Keeping sensitive data and assets safe is the goal of regulatory cybersecurity frameworks like NIST (National Institute of Standards and Technology). But for government agency security professionals, staying compliant can feel like a Sisyphean task due to the complexity of applying the controls themselves. It’s especially difficult to attempt to apply these controls without the […]… Read More
US NIST updates its Automated Combinatorial Testing for Software (ACTS) research toolkit that should help experts in finding bugs in complex safety-critical applications.
US NIST announced updated for its Automated Combinatorial Testing for Software (ACTS) research toolkit that should allow developers easily spot software errors in complex
The ACTS toolkit allows development teams to check their products correctly respond to simultaneous inputs that could trigger security vulnerabilities.
The toolkit, developed by researchers from NIST along with the University of Texas at Arlington, Adobe, and SBA Research, the research center for information security in Austria, is particularly useful for testing large and complex systems with thousands of input variables.
The NIST announced that the ACTS toolkit now includes an updated version of Combinatorial Coverage Measurement (CCM), a tool that should help improve safety as well as reduce software costs.
The improvements should help developers to improve the safety of their systems and to reduce development costs.
“Before we revised CCM, it was difficult to test software that handled thousands of variables thoroughly,” wrote NIST mathematician Raghu Kacker. “That limitation is a problem for complex modern software of the sort that is used in passenger airliners and nuclear power plants, because it’s not just highly configurable, it’s also life critical. People’s lives and health are depending on it.”
The early version of the NIST tools was able to handle software that had a few hundred input variables. Another tool developed by the SBA Research could be used to analyze software that has up to 2,000 input
“The two tools can be used in a complementary fashion: While the NIST software can measure the coverage of input combinations, the SBA algorithm can extend coverage to thousands of variables.” added
Even is the SBA Research algorithm was not yet integrated into the ACTS toolkit, the team plans to include it in the future. Waiting for the integration, NIST will make the algorithm available to any developer who requests it.
The post NIST ACTS Toolkit could find Finds bugs safety-critical systems appeared first on Security Affairs.
We entrust our lives to software every time we step aboard a high-tech aircraft or modern car. A long-term research effort guided by two researchers at the National Institute of Standards and Technology (NIST) and their collaborators has developed new tools to make this type of safety-critical software even safer. Augmenting an existing software toolkit, the research team’s new creation can strengthen the safety tests that software companies conduct on the programs that help control … More
The post Researchers develop new tool for safety-critical software testing appeared first on Help Net Security.
- Have you documented security incidents? How did you remediate those incidents?
- Do you have the result of your last business continuity test? If yes, can you share it?
- What security controls exist for your users? Do they use multifactor authentication, etc.?
- How are you maturing your security program?
- Are you ISO, SOC 1/SOC 2, and NIST Compliant, and is there documentation to support this?
If you’re unsatisfied with the answers from a potential partner regarding their security, it’s OK to walk away, especially if you make the determination that working with the vendor may not be critical to your business.
- Remediation: Can you work with the vendor to remediate the technical risk?
- Compensating controls: If you cannot remediate the risks entirely, can you establish technical compensating controls to minimise or deflect the risk?
These are policies that users of the offering should follow, such as limits on the types and amounts of data that can be input securely. Some typical policy scenarios include:
- Regulatory compliance: For example, a vendor’s non-compliance could mandate you walk away from a third-party relationship.
- Contractual obligations: Are there contractual obligations in place with your existing clients that prevent you from working vendors who don’t meet certain security and privacy standards?
- Security best practices: Ensure your policies around risk are enforced and determine whether they may conflict with your vendors’ policies.