STANCE is a multi-disciplinary initiative with the objective of driving scientific and technological breakthroughs in the domain of software security. Over three years, STANCE will define, implement and validate a set of program analysis tools capable of verifying the security of complex software systems made in C, C++ and Java. STANCE proposes to build on existing assets: formal methods, state-of-the-art static and dynamic program analysis tools, security evaluation expertise, and industry-specific knowledge will be used and significantly extended. The resulting program analysis toolbox and supporting methods will increase the trustworthiness and the cost-effectiveness of existing security-oriented processes. These innovations will durably alter the domain of software security assurance, with broad consequences on its legal, societal, and economic aspects.

More specifically, the objective of STANCE is to define, implement and distribute a toolbox – a set of source code analysis tools – capable of verifying the security properties of applications written in C, C++, and Java. STANCE will rely on existing analysis tools:

• The Frama-C platform, an extensible and collaborative platform dedicated to the source-code analysis of C software
• The VeriFast verifier, an analyser for C and Java source code annotated with formulas written in separation logic
• The Flinder tool, which does injection-based white box security testing, allowing deep inspection of function-level code constructs

STANCE is a project funded by the European Commission, under the ICT theme of the Seventh Framework Programme