Northport, NY—December 18, 2017—Secure Decisions, a division of Applied Visions, Inc. and a recognized leader in cyber security, has been selected by the Defense Advanced Research Projects Agency (DARPA) for a Phase I Small Business Innovation Research (SBIR) contract to research why some software developers write software that is secure and sound, while others write software applications fraught with security vulnerabilities and quality issues. The goal of the project is to determine and develop methods to measure the human factors underlying code security. These factors will include specific coding activities performed by software developers and teams, human characteristics of development teams, and work environments. The results of this research could be used to identify and mitigate the impact of these factors on future software development projects, to help assure their security and quality.

Insecure software is at the root of many—some say most—cyber security incidents. The Software Engineering Institute estimates that 90% of cyber incidents are traceable to the attacker’s exploitation of software defects, probably introduced accidentally by software developers. The 2016 Verizon Data Breach report indicates that 40% of all data breaches were achieved by attacking a web application containing vulnerabilities inserted during its development. Yet little attention has been given to discovering the factors that influence whether a developer is likely to deliver code with vulnerabilities.

By contrast, other industries have developed methods to prevent workplace accidents and production problems. The environment of a factory floor is tightly monitored and controlled for both worker safety and product quality. Safety regulations in some industries mandate limits on overtime, for example, to prevent costly missteps from overworked employees. These regulations, private and governmental, have been put in place because it is understood that environments and human behaviors have direct impacts on the quality and safety of both worker and product. Yet no such regulations exist for developing software, in part because it is not yet understood what environments and human behaviors contribute to inserting software vulnerabilities, accidentally or purposefully.

The objective of this SBIR is to fill the gap in understanding how human factors influence secure software development. In Phase I, Secure Decisions, in collaboration with experts from the Rochester Institute of Technology (RIT), will analyze portions of code with known vulnerabilities to determine the developer activities and characteristics most likely to be associated with those vulnerabilities. According to Dr. Anita D’Amico, the Principal Investigator for this research, “Our research team will analyze a portion of the Chromium web browser, which is the open-source repository underlying Google Chrome. This is a well-documented codebase, with publicly disclosed and patched vulnerabilities. Our research will start with a historical analysis of when and how various vulnerabilities were introduced into specific parts of Chromium.”

Secure Decisions and RIT will look at how factors—such as the degree of collaboration among developers, time of day when code was committed, and developer experience—correlate with the quality and security of the code they produced. In later stages of this research, the Secure Decisions team aims to create a model based on these factors that can predict specific locations in a codebase where security and vulnerability issues are likely to be found. “We also envision applying our results to identify the work conditions and developer behaviors that precede the introduction of software vulnerabilities, so that steps can be taken to prevent them,” Dr. D’Amico said. Throughout the research phases, RIT’s Institutional Review Board processes will assure that private data is protected.

This research will be used by the rapidly growing application security segment of the cyber security market. Application security product and services companies are looking for better ways to find vulnerabilities in existing software and prevent their introduction in future versions.

This Phase I SBIR’s base period is nine months, with a three month option period to follow. DARPA will determine whether to fund the next phase based on Secure Decisions’ progress in Phase I.

See the Newsday article written by Ken Schachter.

About Secure Decisions:

Secure Decisions was created as a division of Applied Visions, Inc. to conduct R&D and develop innovative technologies in cyber security, including network defense, infrastructure protection, application security, intelligence analysis, and data visualization. Secure Decisions develops tools for decision-makers to analyze large amounts of complex data, and to provide cutting-edge security measures to protect their proprietary information. In 2015, the application security R&D conducted by Secure Decisions led to the development of a new application vulnerability correlation and management system, which is now commercially available through a spin-out company called Code Dx, Inc.