Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Application Security

4/29/2019
10:25 AM
Larry Loeb
Larry Loeb
Larry Loeb
50%
50%

NIST Offers Improved Software Testing

Combinatorial testing is a software testing method that the National Institute of Science and Technology (NIST) likes a lot.

Combinatorial testing is a method for more effective software testing that the National Institute of Science and Technology (NIST) likes a lot.

They ran studies from 1999 to 2004 showing that most software bugs and failures are caused by one or two parameters of input, with progressively fewer by three or more.

They call this the interaction rule, and it is a roadmap for more efficient testing than those given with conventional methods. NIST says that it has multiple studies showing fault detection results equal to exhaustive testing with a 20X to 700X reduction in test set size.

The software industry often spends seven to 20 times as much money rendering safety-critical software reliable as it does on more conventional code, so improvements in testing have been called for by designers.

This is not fuzzing, as the term is commonly used in software development. Fuzzing (or fuzz testing) is an software testing technique using invalid, unexpected, or random data as inputs to a program. The program is then monitored for faults such as crashes, failing built-in code assertions, or potential memory leaks. The NIST approach uses normal and valid ranges of inputs for its testing and observation.

Fuzzing checks for what happens when input goes out of bounds and is "unsanitary," while NIST techniques check for what happens when a program's inputs are within norms but changing relative to other inputs.

Anyway, NIST announced the first revision since 2015 of its Automated Combinatorial Testing for Software, or ACTS.

Researchers from the University of Texas at Arlington, Adobe Systems Inc. and Austria's SBA Research announced at last week's IEEE International Conference on Software Testing, Verification and Validation in China that they had updated a version of Combinatorial Coverage Measurement (CCM) to include extensions to it by SBA Research.

NIST's internal tools were able to handle software that had a few hundred input variables, but SBA Research developed another new tool that can examine software that has up to 2,000. This increase can generate a test suite for up to five-way combinations of input variables.

The two tools can be used in a complementary fashion: While the NIST software can measure the coverage of input combinations, the SBA algorithm can extend coverage to thousands of variables. While the SBA Research algorithm is not an official part of the ACTS test suite, the team says that it has plans to bundle it with ACTS in the future.

NIST will make the algorithm available to any developer who requests it.

"Before we revised CCM, it was difficult to test software that handled thousands of variables thoroughly," NIST mathematician Raghu Kacker said in a statement. "That limitation is a problem for complex modern software of the sort that is used in passenger airliners and nuclear power plants, because it's not just highly configurable, it's also life critical. People's lives and health are depending on it."

— Larry Loeb has written for many of the last century's major "dead tree" computer magazines, having been, among other things, a consulting editor for BYTE magazine and senior editor for the launch of WebWeek.

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
COVID-19: Latest Security News & Commentary
Dark Reading Staff 8/10/2020
Researcher Finds New Office Macro Attacks for MacOS
Curtis Franklin Jr., Senior Editor at Dark Reading,  8/7/2020
Hacking It as a CISO: Advice for Security Leadership
Kelly Sheridan, Staff Editor, Dark Reading,  8/10/2020
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Current Issue
Special Report: Computing's New Normal, a Dark Reading Perspective
This special report examines how IT security organizations have adapted to the "new normal" of computing and what the long-term effects will be. Read it and get a unique set of perspectives on issues ranging from new threats & vulnerabilities as a result of remote working to how enterprise security strategy will be affected long term.
Flash Poll
The Changing Face of Threat Intelligence
The Changing Face of Threat Intelligence
This special report takes a look at how enterprises are using threat intelligence, as well as emerging best practices for integrating threat intel into security operations and incident response. Download it today!
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2020-15596
PUBLISHED: 2020-08-12
The ALPS ALPINE touchpad driver before 8.2206.1717.634, as used on various Dell, HP, and Lenovo laptops, allows attackers to conduct Path Disclosure attacks via a "fake" DLL file.
CVE-2020-15868
PUBLISHED: 2020-08-12
Sonatype Nexus Repository Manager OSS/Pro before 3.26.0 has Incorrect Access Control.
CVE-2020-17362
PUBLISHED: 2020-08-12
search.php in the Nova Lite theme before 1.3.9 for WordPress allows Reflected XSS.
CVE-2020-17449
PUBLISHED: 2020-08-12
PHP-Fusion 9.03 allows XSS via the error_log file.
CVE-2020-17450
PUBLISHED: 2020-08-12
PHP-Fusion 9.03 allows XSS on the preview page.