ST14: Having a Defined Target for Software Security Testing
Bob Martin — Mitre
Most organizations want assurance that their software has been tested for known security issues. Government, in conjunction with industry and academia, is working to make this economical and effective. The acquisition groups in large government and private organizations are moving to require that this type of testing be part of future contracts. The tools and services that can be used for evaluating source code, design, and architecture are maturing; however, there are no standards defining these types of capabilities. This lack of defined standards leaves open the question of which tool or service is appropriate, or better, for a particular job and how effective they are. Government, industry, and academia are working together to develop a dictionary of software weakness types and an assessment approach to help mature this new code-based security assessment industry, and to dramatically accelerate the use and utility of these capabilities in testing the software systems they acquire, develop, and use.
Last Updated ( Friday, 13 July 2007 )