The Pentagon Wants to Automate Software Assurance

The Pentagon Wants to Automate Software Assurance

The Pentagon’s research office is working to build tools that automatically check military software applications for potential vulnerabilities.


Today, the department relies heavily on human analysts to dissect IT systems and determine whether they meet security standards set out by Defense officials. But by handing over much of that process to machines, the Pentagon could get more consistent, speedy and trustworthy results, according to the Defense Advanced Research Projects Agency.


“Current certification practices are antiquated and unable to scale with the amount of software deployed by the Department of Defense,” DARPA officials said. “The use of humans to evaluate the quantities of assurance evidence that support software systems results in superficial, incomplete, and/or unacceptably long evaluations."


DARPA recently started recruiting researchers for the Automated Rapid Certification of Software program, which aims to create tech that both automatically determines what security criteria a given system must meet and checks whether it hits that threshold. Ultimately, the tools could help the Pentagon reduce software certification costs and deploy new systems in the field faster, officials said.


According to the solicitation, the tech would follow a “compositional certification” process when checking whether a given system is safe to use. Essentially, that means determining that individual software components are secure and then making sure they remain safe when combined into a bigger application.


Different software systems often share the same components, so this compositional approach would allow tools to transfer what they know about a certain chunk of code from one analysis to another, DARPA said. By applying the information it already knows about a give ..