
NIST publishes 50kish vulnerable code samples in Java/C/C++, is officially krad

NIST has published a fantastic project (it's been out since late December, but I only just became aware of it) in which they've created vulnerable code test cases for much of MITRE's CWE project in Java and C/C++. From the README:

"This archive contains test cases intended for use by organizations and
individuals that wish to study software assurance tools, such as static
source code and binary analysis tools.

What are test cases?
Test cases are pieces of buildable code that can be used to study software
assurance tools.  A test case targets exactly one type of flaw, but other,
unrelated flaws may be incidentally present.  For example, the test case
"CWE476_NULL_Pointer_Dereference__String_01" targets only a NULL Pointer
Dereference flaw.  In addition to the construct containing the target flaw,
each test case contains one or more non-flawed constructs that perform a
function similar to the flawed construct. 

A test case may be contained entirely in one source code file or may be split
between multiple files." - NIST

If you're new to software security and wish to learn what vulnerabilities in code look like, this is a great central repository to get started with.
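As an added illustration (not a file from the NIST suite), here is what a test case built on the README's rules looks like in C, for the CWE-476 case it names: one flawed construct plus two non-flawed constructs that do similar work. The function names are my own, and the INCLUDEMAIN/OMITBAD/OMITGOOD switches are my assumption of the suite's build convention.

```c
/* Juliet-style layout for CWE-476 (NULL pointer dereference), written
 * for this post; not the NIST file. Names and build macros are assumed. */
#include <stddef.h>
#include <stdio.h>

/* Sink shared by every construct: count characters, which dereferences data. */
static size_t use_string(const char *data) {
    size_t n = 0;
    while (data[n] != '\0') {     /* dereferences data */
        n++;
    }
    return n;
}

/* Flawed construct: a NULL source reaches the unchecked sink. */
size_t cwe476_string_bad(void) {
    const char *data = NULL;      /* POTENTIAL FLAW: data set to NULL */
    return use_string(data);      /* POTENTIAL FLAW: NULL dereferenced here */
}

/* Good construct G2B: a valid source feeds the same unchecked sink. */
size_t cwe476_string_good_g2b(void) {
    const char *data = "Good";    /* FIX: data points at a real string */
    return use_string(data);
}

/* Good construct B2G: the NULL source stays, but the sink checks first. */
size_t cwe476_string_good_b2g(void) {
    const char *data = NULL;
    if (data == NULL) {           /* FIX: check for NULL before use */
        return 0;
    }
    return use_string(data);
}

#ifdef INCLUDEMAIN
int main(void) {
#ifndef OMITGOOD
    printf("goodG2B -> %zu\n", cwe476_string_good_g2b());
    printf("goodB2G -> %zu\n", cwe476_string_good_b2g());
#endif
#ifndef OMITBAD
    printf("bad -> %zu\n", cwe476_string_bad());   /* crashes: that is the flaw */
#endif
    return 0;
}
#endif
```

A static analyser run over this file should flag only the `bad` function; the two `good` variants exist so that a tool which also reports them can be measured for false positives.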

Project Page: http://samate.nist.gov/SRD/testsuite.php
Java Direct Download: http://samate.nist.gov/SRD/testCases/suites/Juliet-2010-12.java.zip
C/C++ Direct Download: http://samate.nist.gov/SRD/testCases/suites/Juliet-2010-12.c.cpp.zip


thanks for sharing! even though you thought it is a "late news", there were other people that also did not know ;-)