Keep up with the latest cybersecurity threats, newly discovered vulnerabilities, data breach information, and emerging trends. Delivered daily or weekly right to your email inbox.
NIST Offers Improved Software Testing
Combinatorial testing is a software testing method that the National Institute of Science and Technology (NIST) likes a lot.
April 29, 2019
3 Min Read
Combinatorial testing is a method for more effective software testing that the National Institute of Science and Technology (NIST) likes a lot.
They ran studies from 1999 to 2004 showing that most software bugs and failures are caused by one or two parameters of input, with progressively fewer by three or more.
They call this the interaction rule, and it is a roadmap for more efficient testing than those given with conventional methods. NIST says that it has multiple studies showing fault detection results equal to exhaustive testing with a 20X to 700X reduction in test set size.
The software industry often spends seven to 20 times as much money rendering safety-critical software reliable as it does on more conventional code, so improvements in testing have been called for by designers.
This is not fuzzing, as the term is commonly used in software development. Fuzzing (or fuzz testing) is an software testing technique using invalid, unexpected, or random data as inputs to a program. The program is then monitored for faults such as crashes, failing built-in code assertions, or potential memory leaks. The NIST approach uses normal and valid ranges of inputs for its testing and observation.
Fuzzing checks for what happens when input goes out of bounds and is "unsanitary," while NIST techniques check for what happens when a program's inputs are within norms but changing relative to other inputs.
Anyway, NIST announced the first revision since 2015 of its Automated Combinatorial Testing for Software, or ACTS.
Researchers from the University of Texas at Arlington, Adobe Systems Inc. and Austria's SBA Research announced at last week's IEEE International Conference on Software Testing, Verification and Validation in China that they had updated a version of Combinatorial Coverage Measurement (CCM) to include extensions to it by SBA Research.
NIST's internal tools were able to handle software that had a few hundred input variables, but SBA Research developed another new tool that can examine software that has up to 2,000. This increase can generate a test suite for up to five-way combinations of input variables.
The two tools can be used in a complementary fashion: While the NIST software can measure the coverage of input combinations, the SBA algorithm can extend coverage to thousands of variables. While the SBA Research algorithm is not an official part of the ACTS test suite, the team says that it has plans to bundle it with ACTS in the future.
NIST will make the algorithm available to any developer who requests it.
"Before we revised CCM, it was difficult to test software that handled thousands of variables thoroughly," NIST mathematician Raghu Kacker said in a statement. "That limitation is a problem for complex modern software of the sort that is used in passenger airliners and nuclear power plants, because it's not just highly configurable, it's also life critical. People's lives and health are depending on it."
— Larry Loeb has written for many of the last century's major "dead tree" computer magazines, having been, among other things, a consulting editor for BYTE magazine and senior editor for the launch of WebWeek.
Read more about:Security Now
About the Author(s)
Larry Loeb has written for many of the last century's major "dead tree" computer magazines, having been, among other things, a consulting editor for BYTE magazine and senior editor for the launch of WebWeek. He has written a book on the Secure Electronic Transaction Internet protocol. His latest book has the commercially obligatory title of Hack Proofing XML. He's been online since uucp "bang" addressing (where the world existed relative to !decvax), serving as editor of the Macintosh Exchange on BIX and the VARBusiness Exchange. His first Mac had 128 KB of memory, which was a big step up from his first 1130, which had 4 KB, as did his first 1401. You can e-mail him at [email protected].
You May Also Like
Unbiased Testing. Unbeatable ResultsFeb 22, 2024
Unbiased Testing. Unbeatable ResultsFeb 22, 2024
Your Everywhere Security guide: Four steps to stop cyberattacksFeb 27, 2024
Your Everywhere Security Guide: 4 Steps to Stop CyberattacksFeb 27, 2024
API Security: Protecting Your Application's Attack SurfaceFeb 29, 2024
Use the 2023 MITRE ATT&CK Evaluation Results for Turla to Inform EDR Buying Decisions
A Solution Guide to Operational Technology Cybersecurity
Zero Trust Access For Dummies, 2nd Fortinet Special Edition
2023 Work-from-Anywhere Global Study
Buyer's Guide: Choosing a True DevSecOps Solution for Your Apps on AWS