SBIR-STTR Award

Software Assurance Analysis and Visual Analytics - CRPP
Award last edited on: 4/13/2016

Sponsored Program
SBIR
Awarding Agency
DHS
Total Award Amount
$1,136,202
Award Phase
2
Solicitation Topic Code
H-SB09.2-004
Principal Investigator
Kenneth Prole

Company Information

Applied Visions Inc (AKA: AVI)

6 Bayview Avenue
Northport, NY 11768
   (631) 759-3987
   info2@avi.com
   www.avi.com
Location: Multiple
Congr. District: 01
County: Suffolk

Phase I

Contract Number: ----------
Start Date: ----    Completed: ----
Phase I year
2009
Phase I Amount
$99,207
Software is a mature discipline, yet more than 98 percent of all PCs have one or more vulnerable programs, and in the US there are 2.7 billion programs open for attack. Efforts to address the problem at the source, during software development, are shockingly inadequate, with many commercial Software Assurance tools focused on detection rather than working to become part of the development process. More effective Software Testing and Vulnerability Analysis is required to identify and remediate vulnerabilities before systems are deployed. The Secure Decisions Division of Applied Visions Inc. proposes to design and develop a Software Assurance Analysis and Visual Analytics system that can be integrated into the Software Development Life Cycle to identify, confirm, and understand weaknesses and vulnerabilities in source code. No single Software Assurance tool is likely to identify all vulnerabilities: we do not propose to develop yet another vulnerability detection method, but to develop a platform for correlating the results of multiple analysis tools. Our approach is to leverage existing tools by providing a framework for linking disparate testing and vulnerability analysis tools, and to provide a visual analytics platform that embeds a mechanism for feedback from human analysis into automated analysis.

Phase II

Contract Number: ----------
Start Date: ----    Completed: ----
Phase II year
2010
(last award dollars: 2014)
Phase II Amount
$1,036,995

To increase confidence that software is secure, researchers and vendors have developed different kinds of automated software security analysis tools. These tools analyze software for weaknesses and vulnerabilities, but produce massive data with many false positives. Further, the individual tools catch different vulnerabilities, often with little overlap. The NSA tested five static code analysis tools and found that 84 percent of the vulnerabilities were identified by only one tool. These results point to the need to combine and correlate the results of multiple tools to ensure comprehensive vulnerability analysis. However, the disparate interfaces and non-normalized results of each tool make correlation of their results taxing to the software developer. The Secure Decisions Division of Applied Visions Inc. is developing a Software Assurance Analysis and Visual Analytics platform that integrates the results of disparate software analysis tools into a visual environment for triage and exploration of code vulnerabilities. Software developers can explore voluminous vulnerability results to uncover hidden trends, triage the most important code weaknesses, and show who is responsible for introducing software vulnerabilities. Visual analytics focus the user's attention on the most pressing vulnerabilities. By correlating and normalizing data from multiple tools, the overall vulnerability detection coverage of software is increased.

Under our Phase II SBIR we developed a compelling new technology for software assurance called Code Dx. We used initial feedback from government agencies and industry experts, collected during beta testing and Version 1.0 evaluations, to produce Version 1.1, which is technically mature and ready for trial evaluations and sale. However, the path to commercial success requires more than technical capabilities. It requires execution of a commercialization plan; staffing and infrastructure to sustain marketing, sales and support; and the financing to support both. In this proposal we outline eight strategic commercialization objectives and a commercialization roadmap that identifies specific tactics and activities that must be completed to achieve those objectives. We further identify a subset of those activities that we seek to fund through the DHS Commercialization Readiness Pilot Program (CRPP), with the remaining activities to be funded with internal and potential venture investment. The proposed Statement of Work (SOW) represents the specific commercialization activities that the CRPP funds would support. The SOW includes activities related to creating awareness of and demand for Code Dx: developing a set of reference users; promoting Code Dx within the Application Security Testing (AST) community and raising awareness among those not engaged in AST due to cost or difficulty in use; outreach to security training organizations; filling in small competitive gaps such as IDE plug-ins; and establishing partnerships to accelerate marketing and sales.
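The Phase II abstract argues that findings from several analysis tools must be normalized to a common form and correlated before their combined coverage (and the low inter-tool overlap the NSA study found) can be measured or triaged. The following is an added illustration of that idea written for this page; it is not Code Dx or Applied Visions code. The two input formats are constructed stand-ins for tool output (one flat-record export, one SARIF-like nesting), and their field names, the tool names, and the CWE severity weights are assumptions, not any vendor's actual schema.

```python
"""Normalize findings from two hypothetical SAST tools and correlate them.

Illustrative code for this page, not the project's own. Inputs are constructed;
field names such as "file", "cwe", "ruleId" and "startLine" are assumptions.
"""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Finding:
    """Common key that both tools' results are reduced to."""
    path: str
    line: int
    cwe: int


# Constructed sample output from hypothetical "tool A" (flat record per finding).
TOOL_A_RESULTS = [
    {"file": "src/auth/login.c", "line": 42, "cwe": "CWE-121", "msg": "stack buffer overflow"},
    {"file": "src/db/query.c", "line": 88, "cwe": "CWE-89", "msg": "SQL injection"},
    {"file": "src/util/str.c", "line": 17, "cwe": "CWE-170", "msg": "improper null termination"},
]

# Constructed sample output from hypothetical "tool B" (SARIF-like nesting).
TOOL_B_RESULTS = {
    "runs": [{
        "results": [
            {"ruleId": "CWE-89", "locations": [{"physicalLocation": {
                "artifactLocation": {"uri": "src/db/query.c"}, "region": {"startLine": 88}}}]},
            {"ruleId": "CWE-79", "locations": [{"physicalLocation": {
                "artifactLocation": {"uri": "web/render.c"}, "region": {"startLine": 210}}}]},
        ]
    }]
}

# Constructed severity weights used only to order findings of equal tool agreement.
CWE_WEIGHT = {89: 10, 121: 9, 79: 7, 170: 5}


def _cwe_number(label):
    """'CWE-89' -> 89."""
    return int(label.split("-", 1)[1])


def normalize_tool_a(records):
    """Reduce tool A's flat records to the common Finding key."""
    return {Finding(r["file"], int(r["line"]), _cwe_number(r["cwe"])) for r in records}


def normalize_tool_b(sarif):
    """Walk tool B's SARIF-like nesting and reduce each result to a Finding."""
    out = set()
    for run in sarif["runs"]:
        for res in run["results"]:
            loc = res["locations"][0]["physicalLocation"]
            out.add(Finding(loc["artifactLocation"]["uri"],
                            int(loc["region"]["startLine"]),
                            _cwe_number(res["ruleId"])))
    return out


def correlate(tool_findings):
    """Map each normalized finding to the set of tools that reported it."""
    by_finding = defaultdict(set)
    for tool, findings in tool_findings.items():
        for f in findings:
            by_finding[f].add(tool)
    return dict(by_finding)


def coverage_stats(correlated):
    """How many findings were seen by only one tool vs. confirmed by several."""
    total = len(correlated)
    single = sum(1 for tools in correlated.values() if len(tools) == 1)
    return {
        "total_unique": total,
        "single_tool_only": single,
        "reported_by_multiple": total - single,
        "single_tool_fraction": single / total if total else 0.0,
    }


def triage_order(correlated, weights=CWE_WEIGHT):
    """Findings confirmed by more tools first, then by severity weight, then path/line."""
    return sorted(correlated,
                  key=lambda f: (-len(correlated[f]), -weights.get(f.cwe, 0), f.path, f.line))


if __name__ == "__main__":
    merged = correlate({"toolA": normalize_tool_a(TOOL_A_RESULTS),
                        "toolB": normalize_tool_b(TOOL_B_RESULTS)})
    print(coverage_stats(merged))
    for f in triage_order(merged):
        print(sorted(merged[f]), f)
```

With the constructed inputs, four distinct findings remain after normalization; only the query.c SQL injection is reported by both tools, so it sorts to the top of the triage list, and three of four findings (75 percent) rest on a single tool, which is the kind of low-overlap picture the abstract describes.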