The Software Quality Assurance (SQA) project develops tools and techniques for analyzing software to identify potential security vulnerabilities associated with critical national infrastructure and networks. Specifically, this project addresses fundamental challenges with software security analysis and flaws in software code development. By identifying and correcting the root causes of software vulnerabilities, the SQA project allows developers of software products to test the security of their software using improved source code analysis techniques to discover and eliminate weaknesses early in the software development process. This testing helps reduce the number of vulnerabilities in the software supply chain and improves overall software security.
The nation’s critical infrastructure (e.g., energy, transportation, financial services) and society as a whole are extensively and increasingly controlled by software. However, weaknesses in software expose vulnerabilities that put these critical infrastructure resources at risk. As of October 2017, the National Vulnerability Database (NVD) reported more than 12,000 vulnerabilities in the calendar year. That's nearly double the number reported in 2015 and 2016. This risk is compounded by software size and complexity and the growing reliance on reusable software code and open-source software in organizations.
In recent years, the open-source technology model has gained considerable momentum in the commercial market as well as throughout government information technology (IT) systems. Thousands of open-source software systems and tools are used across the federal government. Such software is not fully tested, and its maintenance, development and use are uncoordinated. The need for assured software is reflected in multiple sections of the 2016 Federal Cybersecurity Research and Development Strategic Plan (PDF, 52 pages, 950.39 KB).
The SQA project is developing technical resources that will help the broader software assurance community. These resources help address some of the fundamental challenges associated with software assurance such as the high false-positive rates generated by current static code analysis tools and the need for techniques that maximize the level of precision and/or recall in software analysis. SQA technologies and knowledge products have been successfully piloted with numerous federal government customers (e.g., DHS Science and Technology Directorate Chief Information Officer, Domestic Nuclear Detection Office, National Institute of Standards and Technology). Project success will be realized when these knowledge products are transitioned broadly to the software assurance community and the Software Assurance Market Place (SWAMP).
Trustees of Indiana University: Reducing False Positives reported by Static Code Analysis
The Trustees of Indiana University are developing a systematic approach for reducing the rate of false positives reported by static code analysis tools. It aims to create an anonymized knowledge base of real code snippets that cause false positives and make it available to static code analysis tool developers.
Indiana University-Purdue University Indianapolis (IUPUI): Reducing False Positives reported by Static Code Analysis
IUPUI parses the code snippets into an abstract syntax tree, which the Trustees of Indiana University will transform into a generic text model, providing a technology-, programming-language-, and platform-independent approach to reducing false positives.
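The pipeline sketched above (snippet to abstract syntax tree, tree to an anonymized generic text model, model shared as a knowledge base of known false positives) can be shown end to end in a few dozen lines. The following Python is an added example, not code from the SQA, IUPUI or Indiana University projects: the rule name `possible-null-dereference`, the snippets, and every function name are constructed for illustration. It anonymizes identifiers and literals so that the stored model reveals no proprietary names, then matches an incoming finding by structural fingerprint.

```python
"""Anonymize Python snippets into a language-neutral structural model and match
them against a knowledge base of snippets known to trigger false positives.

Added example (not SQA/IUPUI project code). The rule name, the helper names
and the sample snippets are constructed for illustration.
"""
import ast
import hashlib


class _Anonymizer(ast.NodeTransformer):
    """Replace user-chosen identifiers and literal values with placeholders.

    Identifiers are numbered in order of first appearance, so two snippets with
    the same shape but different naming yield the same model. Attribute names
    (e.g. ``.read``) are kept: they usually name an API the analysis rule cares
    about, not proprietary code. None/True/False are kept because guards such
    as ``if x is None`` are exactly what a false-positive pattern records.
    """

    def __init__(self):
        self._names = {}

    def _placeholder(self, name):
        if name not in self._names:
            self._names[name] = "ID%d" % len(self._names)
        return self._names[name]

    def visit_FunctionDef(self, node):
        node.name = self._placeholder(node.name)
        node.decorator_list = []
        node.returns = None
        self.generic_visit(node)          # visits args before body
        return node

    def visit_arg(self, node):
        node.arg = self._placeholder(node.arg)
        node.annotation = None
        return node

    def visit_Name(self, node):
        node.id = self._placeholder(node.id)
        return node

    def visit_Expr(self, node):
        # Drop docstrings / bare string statements: they carry no structure.
        if isinstance(node.value, ast.Constant) and isinstance(node.value.value, str):
            return None
        self.generic_visit(node)
        return node

    def visit_Constant(self, node):
        v = node.value
        if v is None or isinstance(v, bool):
            return node
        if isinstance(v, str):
            node.value = "STR"
        elif isinstance(v, (int, float, complex)):
            node.value = "NUM"
        else:
            node.value = "LIT"
        return node


def to_generic_model(source):
    """Parse ``source`` and render its anonymized AST as a plain text model."""
    tree = _Anonymizer().visit(ast.parse(source))
    return ast.dump(tree, annotate_fields=False)


def fingerprint(source):
    """Stable identifier for a snippet's structure (SHA-256 of the text model)."""
    return hashlib.sha256(to_generic_model(source).encode("utf-8")).hexdigest()


# Constructed knowledge base: a snippet that a hypothetical checker flags even
# though the early-return guard makes the dereference safe.
KNOWN_FALSE_POSITIVES = [
    {
        "rule": "possible-null-dereference",   # placeholder rule name
        "snippet": (
            "def read_config(handle):\n"
            "    if handle is None:\n"
            "        return ''\n"
            "    return handle.read()\n"
        ),
    },
]


def build_knowledge_base(entries):
    """Map structural fingerprints to the rule they are a known false positive for."""
    return {fingerprint(e["snippet"]): e["rule"] for e in entries}


def match_known_false_positive(source, kb):
    """Return the rule name if ``source`` has a recorded false-positive shape."""
    return kb.get(fingerprint(source))


# Constructed inputs: same shape with different names, and an unguarded variant.
GUARDED_SNIPPET = (
    "def load_settings(fp):\n"
    "    if fp is None:\n"
    "        return ''\n"
    "    return fp.read()\n"
)
UNGUARDED_SNIPPET = "def load_settings(fp):\n    return fp.read()\n"

if __name__ == "__main__":
    kb = build_knowledge_base(KNOWN_FALSE_POSITIVES)
    print(to_generic_model(GUARDED_SNIPPET))
    print("guarded   ->", match_known_false_positive(GUARDED_SNIPPET, kb))
    print("unguarded ->", match_known_false_positive(UNGUARDED_SNIPPET, kb))
```

Because the knowledge base stores only fingerprints of the anonymized model, it can be published to tool developers without exposing the original source; the same shape is recognized whichever identifiers a project used, while the unguarded variant, which the checker is right to flag, does not match.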
Ball State University is the lead institution in the Security and Software Engineering Research Center (S2ERC). It currently leads two efforts under the S2ERC project. The Code Duplication Project examines different techniques to maximize precision and recall. The BugSpec project develops a comprehensive test suite for Linux, macOS and Windows that can be used as a standalone test suite or integrated with others (e.g., Static Assurance Metrics and Tool Evaluation, SAMATE).