Washington, DC—The Department of Homeland Security (DHS) Science and Technology Directorate (S&T) has awarded Applied Visions, Inc. of Northport, New York a $16,339,743 contract to develop a Unified Threat Management (UTM) system that will help software developers better analyze code for cyber vulnerabilities.
The award is issued under the Homeland Security Advance Research Projects Agency (HSARPA) Cyber Security Division’s (CSD) Software Assurance Program, which is working with cybersecurity researchers in academia and the private sector to develop tools and techniques for advancing software analysis capabilities in detecting potential security vulnerabilities. The Application Security Threat and Attack Modeling (ASTAM) project is developing the open-source tool to advance methods for defending against application-specific attacks.
The UTM system will provide coverage throughout the software development lifecycle. It will be comprised of multiple tools used by software developers to analyze software systems and identify potential risks, security threats and vulnerabilities. The new tool also will have the capability to recommend countermeasures to prevent or mitigate the effects of threats.
“The growing number of attacks on poorly developed software systems is clear evidence that there is a pressing need for a better system to identify security threats and resolve potential vulnerabilities while software is still in the development stage,” said S&T CSD Director Douglas Maughan. “This comprehensive and innovative Unified Threat Management system will make it easier for developers to identify and remediate weaknesses in code before these vulnerabilities lead to unexpected expenses or theft of sensitive proprietary information for their clients.”
Through its research, Applied Visions and its partners will develop and integrate the following components of the UTM system:
• Hybrid Analysis Mapping—Often static application security testing and dynamic application security testing are conducted separately and at different times in the software development and deployment lifecycle. A hybrid approach will improve the analysis, pinpoint more exploitable weaknesses, reduce false-positives and improve situational awareness across cybersecurity assessment activities.
• Application Threat Modeling—Threat modeling is best applied continuously throughout a software development project. This threat modeling platform and analysis engine continuously will inform the developer of risks, threats and exposures as software is being created.
• Attack Simulation and Countermeasures Modeling—The WhiteHat Security Web Application Security Statistic Report notes that the window of exposure for unpatched or vulnerable systems can range up to 275 days, leaving the software vulnerable to compromise. This model will detect and recommend to developers real-time remediation responses, capabilities and countermeasures to help correct security exposures.
• Continuous Monitoring and Assessment Modeling—Continuous monitoring and testing of key technical security controls is essential for developers to validate and verify that the controls are commensurate to risks. This model will incorporate real-time, automated application security and software assurance into the continuous monitoring process.
“The integrated Unified Threat Management system will facilitate the sharing of critical information and notifications between the four independent components, enabling each to work automatically and in unison to improve the quality and security of software systems,” said Kevin Greene, program manager of CSD’s Software Assurance Program. “It will be expandable so additional functional components can be built and added to its framework. This new system will improve software security by leveraging context from multiple assessment activities in an automated and continuous approach across the software development lifecycle.”
CSD’s mission is to enhance the security and resilience of the nation’s critical information infrastructure and the Internet by developing and delivering new technologies, tools and techniques to defend, mitigate and secure current and future systems, networks and infrastructure against cyberattacks. To this end, the division conducts and supports technology transitions and leads and coordinates R&D among department customers, government agencies, the private sector, academia and international partners. For more information about CSD, visit cyber research.