WASHINGTON—The Department of Homeland Security (DHS) Science and Technology Directorate (S&T) has awarded a $7.86 million contract to Kestrel Technology, LLC of Palo Alto, California to expand the coverage capabilities of static analysis tools used to detect potential vulnerabilities in new software systems and increase developer confidence in those tools.
The award is issued as part of the Homeland Security Advanced Research Projects Agency Cyber Security Division’s (CSD) Software Assurance Program, which is working with cybersecurity researchers in academia and the private sector to develop tools, techniques and capabilities that will advance the technologies used to analyze software for weaknesses that expose vulnerabilities. The Static Tool Analysis Modernization Project (STAMP) addresses the presence of weaknesses in software and deals with the root problem by improving software security before the developer releases it.
“An investment in upgrading the effectiveness of static analysis tools, and increasing developer confidence in them, will pay off in the long run,” said DHS Acting Under Secretary for Science and Technology Dr. Robert Griffin. “Better tools will lead to better cybersecurity products to protect government and private-sector critical infrastructure and networks.”
Current static analysis tools have not kept pace with modern software, specifically its overall size and complexity, which make it more difficult for these tools to perform accurately. For instance, a study by SWAMP found that none of the tools were able to find the weakness in OpenSSL that exposed the Heartbleed vulnerability in April 2014. Additionally, developers are less inclined to use software analysis tools if these tools generate a high number of false positives.
Kestrel Technology will take a two-pronged approach in its research, titled “STARLITE: Static Analysis Architecture and Lifecycle Implementation, Test and Evaluation.” In the first area, it will expand the scope of coverage offered by static analysis tools by adding capabilities for Java test generation and .NET support and analysis tools, creating C/C++ vulnerability injectors, and developing plugins for commonly used software assurance and development tools to support continuous integration and delivery of software systems. The second area will focus on improving usability by decoupling the monolithic tool architecture that prevents developers from leveraging the strengths of many tools together to improve coverage. A tool study conducted by the National Security Agency’s Center for Assured Software suggests that using multiple static analysis tools may help improve coverage.
“The limited capabilities and poor performance of current static analysis tools are leading reasons why developers do not use them,” said Kevin Greene, program manager of the CSD Software Assurance Program. “Tools slow them down and clog up their continuous integration and delivery pipelines. This new S&T research will help reverse this trend, increase the use of static analysis tools and ultimately lead to the development of more secure software that is better able to thwart cyberattacks.”
CSD’s mission is to enhance the security and resilience of the nation’s critical information infrastructure and the Internet by developing and delivering new technologies, tools and techniques to defend, mitigate and secure current and future systems, networks and infrastructure against cyberattacks. To this end, the division conducts and supports technology transitions and leads and coordinates R&D among department customers, government agencies, the private sector, academia and international partners. For more information about CSD, visit https://www.dhs.gov/cyber-research or email SandT.PCS@hq.dhs.gov.