Streamlining software development is vital to our nation’s infrastructure in both the public and the private sector. On January 31, 2019, the Department of Homeland Security’s Science and Technology Directorate announced that it has combined two research projects to provide real-world “BugInjector” cases to aid in the faster development of more secure software. Specifically, DHS seeks to improve static code analysis techniques and integrate these improved methods into the development chain. The research projects involved are the Static Tools Analysis Modernization Project (STAMP) and the Software Assurance Marketplace (SWAMP). Together, these projects will improve static analysis, increase the availability of assurance methods, and improve the security and quality of software available to both public and private entities.
The STAMP project works to improve static code analysis and to interface these improvements smoothly with development operations (DevOps). Such enhancements would deliver more precise analysis through fewer false positives and give more visibility into false negatives, which frequently allow risks to remain in software after testing. These residual risks increase software vulnerability, offering plenty of opportunity for those working to harm critical infrastructure. The focus on static testing improvements allows researchers to find flaws earlier in the product life cycle, before a program is run (during coding). These flaws could be missed using dynamic analysis, which occurs after you run a program (post coding). Through automation with static code analyzers, the chance of human error is removed. This increases the speed and accuracy of software development, leading to a shorter “to market” life cycle. With the addition of a real-world repository of test cases (9,700 BugInjector cases) from STAMP, SWAMP is further able to strengthen the software development process by making available a publicly accessible marketplace for developers to affirm their products.
A national marketplace such as SWAMP offers economies of scale through collaboration, sharing of techniques, and resource availability. This facilitates earlier adoption of assurance methods, easier entry for new entrants, and faster turnaround of error rectification for all developers. Overall, this increases the security of our infrastructure and contributes to a stronger economy. The Acting Under Secretary for Science and Technology at DHS, William N. Bryan, stated, “software powers most of the nation’s economy and critical infrastructure.”
In conclusion, software is the key to secure infrastructure and a stable economy in today’s world. By offering real-world research and development opportunities with proven free market principles, we can improve software analysis, bring products to market faster, and improve infrastructure security. Joint projects like SWAMP and STAMP enable this to happen.