Computerworld - The Air Force Research Laboratory this week awarded Santa Clara, Calif.-based Network Associates Inc. a $1.8 million contract to support research that may have widespread implications for the future of government and private-sector cybersecurity.
The contract is part of the Software Protection Initiative (SPI), a government program focusing on cutting-edge technologies to protect critical software that supports national and defense capabilities. However, the research being planned for the program could clearly benefit the private sector as well, experts said.
The focus of one research project is to produce a secure development repository with the overall goal of developing information assurance techniques and malicious-code scanning capabilities for software production systems, said Pete Dinsmore, director of research operations at Network Associates Laboratories. These techniques and capabilities will enhance software development security and cut down on software vulnerabilities, he said.
A second project will focus on protecting software from reverse-engineering -- which can be a critical part of the malicious hacker's tool box. With reverse-engineering tools such as disassemblers and decompilers, an attacker can extract information about the design and operation of software and then exploit it. Researchers from the Air Force and Network Associates plan to study the feasibility of constructing new defenses against reverse-engineering and embedding those defenses in critical software.
"This is cutting-edge," said Dinsmore. "In one case, we're doing research to understand software obfuscation and deobfuscation tools to understand the state of the art in how well a hacker can take apart the software you've created," he said.
"We're also focusing on advancing the state of the art in developing software by developing a secure [change management] repository that can ensure that the code that comes out of the repository only goes to the people it's supposed to go to, and only the code that was supposed to go into [the application] was actually integrated."
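The repository Dinsmore describes has two jobs: refuse any code that was not reviewed and approved before it reaches the build, and hand finished builds only to recipients on the distribution list. The following is an added example (not Network Associates' or AFRL's code, and not a description of their system) that models both checks in a few dozen lines of Python. Each approval is a manifest of file digests protected by an authenticator; integration compares the workspace against the manifest and refuses on any mismatch, missing file, or unapproved extra file. HMAC-SHA256 with a shared key is used here as a stand-in for the digital signature a real system would carry, and the key, file names, build id and recipient names are all constructed for the example.

```python
"""Minimal model of a secure change-management repository (added example).

An approved change set is recorded as a manifest: path -> SHA-256 of the
reviewed content, authenticated with HMAC-SHA256 under APPROVAL_KEY. HMAC
stands in for the signature a real repository would use; the key and all
sample data below are assumptions made for the example.
"""
import hashlib
import hmac
import json

APPROVAL_KEY = b"example-approval-key"  # assumption: stand-in for a signing key

# Assumption: which recipients may receive which build.
DISTRIBUTION = {"build-2003.1": {"flight-sw-team", "afrl-spi"}}


def sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def approve_change(files: dict[str, bytes], approver: str, key: bytes = APPROVAL_KEY) -> dict:
    """Record the reviewed files as an authenticated manifest."""
    digests = {path: sha256(content) for path, content in sorted(files.items())}
    body = json.dumps({"approver": approver, "files": digests}, sort_keys=True).encode()
    tag = hmac.new(key, body, hashlib.sha256).hexdigest()
    return {"body": body, "tag": tag}


def verify_manifest(manifest: dict, key: bytes = APPROVAL_KEY) -> dict:
    """Check the manifest authenticator (constant-time compare) and decode it."""
    expected = hmac.new(key, manifest["body"], hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, manifest["tag"]):
        raise ValueError("manifest authenticator invalid")
    return json.loads(manifest["body"])


def integrate(manifest: dict, workspace: dict[str, bytes], key: bytes = APPROVAL_KEY) -> list[str]:
    """Admit the workspace to the build only if it matches the approved manifest exactly.

    Refuses on: a file whose content differs from the approved digest, a file
    not present in the manifest at all, or an approved file that is missing.
    """
    approved = verify_manifest(manifest, key)["files"]
    problems = []
    for path, content in sorted(workspace.items()):
        if path not in approved:
            problems.append(f"{path}: not in approved manifest")
        elif sha256(content) != approved[path]:
            problems.append(f"{path}: content differs from approved digest")
    for path in sorted(set(approved) - set(workspace)):
        problems.append(f"{path}: approved file missing from workspace")
    if problems:
        raise ValueError("integration refused: " + "; ".join(problems))
    return sorted(workspace)


def release(build_id: str, recipient: str) -> bool:
    """True only for recipients on the build's distribution list."""
    return recipient in DISTRIBUTION.get(build_id, set())


if __name__ == "__main__":
    # Constructed sample change set.
    files = {
        "src/crypto.c": b"int f(void) { return 1; }\n",
        "src/main.c": b"int main(void) { return 0; }\n",
    }
    manifest = approve_change(files, approver="reviewer-a")
    print("clean integration:", integrate(manifest, files))

    tampered = dict(files)
    tampered["src/crypto.c"] = b"int f(void) { return 2; }\n"  # edited after review
    try:
        integrate(manifest, tampered)
    except ValueError as err:
        print(err)

    print("release to afrl-spi:", release("build-2003.1", "afrl-spi"))
    print("release to outsider:", release("build-2003.1", "outsider"))
```

The check is deliberately exact in both directions: an unapproved extra file (the classic way to slip something into a build) is refused just as a modified approved file is, and a forged manifest fails the authenticator before any digest is consulted.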
Alan Paller, director of research at the SANS Institute in Bethesda, Md., said government funding of this type of research could have a significant spillover effect for the entire software and Internet industry. "Government funding of advanced research on code analysis tools could lead to valuable resources for everyone," he said.
Paller said many advanced hackers no longer study software code. Rather, they rely on automated tools that isolate places in the object code where buffer overflows and similar problems are possible. "Developers should use those same tools first and have access to the most sophisticated tools available to the hackers," said Paller.
Charles Kolodgy, an analyst at IDC in Framingham, Mass., said that while the focus on reverse-engineering is unique, it can be a double-edged sword.
"Many vendor vulnerabilities are discovered by people who take the code apart to look at it," he said.