S&T awards nearly $8 million to enhance open-source software static analysis tools

Published 9 March 2017

The Department of Homeland Security (DHS) Science and Technology Directorate (S&T) has awarded a $7.86 million contract to Kestrel Technology, LLC of Palo Alto, California to expand the coverage capabilities of static analysis tools used to detect potential vulnerabilities in new software systems and increase developer confidence in those tools.

S&T says that the award is issued as part of the Homeland Security Advanced Research Projects Agency Cyber Security Division’s (CSD) Software Assurance Program, which is working with cybersecurity researchers in academia and the private sector to develop tools, techniques and capabilities that will advance the technologies used to analyze software for weaknesses that expose vulnerabilities. The Static Tool Analysis Modernization Project (STAMP) addresses the presence of weaknesses in software and deals with the root problem by improving software security before the developer releases it.

“An investment in upgrading the effectiveness of static analysis tools, and increasing developer confidence in them, will pay off in the long run,” said DHS Acting Under Secretary for Science and Technology Dr. Robert Griffin. “Better tools will lead to better cybersecurity products to protect government and private-sector critical infrastructure and networks.”

Current static analysis tools have not kept pace with modern software; in particular, the overall size and complexity of modern code bases make it more difficult for these tools to perform accurately. For instance, a study by SWAMP found that none of the tools were able to find the weakness in OpenSSL that exposed the Heartbleed vulnerability in April 2014. Additionally, developers are less inclined to use software analysis tools if these tools generate a high number of false positives.

Kestrel Technology will take a two-pronged approach in its research, titled “STARLITE: Static Analysis Architecture and Lifecycle Implementation, Test and Evaluation.” In the first area, it will expand the scope of coverage offered by static analysis tools by adding capabilities for Java test generation and .NET support and analysis tools, creating C/C++ vulnerability injectors, and developing plugins for commonly used software assurance and development tools to support continuous integration and delivery of software systems. The second area will focus on improving usability by decoupling the monolithic tool architecture that prevents developers from combining the strengths of many tools to improve coverage. A tool study conducted by the National Security Agency’s Center for Assured Software suggests that using multiple static analysis tools may help improve coverage.

“The limited capabilities and poor performance of current static analysis tools are leading reasons why developers do not use them,” said Kevin Greene, program manager of the CSD Software Assurance Program. “Tools slow them down and clog up their continuous integration and delivery pipelines. This new S&T research will help reverse this trend, increase the use of static analysis tools and ultimately lead to the development of more secure software that is better able to thwart cyberattacks.”