TRANSCRIPT
Kevin E. Greene, Cyber Security Division, DHS Science & Technology
Science & Technology Directorate, Cyber Security Division
The Ongoing Need for Software Assurance R&D
Software is evolving
“The future of digital systems is complexity, and complexity is the worst enemy of security.”
Bruce Schneier, Crypto-Gram Newsletter, March 2000
The software footprint is growing
Software is evolving
§ IoT is real and scary
§ Gartner, Inc. forecast:
  § 6.4B connected devices in 2016
  § 20.8B connected devices by 2020
More Code, More Problems
Attack Surface
§ Fiat Chrysler recalled 1.4 million vehicles after researchers demonstrated a proof-of-concept attack that remotely controlled a car
§ A JD Power study suggests that software is to blame for 15% of car recalls
§ GM recalled 4 million vehicles after software was linked to 1 death
§ Cybersecurity issues and recalls are expected for 203M cars by 2022
§ A new car contains about 100 million lines of code
Continuous Everything
§ Building faster
§ Security in a build pipeline can clog it up
§ Quick & dirty solutions – “we’ll fix it later”
§ Carry-over of technical debt
The Bad and the Ugly
DevOps is a useful practice for organizations, but traditional security, change management, and compliance practices have not kept pace with it.
Software Exposure
Over 90% of security breaches can be traced back to poorly developed and designed systems.
Source: SEI/CMU
Current State of Tooling
Software Assurance tools can’t keep up
§ Tools are shallow and oversimplify
§ Henny Sipma, Computer Scientist, Kestrel Technology: “Static analysis capabilities are 20 years behind the rapid pace of software”
§ Software systems are larger and more complex
§ Dynamic programming languages introduce new challenges
§ Dr. James Hill, Computer Professor, IUPUI: “Tool vendors rather err on the side of caution”
Our Visionary Goal Alignment
TechTransition
Software Assurance aligns with the S&T Visionary Goal “Trusted Cyber Future” and with the 2014 QHSR Mission 4, “Safeguarding and Securing Cyberspace”.
Software Assurance Vision: Enable the adoption of software quality assurance tools and techniques throughout the software development life cycle.
Software Assurance Goal: Advance the capabilities, methods, and services in software quality assurance tools.
Objective 1: Partner with government, academia, and industry to develop R&D capabilities and technologies that advance, modernize, and improve software quality assurance tools.
Objective 2: Transition successful R&D technologies to the SWAMP, to the open-source community, and through commercialization for broader use and adoption.
Objective 3: Take a leadership role in the software assurance community in the federal government and industry to identify gaps in state-of-the-art software quality assurance tools and capabilities.
The Need for Software Assurance R&D
1. Forward-leaning capabilities are lacking
2. Software assurance has not kept pace with modern software
3. Software assurance is the 1st line of defense
4. Heartbleed – need I say more??
DHS S&T Response
§ Modernize static analysis capabilities
§ Push forward the state of the art in software analysis:
  § SAST, DAST, AVC, binary, and mobile
§ Leverage a proactive approach to reduce the attack surface in software
What we look like today….
Static Tool Analysis Modernization Project (STAMP)
STAMP Technical Areas
1. Evolve and develop next-generation test cases
2. Tool evaluation and gap analysis
3. Develop a modernization framework
4. Consumer Report on “sweet spots”
Project Motivations
• HGTV – Property Brothers
• NSA’s CAS Tool Study
• NIST’s SATE Program
• SWAMP
Software Quality Assurance (SQA)
§ The most mature of the four programs
§ Commercialization & Transition Successes:
  § Secure Decision (Code Pulse, Code Dx), Denim Group (Thread Fix), Grammatech (Code Sonar), Kestrel (Code Hawk), KDM Analytics (TOIF), UC-Irvine (Reveal Droid), Coverity (Scan Project)
§ 9 SQA technologies are in the SWAMP
§ Hybrid Analysis Mapping (HAM) recognized in Gartner’s Application Vulnerability Correlation (AVC) Hype Cycle
§ Transition customers – financial banks, government, consulting firms, healthcare, insurance
§ Funded work at U-Nebraska Omaha to support NIST 800-160 and NIST 800-53
§ Funded the Common Architecture Weakness Enumeration (CAWE) project at Rochester Institute of Technology (RIT)
Software Quality Assurance (SQA)
§ Reducing false positives in SQA tools
§ Binary analysis capability to address malicious software:
  § JHU/APL and RAM Labs
§ NIST/RIT vulnerability pattern analysis on the NVD
§ RevealDroid detected the FalseGuide botnet – over 44 samples
  § The botnet affected nearly 2 million Android devices
Current Work
Application Security Threat & Attack Modeling
ASTAM Technical Areas
1. Automated Threat Modeling
2. Automated Penetration Testing
3. Continuous Monitoring Dashboard
4. Expand Hybrid Analysis
Project Goals
• Real-time/on-demand security testing
• Mimic hacker’s behavior
• Reduce the window of exposure
• Deep insight into the exposed attack surface
Software Assurance Marketplace (SWAMP)
§ Lowers the bar for organizations to formalize software assurance
§ Collaborative research environment for improving software assurance
§ Leverages the concept of many tools versus the sum of “1”
§ Over 20 tools deployed in the SWAMP, including commercial tools – Grammatech, Coverity, Parasoft, Code Dx, Thread Fix...
  § Black Duck, Veracode, and Sonatype are on the roadmap
  § Support for Java, C/C++, Ruby/Rails, JS, and Python
§ Enforces the principles of “continuous assurance”
§ Integrated in computer science curriculums
§ Used in NIST’s SATE program
§ An open-source version is available, called SWAMP-in-a-Box (SiB)
What’s Next??
§ Exploring the next program to reduce the window of exposure for vulnerable systems
  § Carry on work from DARPA’s Cyber Grand Challenge (CGC)
§ Continue to grow and expand SWAMP in a Box
§ Tech Transition and Commercialization of R&D technologies in pipeline
§ Need more software assurance in contracts and FISMA process
Kevin E. Greene, Program Manager, DHS S&T, Cyber Security Division
Email: [email protected]
For more information, visit http://www.dhs.gov/cyber-research
http://www.dhs.gov/st-csd