SECURING A MOBILE WORLD

Supply Chain Risk Management

Paul Croll

Abstract. This paper describes the scope of the problem regarding software vulnerabilities and the current state of the practice in static code analysis for software assurance. Recommendations are made regarding the use of static analysis methods and tools during the software life cycle. Static code analysis touch points during lifecycle reviews, and challenges to automated static code analysis, are also discussed.

1. Introduction

Managing software risk in the supply chain is in large part about discovering and understanding the vulnerabilities that might exist in code that you buy as standalone applications or integrate into other systems or products. It is also about vulnerabilities you might build into code that you develop in-house. Static code analysis can be an effective means for determining the vulnerabilities in your code.

a. Scope of the Problem

Capers Jones [1] described the results of a survey of the U.S. software industry as of 2008. Based on those data, Tables 1 and 2 address the number and severity of software vulnerabilities in several classes of application projects. For military projects, as project size (expressed in function points) approaches that of typical large combat systems, the estimated number of security vulnerabilities rises to above 3000 and the probability of serious vulnerabilities rises to 45%. The statistics are much worse for civilian and commercial systems, which have tended to make much more extensive use of COTS. As we move more and more into COTS and open source software for our national defense and critical infrastructure systems, one might expect the extent of vulnerabilities in these critical systems to nearly double.

In a study by Reifer and Bryant [2], 100 packages were selected at random from 50 public open source and COTS libraries. These spanned a full range of application types and came from sites such as SourceForge. The packages were analyzed by college students using a variety of tools.
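To make concrete what "static code analysis" means in the sense used above, the following is an added illustration (not code from the paper, nor from any of the tools it surveys): a toy analyzer that parses Python source into an abstract syntax tree and pattern-matches a few well-known weakness classes (command injection via shell-parsed strings, code injection via eval/exec, unsafe deserialization, hard-coded credentials) without ever executing the code. The rule set, the finding labels and the sample program it scans are all constructed for this example; a production tool adds data-flow tracking and hundreds of rules, but the mechanism is the same.

```python
"""Toy static analyzer (added illustration, not from the paper or its tools).

Walks the AST of a source string and reports a few well-known weakness
patterns. The rule names and sample input below are constructed for this
example; they are not identifiers from any real analyzer.
"""
import ast

# Fully qualified callee -> finding text (hypothetical rule labels).
DANGEROUS_CALLS = {
    "eval": "CODE-INJECTION: eval() on data",
    "exec": "CODE-INJECTION: exec() on data",
    "pickle.loads": "DESERIALIZATION: pickle.loads() of untrusted bytes",
    "os.system": "COMMAND-INJECTION: os.system() builds a shell command",
}
# Variable-name fragments that suggest a credential.
SECRET_NAMES = ("password", "passwd", "secret", "api_key", "token")


def _call_name(node: ast.Call) -> str:
    """Return 'mod.func' or 'func' for the callee, or '' if not resolvable."""
    f = node.func
    if isinstance(f, ast.Name):
        return f.id
    if isinstance(f, ast.Attribute) and isinstance(f.value, ast.Name):
        return f"{f.value.id}.{f.attr}"
    return ""


def analyze(source: str):
    """Return a sorted list of (line, message) findings for `source`."""
    findings = []
    tree = ast.parse(source)
    for node in ast.walk(tree):
        if isinstance(node, ast.Call):
            name = _call_name(node)
            if name in DANGEROUS_CALLS:
                findings.append((node.lineno, DANGEROUS_CALLS[name]))
            # subprocess.* with shell=True hands a string to the shell to parse;
            # the list form (no shell) is deliberately not flagged.
            if name.startswith("subprocess."):
                for kw in node.keywords:
                    if (kw.arg == "shell" and isinstance(kw.value, ast.Constant)
                            and kw.value.value is True):
                        findings.append((node.lineno,
                                         "COMMAND-INJECTION: subprocess call with shell=True"))
        elif isinstance(node, ast.Assign):
            # Hard-coded credential: secret-looking name assigned a non-empty string literal.
            for target in node.targets:
                if (isinstance(target, ast.Name)
                        and any(s in target.id.lower() for s in SECRET_NAMES)
                        and isinstance(node.value, ast.Constant)
                        and isinstance(node.value.value, str)
                        and node.value.value):
                    findings.append((node.lineno,
                                     f"HARDCODED-SECRET: {target.id} assigned a string literal"))
    return sorted(findings)


# Constructed sample input: deliberately weak code for the analyzer to scan.
SAMPLE = '''\
import os, subprocess, pickle

DB_PASSWORD = "hunter2"

def run(user_cmd):
    os.system("ls " + user_cmd)
    subprocess.run("grep " + user_cmd, shell=True)
    subprocess.run(["grep", user_cmd])   # list form, no shell: not flagged

def load(blob):
    return pickle.loads(blob)

def calc(expr):
    return eval(expr)
'''

if __name__ == "__main__":
    for line, msg in analyze(SAMPLE):
        print(f"line {line}: {msg}")
```

Running the module reports five findings on the constructed sample (lines 3, 6, 7, 11 and 14) and nothing for the list-form subprocess call on line 8. The point to note for supply chain risk is that nothing here requires the package to be built or run: the same scan can be applied to code you buy, code you integrate and code you write, which is why static analysis is a practical first gate on third-party components.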