Notice of Workshop To Participate in the Development of Software Assurance Metrics

Federal Register, Aug 9, 2005
70 Fed. Reg. 46147 (Aug. 9, 2005)

AGENCY:

National Institute of Standards and Technology, Commerce.

ACTION:

Notice of workshop.

SUMMARY:

The National Institute of Standards and Technology (NIST) announces the first in a series of planned workshops being held in support of NIST's Software Assurance Metrics and Tool Evaluation (SAMATE) project. NIST is working with industry, academia, and users:

  • To identify deficiencies in software assurance (SA) methods and tools.
  • To develop metrics for the effectiveness of SA tools.

NIST invites parties interested in these issues to contribute to the specification of such metrics and to the development of reference data sets capable of testing the effectiveness of SA tools. These reference data sets, when used during an SA tool's development, can aid in building a correct implementation with regard to these metrics.

The first workshop, “Defining the State of the Art in Software Security Tools,” is being held at NIST Gaithersburg August 10 and 11. Future workshops will be announced on the Project's Web site, http://samate.nist.gov/, and on other SA forums.

DATES:

The first workshop is being held at NIST Gaithersburg August 10, 9 a.m. to 5 p.m. and August 11, 2005, 9 a.m. to 1 p.m.

FOR FURTHER INFORMATION CONTACT:

For further information, you may visit the Software Assurance Metrics Project Web site at http://samate.nist.gov/. In addition, you may contact Dr. Paul E. Black by telephone at (301) 975-4794 or by e-mail at paul.black@nist.gov.

SUPPLEMENTARY INFORMATION:

In support of its Software Assurance Metrics and Tool Evaluation (SAMATE) project, NIST is working with industry, academia, and users:

  • To identify deficiencies in software assurance (SA) methods and tools.
  • To develop metrics for the effectiveness of SA tools.

The SA Metrics Project surveys current SA tools and develops a classification scheme, grouping SA tools with similar functionality or capability. A set of metrics and tests is developed for each tool class. Source/object code vulnerability scanners are an example of one possible class. A series of workshops will be used to:

  • Validate the tool classes.
  • Establish priorities for the order in which SA tool classes are tested.
  • Help determine the required and optional functionality for each class of SA tools.

After a tool class is selected, requirements, metrics, and tests for these functionalities are developed. Classification and testing activities can proceed simultaneously. As a result, a draft specification and test methodology for the highest priority tool class is developed. Further information on the project, including the Project Plan, may be found at the Project's Web site http://samate.nist.gov/ and on other SA forums.

Dated: August 3, 2005.

Matthew Heyman,

Chief of Staff.

[FR Doc. 05-15724 Filed 8-8-05; 8:45 am]

BILLING CODE 3510-13-P