The Department of Homeland Security (DHS) Science and Technology Directorate (S&T) awarded Kestrel Technology, LLC and GrammaTech, Inc. separate contracts worth about $8 million each to help improve static analysis tools used by developers to detect potential vulnerabilities in new software systems, DHS said the week of March 6.
Both contracts were issued as part of the Homeland Security Advanced Research Project Agency (HSARPA) Cyber Security Division’s (CSD) Software Assurance Program. The program is working with cyber security researchers in the private sector and academia to develop tools, techniques, and capabilities to advance the technologies used to analyze software for potential security vulnerabilities.
This is part of the Static Tool Analysis Modernization Project (STAMP), which addresses the presence of weaknesses in software and deals with the root problem by improving software security before the developer releases it.
S&T highlighted that current static tools have not kept pace with modern software because the tools cannot perform accurately given current software size and complexity. Indeed, none of the tools were able to find the weakness in OpenSSL that exposed the widespread Heartbleed vulnerability in 2014, according to the Software Assurance Marketplace (SWAMP). Developers are also less inclined to use software analysis tools if they generate a high number of false positives, S&T said.
SWAMP is a DHS-funded open, no-cost, computing platform meant to serve as a resource to the software community.
Under its contract Kestrel will specifically expand the coverage capabilities of static analysis tools and increase developer confidence in them. The company will conduct research in a two pronged effort called STARLITE: Static Analysis Architecture and Lifecycle Implementation, Test and Evaluation. The first area will have the company expand the scope of coverage offered by static analysis tools by adding capabilities for Java test generation and .NET support and analysis tools, creating C/C++ vulnerability injectors, and developing plugins for commonly used software assurance and development tools to support continuous integration and delivery of software systems.
The second area will center on improving the usability aspect by “decoupling the monolithic tool architecture that prevents developers from leveraging the strengths of many tools together to improve coverage,” S&T said in a statement.
DHS said a tool study conducted by the National Security Agency’s (NSA) Center for Assured Software suggests using multiple static analysis tools may help improve coverage, with average tools finding only up to 17 percent of security weaknesses in software.
“The limited capabilities and poor performance of current static analysis tools are leading reasons why developers do not use them. Tools slow them down and clog up their continuous integration and delivery pipelines. This new S&T research will help reverse this trend, increase the use of static analysis tools and ultimately lead to the development of more secure software that is better able to thwart cyberattacks,” Kevin Greene, program manager of the CSD Software Assurance Program, said in a statement.
The company “prioritize tests, evaluation efforts and tool improvements based on the needs of the targeted coding languages, application domains and strengths of the static analysis tools,” S&T said.
DHS said that detecting weaknesses could lead to vulnerabilities being found before a product even leaves a software developer’s initial desktop, reducing the cost of software failures and minimizing the attack surface exposed in poorly-developed software. Improving the capabilities and techniques of software analysis tools will also give developers more confidence in using them earlier in the software development process, S&T said.
“This S&T research will play a key role in reinvigorating static analysis tools that will lead to the creation of better, more secure software,” Greene added.