SwA in Education, Training & Certification - US-Cert
Software Assurance Pocket Guide Series: Life Cycle Support, Volume I – Version 2.2, Mar 16, 2011

Table 4 – Tools and web resources for hands-on classroom experience with SwA concepts

Tools

| Tool Name | Tool Description | Possible Classroom Uses |
|---|---|---|
| OllyDbg | OllyDbg is a 32-bit assembly-level debugger for Microsoft Windows. Located at www.ollydbg.de/ | Emphasizes binary code analysis; particularly useful where source code is unavailable. Explain buffer overflows. |
| Paros | Paros is an open source proxy that traps all HTTP and HTTPS traffic between client and server, including cookies and form fields, which can be intercepted and modified. Located at http://parosproxy.org/index.shtml | Paros can be used as an introduction to web application security assessment. |
| SAMATE Reference Dataset | The purpose of the SAMATE Reference Dataset (SRD) is to provide users, researchers, and software security assurance tool developers with a set of known security flaws, so that end users can evaluate tools and tool developers can test their methods. Located at http://samate.nist.gov/index.php/Main_Page.html | A reference data set can be used in class to study known flaws in software. |
| SDMetrics | Analyzes the structural properties of UML models using object-oriented measures of design size, coupling, and complexity. Located at http://www.sdmetrics.com/ | Examine object-oriented metrics and measures for design and source code artifacts. |
| Splint | Splint is a tool for statically checking C programs for security vulnerabilities and coding mistakes. Located at http://www.splint.org/ | Static analysis code-checking activities. |
| Valgrind | Valgrind is an instrumentation framework for building dynamic analysis tools. Located at http://valgrind.org/ | Demonstrate dynamic analysis techniques that detect memory management and threading bugs, as well as detailed program profiling. |
| Vine | Provides an intermediate language into which x86 code can be translated for static analysis. Located at http://bitblaze.cs.berkeley.edu/vine.html | Perform data-flow analysis and binary analysis. |

Web Resources

| Resource | Location | Description |
|---|---|---|
| Google Code University | http://google-gruyere.appspot.com | Web application exploits and defenses. Topics include cross-site scripting, cross-site request forgery, AJAX vulnerabilities, denial of service, etc. |
| OWASP Learning Environments | http://www.owasp.org/index.php/Phoenix/Tools | Comprehensive collection of security tools, exploits, vulnerability scanners, defensive tools, and application security resources. |
| OWASP WebGoat | http://www.owasp.org/index.php/OWASP_WebGoat_Project | WebGoat is a deliberately insecure J2EE web application maintained by OWASP, designed to teach web application security lessons. |
| OWASP Broken Web Applications Project | http://www.owasp.org/index.php/OWASP_Broken_Web_Applications_Project | A collection of applications with known vulnerabilities. |
| Software Assurance (SwA) Tools Overview | https://buildsecurityin.uscert.gov/swa/swa_tools.html | A collection of SwA tools inspired by the NIST Software Assurance Metrics And Tool Evaluation (SAMATE) project. |
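The following C program is an added classroom example; it is not part of the Pocket Guide nor of any of the tools listed above. It gives students one small program to run through the buffer-overflow, Splint and Valgrind rows of Table 4: an unbounded string copy into a fixed-size heap record beside a bounds-checked version of the same copy. The function and constant names (unsafe_copy, safe_copy, RECORD_LEN) and the sample inputs are this example's own choices.

```c
/* Added classroom example (not from the Pocket Guide): a fixed-size record
 * copy with and without a bounds check. Build with -g and run it under
 * Valgrind or OllyDbg, or check it with Splint, to see the flaw reported.
 * Names (unsafe_copy, safe_copy, RECORD_LEN) are this example's own. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define RECORD_LEN 16   /* size of the destination record, chosen for the demo */

/* Vulnerable form: strcpy() trusts the caller's input length, so any input
 * longer than RECORD_LEN-1 bytes writes past the end of the heap block.
 * Splint (with bounds checking enabled) can flag the unbounded strcpy;
 * Valgrind reports an invalid write at run time when the overflow occurs. */
int unsafe_copy(char *record, const char *input)
{
    strcpy(record, input);        /* no bounds check: the flaw under study */
    return 0;
}

/* Hardened form: measure first, refuse oversized input, then copy with an
 * explicit bound and a guaranteed NUL terminator. Returns 0 on success and
 * -1 if the input would not fit; callers must check the result. */
int safe_copy(char *record, size_t record_len, const char *input)
{
    size_t n = strlen(input);
    if (record_len == 0 || n >= record_len)
        return -1;                /* would overflow: reject, do not truncate silently */
    memcpy(record, input, n + 1); /* n+1 copies the terminating NUL as well */
    return 0;
}

/* Exercise both versions. Run with the single argument "overflow" under
 * Valgrind to watch the heap overrun be detected; without it, only the
 * checked path runs. */
int main(int argc, char **argv)
{
    /* Constructed inputs: one fits in RECORD_LEN, the other is twice as long. */
    const char *short_input = "alice";
    const char *long_input  = "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA";  /* 32 bytes */
    char *record = malloc(RECORD_LEN);
    if (record == NULL)
        return 1;

    printf("safe_copy(short): %d\n", safe_copy(record, RECORD_LEN, short_input));
    printf("safe_copy(long):  %d\n", safe_copy(record, RECORD_LEN, long_input));

    if (argc > 1 && strcmp(argv[1], "overflow") == 0) {
        /* Deliberate heap overflow for the Valgrind / debugger exercise. */
        unsafe_copy(record, long_input);
        printf("unsafe_copy returned; memory past the record is now corrupted\n");
    }
    free(record);
    return 0;
}
```

Suggested exercise: compile with `gcc -g -Wall -o copydemo copydemo.c`, then compare `splint +bounds copydemo.c` (static view) with `valgrind ./copydemo overflow` (dynamic view). Students should notice that the run without Valgrind may still abort inside free(), because the C library's own heap consistency checks detect the corruption only after the damage is done, whereas the bounds check in safe_copy prevents it in the first place.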