TY - CONF
TI - Development of a software security assessment instrument to reduce software security risk
T2 - Enabling Technologies: Infrastructure for Collaborative Enterprises, 2001. WET ICE 2001. Proceedings. Tenth IEEE International Workshops on
JO - Enabling Technologies: Infrastructure for Collaborative Enterprises, 2001. WET ICE 2001. Proceedings. Tenth IEEE International Workshops on
JA - Enabling Technologies: Infrastructure for Collaborative Enterprises, 2001. WET ICE 2001. Proceedings. Tenth IEEE International Workshops on
AU - Gilliam, D.P.
AU - Kelly, J.C.
AU - Powell, J.D.
AU - Bishop, M.
Y1 - 2001
PY - 2001
SP - 144
EP - 149
IS -
SN -
VO -
VL -
KW - formal specification
KW - program slicing
KW - program verification
KW - safety-critical software
KW - security of data
KW - software maintenance
KW - DOVES
KW - Database of Vulnerabilities Exploits and Signatures
KW - SAT
KW - Security Assessment Tools
KW - V/Matrix
KW - Vulnerability Matrix
KW - formal approach
KW - maintenance life cycle
KW - model checking approaches
KW - network security
KW - platform/application
KW - property-based testing tool
KW - secure software development
KW - security verification
KW - signature fields
KW - software code slicing
KW - software development life cycle
KW - software security assessment instrument
KW - software security risk
DOI - 10.1109/ENABL.2001.953404
AB - The paper discusses joint work by the California Institute of Technology's Jet Propulsion Laboratory and the University of California at Davis (UC Davis), sponsored by the National Aeronautics and Space Administration, to develop a security assessment instrument for the software development and maintenance life cycle. The assessment instrument is a collection of tools and procedures to support the development of secure software. Specifically, the instrument offers a formal approach for engineering network security into software systems and applications throughout the software development and maintenance life cycle. The security assessment instrument includes a Vulnerability Matrix (VMatrix) with platform/application and signature fields in a database. The information in the VMatrix has become the basis for the Database of Vulnerabilities, Exploits, and Signatures (DOVES) at UC Davis. The instrument also includes a set of Security Assessment Tools (SAT), including the development of a property-based testing tool by UC Davis, to slice software code looking for specific vulnerability properties. A third component of the research is an investigation into the verification of software designs for compliance with security properties. This is based on innovative model checking approaches that will facilitate the development and verification of software security models.
ER -