The federal government is planning to focus some of its research and development efforts on developing methods for building security into software and hardware systems used in federal agencies. This is a major change for the government, which has historically focused its energies on defenses such as IDS, custom desktop images and firewalls.
The new document, published by the Executive Office of the President and the National Science and Technology Council and called “Trustworthy Cyberspace: Strategic Plan for the Federal Cybersecurity Research and Development Program”, comprises several different R&D focus areas, known in federal-speak as “themes”. The other themes include tailored trustworthy spaces, moving target and cyber economic incentives. These are mainly variations on familiar themes within other government strategies or policy documents, and involve providing incentives and motivations for making security flexible and ubiquitous in computing environments.
But it’s the section on designed-in security that is likely to draw the most attention, as it’s not something the government has focused on much in the past. Many of the recommendations and strategies that the White House and other agencies have released in recent years have focused most of their discussions on traditional defenses, and have not paid much attention to software security or the concept of building security in from the start. But that may be changing now.
“The DIS research theme focuses on building the capability to design, develop, and evolve high-assurance software-intensive systems predictably and reliably while effectively managing risk, cost, schedule, quality, and complexity. Assurance-focused engineering practices can simultaneously develop a system and the evidence needed to support its assurance case, yielding game-changing reductions in cost and increases in agility and flexibility over existing approaches that focus on after-the-fact assurance. This can also enable rapid evolution and tailoring of systems initially developed using these practices,” the new document says.
“A key focus within this theme is on the usability of tools for developing attack-resistant software systems. Improving the usability of tools for specifying, implementing, analyzing, and testing software, and for composing systems of software components, is essential in order to gain their widespread adoption by developers, whose participation is needed in order to change the game. The impact of DIS is intended to extend to the development and evolution of mainstream software ecosystems and infrastructures. Future software ecosystems and infrastructures that employ this cost-effective method for producing and evolving high-assurance systems can lay a new, sound foundation for cyber civilization.”
The new document released this week is meant to serve as the strategic plan for agencies and entities within the government that perform research and development on technology and security. It’s part of the Obama administration’s overarching cyberspace and cybersecurity plans, and, while it’s not long on specifics, it’s an interesting read in some respects.
The strategy says that one of the key drivers behind the focus on designing-in security is the improvements in software analysis and vulnerability detection tools in recent years.
“Over the past ten years, the field has shown substantial progress in methods for detecting flaws in software through static and dynamic analysis, producing checkable proofs that demonstrate that software is free of classes of flaws and proving that algorithms and their implementations have desired properties. This progress gives impetus to the new Designed-in Security research theme, whose intent is to stimulate, accelerate, and focus research in the many disciplines that contribute to the design and delivery of large-scale software systems that require verifiable assurance of the system’s resistance to attack,” the plan says.
Chris Wysopal, CTO of Veracode, said that he’s encouraged to see the government paying some attention to the idea of building security into applications from the beginning.
“There are 3 key things in there. The first is that vulnerability reduction is possible and a major part of a cybersecurity program. Finally, it is not all about firewalls, IDS, and antivirus. The second is the recognition that automated static and dynamic analysis have greatly improved in the last ten years and can be used to reduce the number of vulnerabilities if used during the development process,” Wysopal said. “And third, it recognizes that components of software systems are delivered from third parties and they need to provide evidence that they performed DIS. These are things I have been evangelizing for years now, so it is good to see the signal get through.”