Researchers Help Address Software Weaknesses

Millions and millions of lines of computer software code are written around the world every day, advancing technology but also creating an obvious problem.

Some of it will be bad, some of it will create unintended consequences and some of it will be malicious.

Who keeps track of this stuff? And wouldn’t it be nice to find potential problems before they become actual problems, if not disasters?

Researchers from Indiana University’s Pervasive Technology Institute are joining the battle and will serve as collaborating partners on a major grant from the U.S. Department of Homeland Security to address vulnerabilities arising during the process of software development.

The Department of Homeland Security awarded a $23.6 million grant to the Morgridge Institute for Research at the University of Wisconsin-Madison to create the Software Assurance Marketplace. Over the next five years, the marketplace will work closely with developers of new software analysis technology and the open source community to advance the security of software, according to IU Communications.

As part of the grant, IU’s Center for Applied Cybersecurity Research, Grid Operation Center and Global Research Network Operations Center will receive $1.9 million to provide operational monitoring, cybersecurity analysis and user support to the marketplace, The Herald-Times reported.

“This project demonstrates IU’s unique abilities to leverage institutional strengths in cybersecurity, monitoring and operational support,” IU’s Von Welch said in an IU news release. “As a first-of-its-kind system, the Software Assurance Marketplace will introduce new challenges in cybersecurity and operational monitoring, making it a perfect application of the Pervasive Technology Institute’s applied research.”

Welch is the deputy director of the Center for Applied Cybersecurity Research and will serve as the leader for IU’s participation in the project.

IU also will perform annual risk analysis, lead cybersecurity technical design and operations, develop and maintain policies and procedures for incident detection and response, and lead the handling of cybersecurity-related incidents in the marketplace. IU personnel will also establish a 24/7 call center and trouble ticket system and provide first-tier user support.

Initial operating capabilities for the Software Assurance Marketplace will include the ability to continuously test up to 100 open-source software packages against five software assurance tools on eight platforms, including Macintosh, Linux and Windows. The secure research facility will be able to analyze more than 275 million lines of code per day and also will introduce new tools to reduce the “false positive” readings that now limit the effectiveness of software assurance testing methods.

“False positives are more of a problem than people realize,” Welch said. “With all of those millions of lines of software being written, you’re going to be turning up things that kind of look suspicious but actually are OK. To stay on top of all of the languages and all of the technologies is a huge, tremendous problem.”

Open source software development is also a blessing and a curse, Welch said. On one hand, he said, it enables educational institutions to create software that can be shared, refined and tailored to fit the specific needs of users without having to pay sometimes exorbitant fees to private sector businesses with proprietary products.

“On the other hand, it’s also an open development process and environment, and one has to be careful about who comes along and contributes to such things,” Welch said.

The IU cybersecurity specialist said the Wisconsin-based marketplace will be constructed in 2013 and is expected to be up and online in 2014.