For Immediate Release
DHS Science & Technology Press Office
Contact: S&T Public Affairs, (202) 254-2385
WASHINGTON—The Department of Homeland Security (DHS) Science and Technology Directorate (S&T) has awarded a $8,000,031 contract to Ithaca, New York-based GrammaTech, Inc. to develop a repeatable methodology for testing, evaluating and modernizing open-source static analysis tools used by developers to detect potential vulnerabilities in new software systems.
The award is issued as part of the Cyber Security Division’s Software Assurance Program, which is working with cybersecurity researchers in academia and the private sector to develop tools, techniques and capabilities that will advance the resources used to analyze software for potential security vulnerabilities. The Static Tool Analysis Modernization Project (STAMP) addresses the presence of weaknesses in software and deals with the root problem by improving software security before it is released by the developer.
“Improving the overall security of the software systems used in the nation’s critical infrastructure and networks begins at the early phases of the software-development lifecycle,” said DHS Acting Under Secretary for Science and Technology Dr. Robert Griffin. “Upgrading the effectiveness of static analysis tools will help organizations build better quality software and more secure systems.”
Current static analysis tools have not kept pace with modern software, specifically the overall size and complexity of software that make it more difficult for these tools to perform accurately. For instance, none of the tools were able to find the weakness in OpenSSL that exposed the Heartbleed vulnerability in April 2014, a study by SWAMP found. Additionally, developers are less inclined to use software analysis tools if these tools generate a high number of false-positives.
Through its research—titled “STAMPout: Improving Software Security with Open-Source Static Analysis Tools”—GrammaTech, Inc. will improve the efficiency of static analysis tools across multiple coding languages, including C/C++, Java and dynamic languages such as JavaScript and Python. GrammaTech will prioritize tests, evaluation efforts and tool improvements based on the needs of the targeted coding languages, application domains and strengths of the static analysis tools.
Detecting weaknesses that could lead to vulnerabilities before the product leaves a software developer’s desktop would help reduce the cost of software failures and minimize the attack surface that’s often exposed by poorly developed software. Also, improving the capabilities and techniques of software analysis tools will give developers more confidence in using them earlier in the software-development process.
“A study conducted by the National Security Agency’s Center for Assured Software found on average static analysis tools—whether commercial or open-source—find only up to 17% of security weaknesses in software, leaving considerable room for improvement,” said Kevin Greene, program manager of the Software Assurance Program. “This S&T research will play a key role in reinvigorating static analysis tools that will lead to the creation of better, more secure software.”
CSD’s mission is to enhance the security and resilience of the nation’s critical information infrastructure and the Internet by developing and delivering new technologies, tools and techniques to defend, mitigate and secure current and future systems, networks and infrastructure against cyberattacks. To this end, the division conducts and supports technology transitions and leads and coordinates R&D among department customers, government agencies, the private sector, academia and international partners. For more information about CSD, visit cyber research or email SandT.PCS@hq.dhs.gov.
###