The Static Analysis Tools Modernization Project (STAMP) seeks to modernize static code software analysis tools by:
- Improving performance and coverage
- Enabling seamless integration of these tools into DevOps
- Providing more accurate analysis of results through lower false-positive rates
- Providing more visibility into false negatives, which often leave residual risks
In addition to new tools developed and delivered, STAMP will drive new software assurance techniques that advance state-of-the-art capabilities in software analysis tools.
Current static analysis tools have not kept pace with modern software. The complexity and size of today's software make it harder for analysis tools to do their job. These tools often have difficulty tracking data flows through large, complex systems, to the point that they oversimplify the code and make inaccurate assumptions about it. One illustration of the depth of the challenge came after the “Heartbleed” vulnerability, where no software analysis tool had found the flaw in OpenSSL. STAMP research will benefit software assurance tool developers and the software development community as a whole by providing tools suited to today’s complex code.
Software assurance, though a foundational element of cybersecurity and thus applicable to nearly everyone, does not have a clearly defined lead agency in the federal government. While there is widespread acknowledgement that static analysis tools are not meeting today’s testing requirements, modernizing them is not a high priority. Project success is achieved when software tools and test-case generation techniques are transitioned into use by the broader software assurance and software development community, whether through deployment to the Software Assurance Marketplace (SWAMP) or through open-source releases. A longer-term objective is that the community will see the value in keeping software analysis tools current and pursue this on its own.
Kestrel Technology, LLC: This effort is developing an architecture for static software analysis and expanding the breadth of coverage for static analysis tool evaluation and benchmarking, test-case generation, and reporting. Test-case generation and improved tools will be integrated into SWAMP.
GrammaTech: The performer is developing a repeatable methodology for testing, evaluating, and modernizing existing open-source static analysis tools. Test-case generation and improved tools will be integrated into SWAMP.