Here is a list of classes of software security assurance functions, classified according to our tool taxonomy. The first group has web pages with comments or notes about each class. The last group in the table don't even have web pages.
Class | Process | Automation | Approach | Viewpoint
---|---|---|---|---
Assurance Case Tools | SWE manage | 1 | Mitigate(?) | Int
Safer Languages | Implementation | 0 | Preclude | Int
Design/Modeling Verification Tools | Design | 2/3 | Detect | Int
Source Code Security Analyzers, Byte Code Scanners, Binary Code Scanners (SWEBOK 10 1.9) | Test | 2 | Detect | Int
Web Application Scanners | Test/Operation | 2 | Detect | Ext
Intrusion Detectors | Operation | 2 | Detect | Int
Network Scanners | Operation | 2 | Detect | Ext
Requirements Verification Tools | Requirements | 2/3 | Detect | Int
Architecture Design Tools | Design | 1 | Preclude | Int
Dynamic Analysis Tools | Test | 1 | Detect | Ext
Web Services Network Scanners | Test/Operation | 2 | Detect | Ext
Database Scanning Tools | Operation | 2 | Detect | Int
Anti-Spyware Tools (a system assurance class, not a software assurance class) | Operation | 2/3 | Detect/React | Int
Tool Integration Frameworks | Test/Operation | 2 | Detect | Int

The following don't even have web pages.

Class | Process | Automation | Approach | Viewpoint
---|---|---|---|---
Requirements modeling or tracing tools | Requirements | 1/2 | Detect | Int
Use cases | Requirements | 0 | Detect | Int
Constructive Approaches (correct by construction) | Design/Implementation | 1/2 | Preclude | Int
Compiler, error checking | Implementation | 3 | Detect | Int
Compiler, safety enforcing | Implementation | 3 | Preclude | Int
Configuration management (SWEBOK 10 1.6) | Config manage | 0/2 | Preclude | Int
Test generators, execution frameworks, test evaluation, test management, performance analysis (SWEBOK 10 1.4); source code or binary fault injection, fault propagation analysis, fuzz testing (Goertzel 4.1.4.4.4-.9) | Test | 1/2 | Detect | Int
Code review assistants (SWEBOK 10 1.9) | Test | 1 | Detect | Int
Operator training | Operation | 1 | Preclude | Ext
Firewall, Virtual Patch, or Wrapper | Operation | 3 | Mitigate | Int
Forensic Security Analysis (Goertzel 4.1.4.4.12) | Operation | 1/2 | React | Int
Software engineering management (SWEBOK 10 1.7) | SWE manage | 0/2 | Preclude | Int
Software engineering process (SWEBOK 10 1.8) | SWE process | 0/2 | Preclude | Int
Chapter 10 of the Guide to the SWEBOK [8] lists software engineering methods, divided into three groups.

Insecure.Org's 2006 Top 100 Network Security Tools has several classes of tools, mostly for network investigation, including web vulnerability scanners (= Web Application Scanners), vulnerability scanners (= Network Scanners), the top 5 intrusion detection systems, password crackers, packet sniffers, wireless tools, the top 3 vulnerability exploitation tools, the top 4 application-specific scanners, the top 4 port scanners, the top 3 firewalls, the top 4 rootkit detectors, and packet crafters. Some tools are not categorized, but are just listed in the Top 100.