The last two days I’ve spent at NIST attending the Software Assurance Forum. This has been really enjoyable for me! I am visiting a long time friend in Gaithersburg, MD who works at NIST and organized the Static Analysis Tools Expo as part of the conference. There has been a lot of development in the last few years on automating tools to check for various problems in code. The goal is somewhat related to the formal methods being studied in the lab I worked with in grad school in that both are trying to show that programs are correct although the approach is very different. Analysis of programs is done in different ways by different vendors – some on the source code, some on the executable. The SATE project is looking at various tools to do empirical research on large data sets. Seven or eight tool vendors participated this year using their tools and analysis of real world programs and associated CVEs. There is some very exceptional work going on in this field.