The Challenge of Artifacts and Summaries for Analysis Tool Execution and Qualification

ABSTRACT

The May 2021 Executive Order (EO) on improving cybersecurity brought immediacy to chronic problems. A key component of improving the cybersecurity of the supply chain is assuring the security of the software supplied. Software developers have long used tools to gain such assurance, both during software construction and during postproduction verification. The EO requires developers to provide artifacts or summaries from the tools to those who use the software. We present criteria for such artifacts and summaries: they must be easy to produce, actually contribute to security, and be amenable to user checking. We note some potentially useful artifacts and summaries. We also briefly sketch how developers might qualify the tools they use.

BIO

Paul E. Black has nearly 20 years of industrial experience in areas such as developing software for integrated circuit (IC) design and verification, assuring software quality, and managing business data processing. The web site he began and edits, the Dictionary of Algorithms and Data Structures (https://xlinux.nist.gov/dads/), was accessed almost 20,000 times a day from all over the world. He began his Ph.D. at UC Berkeley, then transferred to Brigham Young University where he graduated in 1998. He taught classes at BYU and Johns Hopkins University. Dr. Black has published in the areas of software assurance and testing, formal methods, software verification, quantum computing, software configuration control, and networks and queuing analysis. He is a life senior member of IEEE and a member of ACM and the IEEE Computer Society.

 

License: CC-2.5