Source Code Analysis Laboratory (SCALe)
Coding errors cause the majority of software vulnerabilities. For example, 64 percent of the nearly 2,500 vulnerabilities in the National Vulnerability Database in 2004 were caused by programming errors.
The CERT Program's Source Code Analysis Laboratory (SCALe) offers conformance testing of C language software systems against the CERT C Secure Coding Standard and the CERT Oracle Secure Coding Standard for Java. SCALe applies conformance assessment in accordance with ISO/IEC 17000: "a demonstration that specified requirements relating to a product, process, system, person, or body are fulfilled."
SCALe evaluates client source code using multiple analyzers. Static analysis techniques, while effective, are prone to both false positives and false negatives. SCALe combines static analysis with dynamic analysis and fuzz testing, which can stress test the code.
The CERT Program reports to the client any deviations from secure coding standards. The client may then repair and resubmit the software for reevaluation. Once the process is completed, a report detailing the conformance or nonconformance to each secure coding rule is provided to the client.
Conformance Testing Process
SCALe does not test for unknown code-related vulnerabilities, high-level design and architectural flaws, the code's operational environment, or the code's portability. Conformance testing is performed for a particular set of software, running in a particular translation environment under particular control options. Translation of programs is performed for, and supports execution of functions in, a particular execution environment.
If the analysis finds that the software conforms to secure coding standards, CERT issues a certificate of conformance for the particular software system. Issuance of a certificate indicates that the software system has completed a rigorous SCALe conformance testing process and that no provably nonconforming violations of the rules for the CERT C Secure Coding Standard or the CERT Oracle Secure Coding Standard for Java have been identified. Issuance of a certificate does not provide any guarantees that the software is entirely and permanently secure.
To learn more about SCALe, read the technical note Source Code Analysis Laboratory (SCALe) (CMU/SEI-2012-TN-013) or watch a free webinar.
To learn how SCALe can help DoD acquisition programs address software security, read the technical note Supporting the Use of CERT Secure Coding Standards in DoD Acquisitions (CMU/SEI-2012-TN-016).
To learn about Android secure coding rules, guidelines, and static analysis that were developed as part of the Mobile SCALe project, read the technical report Mobile SCALe: Rules and Analysis for Secure Java and Android Coding (CMU/SEI-2013-TR-015).
If you are interested in SCALe conformance testing, please contact email@example.com.