It is SUGGESTED that at least one dynamic analysis tool be applied to any proposed major production release of the software before its release. #470

v0lkan · 2023-07-05T23:28:13Z

A dynamic analysis tool examines the software by executing it with specific inputs. For example, the project MAY use a fuzzing tool (e.g., American Fuzzy Lop) or a web application scanner (e.g., OWASP ZAP or w3af). In some cases the OSS-Fuzz project may be willing to apply fuzz testing to your project. For purposes of this criterion the dynamic analysis tool needs to vary the inputs in some way to look for various kinds of problems or be an automated test suite with at least 80% branch coverage. The Wikipedia page on dynamic analysis and the OWASP page on fuzzing identify some dynamic analysis tools. The analysis tool(s) MAY be focused on looking for security vulnerabilities, but this is not required.

v0lkan added this to Aegis Jul 4, 2023

v0lkan converted this from a draft issue Jul 5, 2023

v0lkan added the openssf label Jul 5, 2023

v0lkan added this to Aegis Open SSF Compliance Jul 5, 2023

v0lkan removed this from Aegis Jul 5, 2023

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

It is SUGGESTED that at least one dynamic analysis tool be applied to any proposed major production release of the software before its release. #470

It is SUGGESTED that at least one dynamic analysis tool be applied to any proposed major production release of the software before its release. #470

v0lkan commented Jul 5, 2023

It is SUGGESTED that at least one dynamic analysis tool be applied to any proposed major production release of the software before its release. #470

It is SUGGESTED that at least one dynamic analysis tool be applied to any proposed major production release of the software before its release. #470

Comments

v0lkan commented Jul 5, 2023