Computerworld - The Air Force Research Laboratory this week awarded Santa Clara, Calif.-based Network Associates Inc. a $1.8 million contract to support research that may have widespread implications for the future of government and private-sector cybersecurity.
The contract is part of the Software Protection Initiative (SPI), a government program focusing on cutting-edge technologies to protect critical software that supports national and defense capabilities. However, the research being planned for the program could clearly benefit the private sector as well, experts said.
The focus of one research project is to produce a secure development repository with the overall goal of developing information assurance techniques and malicious-code scanning capabilities for software production systems, said Pete Dinsmore, director of research operations at Network Associates Laboratories. These techniques and capabilities will enhance software development security and cut down on software vulnerabilities, he said.
A second project will focus on protecting software from reverse-engineering -- which can be a critical part of the malicious hacker's tool box. Using reverse-engineering techniques, tools such as disassemblers and decompilers can extract and exploit information about the design and operation of software. Researchers from the Air Force and Network Associates plan to study the feasibility of constructing new defenses against reverse-engineering and embedding those defenses in critical software.
"This is cutting-edge," said Dinsmore. "In one case, we're doing research to understand software obfuscation and deobfuscation tools to understand the state of the art in how well a hacker can take apart the software you've created," he said.
"We're also focusing on advancing the state of the art in developing software by developing a secure [change management] repository that can ensure that the code that comes out of the repository only goes to the people it's supposed to go to, and only the code that was supposed to go into [the application] was actually integrated."
Alan Paller, director of research at the SANS Institute in Bethesda, Md., said government funding of this type of research could have a significant spillover effect for the entire software and Internet industry. "Government funding of advanced research on code analysis tools could lead to valuable resources for everyone," he said.
Paller said many advanced hackers no longer study software code. Rather, they rely on automated tools that isolate places in the object code where buffer overflows and similar problems are possible. "Developers should use those same tools first and have access to the most sophisticated tools available to the hackers," said Paller.
Charles Kolodgy, an analyst at IDC in Framingham, Mass., said that while the focus on reverse-engineering is unique, it can be adouble-edged sword.
"Many vendor vulnerabilities are discovered by people who take the code apart to look at it," he said.
Read more about Security in Computerworld's Security Topic Center.
- Mobile First: Securing Information Sprawl Learn how the partnership between Box and MobileIron can help you execute a "mobile first" strategy that manages and secures both mobile apps...
- Cybersecurity Imperatives: Reinvent your Network Security The Rise of CyberSecurity
- Surescripts Case Study- Securing Keys and Certificates Surescripts implemented Venafi's Trust Protection Platform™ to secure digital keys and certificates, ensure the privacy and confidentiality of electronic clinical information for its...
- Ponemon 2014 SSH Security Vulnerability Report According to research by the Ponemon Institute, 3 out of 4 enterprises have no security controls in place for SSH which leaves organizations...
- Responding to New SSL Cybersecurity Threat The featured Gartner research examines current strategies to address new SSL cybersecurity threats and vulnerabilities.
- Deep Dive into Advanced Networking and Security with Hybrid Cloud Security and networking are among the top concerns when moving workloads to the cloud. VMware vCloud® Hybrid Service™ enables you to extend your... All Security White Papers | Webcasts
Our new bimonthly Internet of Things newsletter helps you keep pace with the rapidly evolving technologies, trends and developments related to the IoT. Subscribe now and stay up to date!