve. Code Complete: A Practical Handbook of Software Construction. Redmond, Washington: Microsoft Press, 1993 (ISBN 1-55615-484-4).
McGraw, Gary. “Software Security.” IEEE Security and Privacy 2, 2 (March-April 2004): 80-83.
McGraw, Gary. “From the Ground Up: The DIMACS Software Security Workshop.” IEEE Security and Privacy 1, 2 (March-April 2003): 59-66.
McGraw, Gary. “Managing Software Security Risks.” Computer 35, 4 (March 2002): 99-101.
McGraw, Gary & Potter, Bruce. “Software Security Testing.” IEEE Security and Privacy 2, 5 (September-October 2004): 81-85.
McGraw, Gary & Felten, Edward W. Securing Java: Getting Down to Business with Mobile Code, 2nd ed. New York, NY: John Wiley & Sons, 1999 (ISBN 047131952X).
Miller, Barton P. “An Empirical Study of the Reliability of UNIX Utilities.” Communications of the ACM 33, 12 (1990).
Peikari, Cyrus & Chuvakin, Anton. Security Warrior. Sebastopol, CA: O'Reilly, 2004 (ISBN 0-5960-0545-8).
Saltzer, Jerome H. & Schroeder, Michael D. “The Protection of Information in Computer Systems.” Proceedings of the IEEE 63, 9 (September 1975): 1278-1308.
Seacord, Robert C. & Householder, Allen. A Structured Approach to Classifying Security Vulnerabilities (CMU/SEI-2005-TN-003). Pittsburgh, PA: Software Engineering Institute, Carnegie Mellon University, January 2005. http://www.sei.cmu.edu/pub/documents/05.reports/pdf/05tn003.pdf
Seacord, Robert C. Secure Coding in C and C++. Boston: Addison-Wesley, 2005.
Seacord, Robert C. The CERT C Secure Coding Standard. Boston: Addison-Wesley, 2008.
Sessions, Roger. Software Fortresses: Modeling Enterprise Architectures. Boston: Addison-Wesley, 2003 (ISBN 0-3211-6608-6).
Soo Hoo, Kevin; Sudbury, Andrew W.; & Jaquith, Andrew R. “Tangible ROI through Secure Software Engineering.” Secure Business Quarterly 1, 2 (2001).
Spafford, Eugene H. “Crisis and Aftermath.” Communications of the ACM 32, 6 (1989).
Spafford, Eugene H. UNIX and Security: The Influences of History. Information Systems Security. Auerbach Publications, 1995.
SPI Dynamics. “SQL Injection: Are Your Web Applications Vulnerable?” SPI Dynamics Whitepaper, 2002.
Sun Microsystems. Secure Coding Guidelines for the Java Programming Language, version 2.0. http://java.sun.com/security/seccodeguide.html (2007).
Swanson, Marianne & Guttman, Barbara. Generally Accepted Principles and Practices for Securing Information Technology Systems. National Institute of Standards and Technology Computer Security Special Publication 800-14, 1996.
Swiderski, Frank & Snyder, Window. Threat Modeling. Redmond, WA: Microsoft Press, 2004 (ISBN 0-7356-1991-3).
Thompson, Ken. “Reflections on Trusting Trust.” Communications of the ACM 27, 8 (August 1984).
Viega, John; McGraw, Gary; Mutdosch, Tom; & Felten, Edward W. “Statically Scanning Java Code: Finding Security Vulnerabilities.” IEEE Software 17, 5 (September-October 2000): 68-77.
Viega, John & McGraw, Gary. Building Secure Software: How to Avoid Security Problems the Right Way. Boston: Addison-Wesley, 2001 (ISBN 0-2017-2152-X).
Viega, John & Messier, Matt. Secure Programming Cookbook for C and C++. Sebastopol, CA: O'Reilly, 2003 (ISBN 0-5960-0394-3).
Voas, Jeffrey & McGraw, Gary. Software Fault Injection: Inoculating Programs Against Errors. New York, NY: John Wiley & Sons, 1997 (ISBN 0-471-18381-4).
Whittaker, J. A. & Thompson, H. H. How to Break Software Security. Reading, MA: Addison Wesley, 2003.
Yoder, Joseph & Barcalow, Jeffrey. “Architectural Patterns for Enabling Application Security.” Proceedings of the 1997 Pattern Languages of Programming Conference. Monticello, Illinois, Sept. 3-5, 1997. Washington University Technical Report (wucs-97-34). ~hanmer/PLoP-97/Proceedings/proceedings.zip (1998).