Phase II year: 2010 (last award dollars: 2014)
Phase II Amount: $1,036,995
To increase confidence that software is secure, researchers and vendors have developed different kinds of automated software security analysis tools. These tools analyze software for weaknesses and vulnerabilities, but produce massive amounts of data with many false positives. Further, the individual tools catch different vulnerabilities, often with little overlap. The NSA tested five static code analysis tools and found that 84% of the vulnerabilities were identified by only one tool. These results point to the need to combine and correlate the results of multiple tools to ensure comprehensive vulnerability analysis. However, the disparate interfaces and non-normalized results of each tool make correlating their results taxing for the software developer. The Secure Decisions Division of Applied Visions Inc. is developing a Software Assurance Analysis and Visual Analytics platform that integrates the results of disparate software analysis tools into a visual environment for triage and exploration of code vulnerabilities. Software developers can explore voluminous vulnerability results to uncover hidden trends, triage the most important code weaknesses, and show who is responsible for introducing software vulnerabilities. Visual analytics focus the user's attention on the most pressing vulnerabilities. By correlating and normalizing data from multiple tools, the overall vulnerability detection coverage of software is increased.

Under our Phase II SBIR we developed a compelling new technology for software assurance called Code Dx. We used initial feedback from government agencies and industry experts, collected during beta testing and Version 1.0 evaluations, to produce Version 1.1, which is technically mature and ready for trial evaluations and sale. However, the path to commercial success requires more than technical capabilities.
It requires execution of a commercialization plan; staffing and infrastructure to sustain marketing, sales and support; and the financing to support both. In this proposal we outline eight strategic commercialization objectives and a commercialization roadmap that identifies specific tactics and activities that must be completed to achieve those objectives. We further identify a subset of those activities that we seek to fund through the DHS Commercialization Readiness Pilot Program (CRPP), with the remaining activities to be funded with internal and potential venture investment. The proposed Statement of Work (SOW) represents the specific commercialization activities that the CRPP funds would support. The SOW includes activities related to creating awareness of and demand for Code Dx: developing a set of reference users; promoting Code Dx within the Application Security Testing (AST) community and raising awareness among those not engaged in AST due to cost or difficulty in use; outreach to security training organizations; filling in small competitive gaps such as IDE plug-ins; and establishing partnerships to accelerate marketing and sales.
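The technical abstract above describes the core mechanism (normalize each tool's output into a common schema, then correlate findings across tools so overlap and single-tool-only detections become visible). The following is an added illustration of that idea, not code from Code Dx or Applied Visions: it assumes two hypothetical analysers, "toolA" and "toolB", whose output schemas are constructed here, and normalizes on (file path, line, CWE) before correlating.

```python
import json
import posixpath
from collections import defaultdict

# Constructed sample output from a hypothetical analyser "toolA" (not a real tool's format).
TOOL_A_OUTPUT = json.dumps({"findings": [
    {"file": "src/app.py", "line": 10, "cwe": "CWE-89", "msg": "SQL built from user input"},
    {"file": "src/app.py", "line": 42, "cwe": "CWE-79", "msg": "unescaped output"},
    {"file": "src/util.py", "line": 7, "cwe": "CWE-22", "msg": "path taken from request"},
]})

# Constructed sample output from a hypothetical analyser "toolB", using a different schema:
# nested location, "./"-prefixed paths, and bare integer CWE ids.
TOOL_B_OUTPUT = json.dumps({"results": [
    {"location": {"uri": "./src/app.py", "startLine": 10}, "ruleId": 89, "level": "error"},
    {"location": {"uri": "./src/db.py", "startLine": 5}, "ruleId": 798, "level": "warning"},
    {"location": {"uri": "src/util.py", "startLine": 7}, "ruleId": 22, "level": "error"},
]})


def canonical_path(path):
    """Collapse './' prefixes and redundant separators so both tools agree on a file key."""
    return posixpath.normpath(path)


def canonical_cwe(value):
    """Accept 'CWE-89', 'cwe-89' or 89 and always return 'CWE-89'."""
    text = str(value).strip().upper()
    if text.startswith("CWE-"):
        text = text[4:]
    return "CWE-%d" % int(text)


def normalize_tool_a(raw_text):
    """Map toolA's records into the common schema: tool, path, line, cwe."""
    data = json.loads(raw_text)
    return [{"tool": "toolA", "path": canonical_path(f["file"]),
             "line": int(f["line"]), "cwe": canonical_cwe(f["cwe"])}
            for f in data["findings"]]


def normalize_tool_b(raw_text):
    """Map toolB's nested records into the same common schema."""
    data = json.loads(raw_text)
    return [{"tool": "toolB", "path": canonical_path(r["location"]["uri"]),
             "line": int(r["location"]["startLine"]), "cwe": canonical_cwe(r["ruleId"])}
            for r in data["results"]]


def correlate(records):
    """Group normalized findings by (path, line, cwe); value is the set of tools reporting it."""
    groups = defaultdict(set)
    for rec in records:
        groups[(rec["path"], rec["line"], rec["cwe"])].add(rec["tool"])
    return dict(groups)


def coverage_report(groups):
    """Summarize overlap: how many distinct findings, how many only one tool saw, per-tool counts."""
    tools = set().union(*groups.values()) if groups else set()
    total = len(groups)
    single = sum(1 for reporters in groups.values() if len(reporters) == 1)
    return {
        "distinct_findings": total,
        "found_by_one_tool_only": single,
        "pct_single_tool": round(100.0 * single / total, 1) if total else 0.0,
        "per_tool": {t: sum(1 for rs in groups.values() if t in rs) for t in sorted(tools)},
    }


def triage_order(groups):
    """Findings corroborated by more tools first; ties broken by location for stable output."""
    return sorted(groups.items(), key=lambda kv: (-len(kv[1]), kv[0]))


if __name__ == "__main__":
    merged = normalize_tool_a(TOOL_A_OUTPUT) + normalize_tool_b(TOOL_B_OUTPUT)
    grouped = correlate(merged)
    print(json.dumps(coverage_report(grouped), indent=2))
    for (path, line, cwe), reporters in triage_order(grouped):
        print("%s:%d %s  reported by %s" % (path, line, cwe, ", ".join(sorted(reporters))))
```

With the constructed inputs, four distinct findings remain after normalization; two were reported by both tools and two by only one, so the single-tool share is 50%. The key choice is what to normalize on: path and line alone would merge different weakness types at the same location, while adding the CWE keeps them distinct but still lets differently formatted identifiers from each tool collapse into one record.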