Software Assurance Metrics and Tool Evaluation (SAMATE) is a project developed by the National Institute of Standards and Technology to enable better methods for software assurance to be developed and deployed.
The project's specific goal is to develop a methodology for assessing software assurance tools, which will be achieved through the use of specified tools together with robust test plans and data sets for those tests. The idea is that SAMATE will then inform the developers of assurance tools so that they can improve their offerings. At the same time, it will allow users of assurance tools to make better-informed choices.
Some of the results of the project include:
- Security Analyzers for Source Code – There’s already a draft test plan for these tools and a completed specification document for the plan.
- Vulnerability Scanners for Web Applications – There’s a full specification in place and a test framework. This should enable better evaluation of tools that are designed to crawl a web application and then determine where any vulnerabilities lie.
- Binary Code Scanning – Work has begun to develop specifications and test frameworks for tools which identify flaws in the code of binary applications in their compiled states.
- Exposition of Static Analysis Tools – SAMATE also aims to assess tools suitable for research that work with large data sets during testing, to help improve them, and to increase their adoption by demonstrating their effectiveness when applied to real software applications.