Application Security/Software Assurance
Education Level: Intermediate
5216 - Decision-making Factors in Software Testing Tool Selection
Tuesday, September 26
1:45 PM - 2:45 PM
Thomas Scanlon, ScD
Cyber Security Researcher
Software Engineering Institute - Carnegie Mellon University
Vulnerabilities in software can provide a gateway for adversaries to stage unauthorized system activities. To assist software developers with reducing and mitigating such vulnerabilities, numerous software testing tools are now available. Classes of tools include offerings for static code analysis, dynamic code analysis, origin analysis, supply chain management, fuzzing and correlation. With a growing number of tools in all classes available for detecting vulnerabilities in software, how do software developers decide which tools to invest time, money and personnel into using? There is no single tool or combination of testing tools that suits all software projects; each project has its own unique attributes that lend themselves to a given tool set.
This talk will present an overview of the types of testing tools available and provide advice and guidance for software developers on how to select an effective combination of tools for a given project. This will include a discussion of relevant tool decision-making factors, such as whether the code is written in-house or outsourced; programming language and platform used; whether it includes third-party libraries or open-source components; what type of environment the code will be deployed to; budget and resources available; compliance and regulatory concerns; and other technical constraints.
In short, the talk will offer insight on how to decide where to spend limited resources for software testing tools.
- Identify the classes of software vulnerability detection tools and understand the benefits and limitations of each.
- Know and understand many of the factors to consider when deciding which software vulnerability detection tools to utilize.
- Devise a strategy for selecting software vulnerability detection tools for a given project, especially in the context of limited available resources.