Prioritization of Weapon System Software Assurance Assessment
ABSTRACT: The Air Force, other government organizations, and security-critical software development companies could be more cost-effective by using COTS and open-source software in their information and weapons systems. However, these software sources have significant safety and security risks; the software must be carefully assessed and certified prior to use. Due diligence requires even contracted software to be carefully assessed for safety and security risks. We propose to build an assessment process that combines screening tools and existing detailed analysis tools. The result will be a tool-supported assessment process that enables software assessors to prioritize their detailed analysis efforts, that incorporates security policies in the assessment, and that unifies all the artifacts from human and automated reviews. The proposed tools will solve key challenges such as prioritizing assessment efforts, relating coarse screening results to fine-grained risks, creating assessment tools that accurately predict levels of risk, and auditing tools that can usefully summarize results from disparate automated tools. Organizations responsible for assessments will benefit from a more efficient assessment process, an integrated but extensible set of tools for assessments, and higher confidence in the end result. BENEFIT: A process and tools for assessing the safety and security aspects of executable binaries is useful for any organization that is concerned about the quality of its software and protecting the information it holds. However, military organizations and companies that supply military software have a particularly strong concern for software security. It is known that hostile actors are targeting high-profile and high-value miltary targets. In addition, safety and correctness of software is also important. Faults in embedded software (e.g. weapons systems) can have grave consequences; even faults in desktop systems can lead to inaccurate information or delayed responses in critical situations. Commercial companies have corresponding conerns. Security breaches are highly costly and detrimental to a company's business. Safety errors in code can create major liabilities for the company and risks to human life. Thus military and commercial companies would benefit from the tools proposed here: unified assessment processes that enable documented, prioritized software assessments of safety and security risks; adherence to stated security policies; and an integrated set of detailed automatic assessment tools.
Small Business Information at Submission:
317 N. Aurora Street Ithaca, NY -
Number of Employees: