Most security vulnerabilities arise from flaws in software implementation, and are difficult to discover because they are often triggered by rarely used parts of the code. Exhaustive testing is impossible for real-world software so high assurance software is tested using methods that require extensive staff time and thus have enormous cost. Most unit and system testing only verifies the existence of functionality, so it does not exercise rare conditions that trigger security vulnerabilities.
Reduction in the cost of security testing for US software industry.
Lead Organizational Unit:ITL
Richard D. Kuhn
100 Bureau Drive