Kevin E. Greene, Cyber Security Division, DHS Science & Technology Directorate: The Ongoing Need for Software Assurance R&D

Posted on 15-Mar-2018

TRANSCRIPT

Kevin E. Greene, Cyber Security Division, DHS Science & Technology

Science & Technology Directorate, Cyber Security Division

The Ongoing Need for Software Assurance R&D

Software is evolving

2

"The future of digital systems is complexity, and complexity is the worst enemy of security." – Bruce Schneier, Crypto-Gram Newsletter, March 2000

The software footprint is growing

Software is evolving

3

• IoT is real and scary
• Gartner, Inc. forecast:
  • 6.4B connected devices in 2016
  • 20.8B connected devices by 2020

More Code, More Problems

4

Attack Surface

• Fiat Chrysler recalled 1.4 million vehicles after researchers demonstrated a proof-of-concept attack that remotely controlled a car
• A JD Power study suggests that software is to blame for 15% of car recalls
• GM recalled 4 million vehicles after software was linked to 1 death
• Cybersecurity and recalls expected for 203M cars by 2022
• A new car contains about 100 million lines of code

Continuous Everything

• Building faster
• Security in a build pipeline can clog it up
• Quick & dirty solutions – we'll fix it later
• Carry-over of technical debt

The Bad and Ugly

DevOps is a useful practice for organizations, but traditional security, change management, and compliance practices have not kept pace.

DevOps Challenges

6

Software Exposure

7

Over 90% of security breaches can be traced back to poorly developed and designed systems.
Source: SEI/CMU

Current State of Tooling

8

Software Assurance tools can't keep up
• Tools are shallow and oversimplify
• Henny Sipma, Computer Scientist, Kestrel Technology – "Static analysis capabilities are 20 years behind the rapid pace of software"
• Software systems are larger and more complex
• Dynamic programming languages introduce new challenges
• Dr. James Hill, Computer Professor, IUPUI – "Tool vendors rather err on the side of caution"…

Current State of Tooling

9

10

The Ongoing Need for Software Assurance R&D

Our Visionary Goal Alignment

11

TechTransition

Software Assurance aligns with the S&T Visionary Goal "Trusted Cyber Future" and with the 2014 QHSR Mission 4, "Safeguarding and Securing Cyberspace".

Software Assurance Vision: Enable the adoption of software quality assurance tools and techniques throughout the software development life cycle.

Software Assurance Goal: Advance the capabilities, methods, and services in software quality assurance tools.

Objective 1: Partner with government, academia and industry to develop R&D capabilities and technologies to advance, modernize and improve software quality assurance tools.

Objective 2: Transition successful R&D technologies to the SWAMP, to the open-source community, and through commercialization for broader use and adoption.

Objective 3: Take a leadership role in the software assurance community in federal government and industry to identify gaps in state-of-the-art software quality assurance tools and capabilities.

The Need for Software Assurance R&D

12

1. Forward-leaning capabilities are lacking
2. Software assurance has not kept pace with modern software
3. Software assurance is the 1st line of defense
4. Heartbleed – need I say more?

DHS S&T Response

13

• Modernize static analysis capabilities
• Push forward the state of the art in software analysis
  • SAST, DAST, AVC, binary, and mobile
• Leverage a proactive approach to reduce the attack surface in software

What we look like today… (program portfolio diagram; two projects marked "New")

Static Tool Analysis Modernization Project (STAMP)

14

STAMP Technical Areas:
1. Evolve and develop next-generation test cases
2. Tool evaluation and gap analysis
3. Develop modernization framework
4. Consumer Report on "sweet spots"

Project Motivations:
• HGTV – Property Brothers
• NSA's CAS Tool Study
• NIST's SATE Program
• SWAMP

Software Quality Assurance (SQA)

15

• The most mature of the four programs
• Commercialization & Transition Successes
  • Secure Decisions (Code Pulse, Code Dx), Denim Group (ThreadFix), GrammaTech (CodeSonar), Kestrel (CodeHawk), KDM Analytics (TOIF), UC-Irvine (RevealDroid), Coverity (Scan Project)
• 9 SQA technologies are in the SWAMP
• Hybrid Analysis Mapping (HAM) recognized in Gartner's Application Vulnerability Correlation (AVC) Hype Cycle
• Transition customers – financial banks, government, consulting firms, healthcare, insurance
• Funded work at U-Nebraska Omaha to support NIST 800-160 and NIST 800-53
• Funded the Common Architecture Weakness Enumeration (CAWE) project at Rochester Institute of Technology (RIT)

Software Quality Assurance (SQA)

16

Current Work
• Reducing false positives in SQA tools
• Binary analysis capability to address malicious software
  • JHU/APL and RAM Labs
• NIST/RIT vulnerability pattern analysis on NVD
• RevealDroid detected the FalseGuide botnet – over 44 samples
  • The botnet affected nearly 2 million Android devices

Application Security Threat & Attack Modeling

17

ASTAM Technical Areas:
1. Automated Threat Modeling
2. Automated Penetration Testing
3. Continuous Monitoring Dashboard
4. Expand Hybrid Analysis

Project Goals:
• Real-time/on-demand security testing
• Mimic hacker's behavior
• Reduce the window of exposure
• Deep insight into exposed attack surface

Software Assurance Marketplace (SWAMP)

18

• Lowers the bar for organizations to formalize software assurance
• Collaborative research environment for improving software assurance
• Leverages the concept of many tools versus the sum of "1"
• Over 20 tools deployed in SWAMP, including commercial tools – GrammaTech, Coverity, Parasoft, Code Dx, ThreadFix…
  • Black Duck, Veracode and Sonatype on roadmap
  • Support for Java, C/C++, Ruby/Rails, JS, and Python
• Enforces the principles of "continuous assurance"
• Integrated in computer science curricula
• Used in NIST's SATE program
• An open-source version is available, called SWAMP-in-a-Box (SiB)

What’s Next??

19

• Exploring next program to reduce the window of exposure for vulnerable systems
  • Carry on work from DARPA's Cyber Grand Challenge (CGC)
• Continue to grow and expand SWAMP-in-a-Box
• Tech transition and commercialization of R&D technologies in pipeline
• Need more software assurance in contracts and the FISMA process

Our R&D Showcase

20

21

Kevin E. Greene, Program Manager, DHS S&T, Cyber Security Division. Email: [email protected]

For more information, visit http://www.dhs.gov/cyber-research

http://www.dhs.gov/st-csd