Analysis of software for security-critical systems
Sandia National Laboratories (SNL) performs software security analyses of many systems that have strong security requirements. This paper gives an overview of a software security analysis methodology that has evolved at SNL, based on experience gained in the analysis of critical software-controlled systems. The paper describes the analysis activities and how they relate to the traditional software life cycle. Topics discussed include: planning for the analysis; supporting the development and documentation of security requirements; identifying and analyzing the threat; acquiring and utilizing software design and implementation materials; identifying positive design features; scaling the analysis effort to the threat; analyzing the high-level design; analyzing the source code and the target implementation; reporting results; interacting with system and component development groups; and supporting the authentication of the software product before it is fielded. The paper also stresses the importance of independence between the analysis and development groups.