DARPA Explores How to Automate Software Assurance Assessments

The Defense Department wants Congress to allow it to make software development a single line item in its fiscal 2020 budget. The department’s research arm is also exploring ways to automate software assurance and determine if the DOD’s apps meet security standards. 

In May, the Defense Advanced Research Projects Agency unveiled a new program called Automated Rapid Certification of Software (ARCOS), which is designed to use software assessment evidence and then automatically figure out software’s level of risk.

As the DOD and armed forces rely more on software and artificial intelligence platforms, it will be more critical to assure that the software they are deploying is coded correctly and that vulnerabilities are detected quickly. 

“Software requires a certain level of certification — or approval that it will work as intended with minimal risks — before receiving approval for use within military systems and platforms,” notes Ray Richards, a program manager in DARPA’s Information Innovation Office, in a press release. “However, the effort required to certify software is an impediment to expeditiously developing and fielding new capabilities within the defense community.” 

MORE FROM FEDTECH: Find out why human-centric security is the best cybersecurity defense. 

DARPA Wants to Use Big Data to Assess Software

DARPA notes that, currently, the software certification process is “largely manual and relies on human evaluators combing through piles of documentation, or assurance evidence, to determine whether the software meets certain certification criteria.” 

This takes a great deal of time, is costly and can result in evaluations of software that do not catch vulnerabilities, as evaluators bring their own experience and biases to bear, DARPA argues. This makes it difficult to uniformly evaluate software. 

The ARCOS program is designed to automate the process and “provide justification for a software’s level of assurance that is understandable,” the DARPA release notes. It leverages recent advances in model-based design technology, “Big Code” analytics, mathematically rigorous analysis and verification, as well as assurance case languages, according to DARPA.

As Defense Systems reports, for several years DARPA has been working on “Big Code” analytics through a separate initiative called Mining and Understanding Software Enclaves, or MUSE, which “seeks to leverage software analysis and big data analytics to improve the way software is built, debugged and verified.” 

ARCOS researchers will evaluate “progressively more challenging sets of software systems and associated artifacts,” DARPA says, moving from a single software module to a set of interacting modules and then to a realistic military software system.