Workshop on Reducing Software Defects and Vulnerabilities

The summary provided here is based on the deliberations and feedback provided by workshop participants during and following the event. This should not be construed as the consensus opinion of the Software Productivity, Sustainability, and Quality Interagency Working Group.

Logistics

Event: Workshop on Reducing Software Defects and Vulnerabilities
Location: Arlington, VA
Date: October 6-7, 2016

Overview

The Software Productivity, Sustainability, and Quality (SPSQ) Interagency Working Group’s (IWG) Workshop on Reducing Software Defects and Vulnerabilities, held on October 6-7, 2016, explored the R&D challenges and opportunities at the intersection of software development and software security. A large percentage of the time and cost of software development, operation, and sustainment is attributable to the effort needed to discover, avoid, mitigate, and eliminate software defects.¹ This presents a major obstacle to reducing software vulnerabilities, of which software defects are a major source. In a dynamic market that relies on rapid development of software to bring innovations to the marketplace, the short-term economics favor meeting time-to-market and initial cost objectives without considering the lifecycle cost of potential defects and vulnerabilities in the delivered product.

The workshop convened experts from both the software engineering and security engineering communities in Government, academia, and the private sector to consider questions such as:

• How can security be built in to reduce software vulnerabilities while simultaneously reducing cost and time-to-market?
• What is the relationship between software defects and software vulnerabilities?
• How can the economic factors involved in eliminating defects and exploitable vulnerabilities be quantified?
• What (theoretical, empirical, practical) software engineering R&D carries over to software security engineering?
• What advancements in software development environments, processes, and technologies will simultaneously reduce software vulnerabilities, cost, and time-to-market for software-intensive systems that are evolving rapidly and/or are long-lived?

Challenges Identified

The SPSQ IWG consolidated the workshop output into four themes containing 13 issues, which includes challenges and R&D required to address these challenges, to reducing software defects and vulnerabilities.

Theme 1: Multi-dimensionality of the Problems of Software Development and Sustainment

Software expectation shortfalls are more than a problem of engineering technology. The quality of software is an artifact of the processes through which it is developed, tested, delivered, and sustained. These processes not only include software engineering processes, but also social and individual work processes. The effects of work-organization, management, rewards and incentives, human interaction, individual cognitive state and capacity, and such other social factors involved in software development are not well understood. Ensuring software is of high quality, which includes ensuring software is secure, means increasing our understanding of the effect of these processes on the quality of the product, the relationship between the quality of the process and the quality of the product, and the lifecycle economics of the product.

The complexity of modern software is a side-effect of current development and deployment practices. Many commercial off the shelf software systems are designed to be feature rich in order to address the needs of many possible users. The reuse or repurposing of code across different application programming interfaces, frameworks, libraries, and abstractions is a common approach to reducing the cost and time to realize new capabilities. However, this can result in software that is more complex and bloated, and not optimized for other attributes of the product (e.g., verifiability; vulnerability; execution resources).

Lack of high-quality software development tools leads to increased software defects and vulnerabilities. The availability of improved software development technology to the wide variety of software producers (e.g., industry, the public, academia, government, and open source communities) is critical to improving the quality and security of software.

Theme 2: Development, Sustainment, and Assurance of Secure Software

There are tradeoffs between conflicting quality attributes. The proponents of agile development processes aim to save time by avoiding overhead of requirements engineering and testing. However, too much agility raises concerns about quality and security, while too little agility raises concern about time-to-market.

The security of legacy systems remains a significant challenge. It is difficult to add new security measures to legacy systems, but doing so can contribute to reducing software vulnerabilities. Furthermore, vulnerabilities frequently emerge in legacy code that is used in new operational contexts. Tools that allow users to trim unnecessary code/features as well as validate and verify the correctness of the transformed software could help address the legacy challenge.

Developers need greater support to create secure software. The psychology literature discusses the potential negative consequences of operating beyond the upper bounds of human cognitive capacity. Research suggests that adding the responsibility for security to a developer’s extensive responsibilities (e.g., software functionality, performance, and sustainability) could be asking them to operate beyond their cognitive capacity. Furthermore, software vulnerabilities may be viewed as blind spots in developers’ heuristic-based mental models, which they rely upon when operating beyond their cognitive capacity. Developers need more support, in both training and tools, to develop software that meets security expectations of the community.

Theme 3: Economics of Software

The cost and time of checking for vulnerabilities is high and adds uncertainty to budgets and schedules. In general, the software-dependent sectors of the economy have unrealistic expectations for the cost of software development and sustainment. They often do not express their needs and expectations correctly, consistently, and unambiguously; cannot express the relative value of various attributes; and do not understand the effects of vulnerabilities on their cost and schedule objectives. Software developers would benefit from better understanding and assessment of the costs and benefits of different software development and assurance methods and tools, and their effect on product quality, cost, and schedule.

The productivity of the software sector of the economy is an elusive concept. It is hard to quantify both the economic productivity of software development and the contribution of software to the productivity of Government and the economy. This is due, in part, to the true cost and value of software being incomparable to those concepts for traditional capital investment, such as mechanical automation. Further, developers would benefit from a better understanding of the contribution of software in the public and private sectors, including the effect on their productivity. Accurately assessing the net economic benefit of software requires that we account for the cost and value of sustaining that software throughout its lifecycle.

Theme 4: R&D for Software Development, Sustainment, and Assurance

The design of a programming language can contribute to software vulnerability. Many software defects and vulnerabilities are a direct result of using programming languages that were developed before software security was a serious concern. Many such languages are easier to learn and faster to program in, contributing to their popularity. Use of these languages leads to unavoidable vulnerabilities and an acceptance of their inevitability. Much R&D focuses on developing new tools to detect and remove defects and vulnerabilities from existing software. However, more R&D is needed to develop new methods and new languages that ensure we can build software with designed-in assurance, including for security. For the existing languages that can immediately provide greater security, promoting their use requires developing new tools and libraries that will increase ease of use, sustained workforce development that includes technical training at the management level, and incentives for both the academic and private sector user communities.

R&D depends on validated data and data sharing. Software bug databases and vulnerability databases, assimilated from experience history, can serve as the basis for future empirical research, leading to the identification of factors that cause hazardous effects, and further leading to the development of preventative approaches.

Software sustainability, especially vulnerability-free code, does not receive enough attention. Techniques and approaches that enable the development of vulnerability-free code do not necessarily contribute to sustaining code free of vulnerabilities. Creating a new application includes thorough analysis of the system-level requirements, especially non-functional requirements such as security, which drive the system architecture. However, updates and enhancements (in general, modifications to the original system) are not performed with the same thoroughness. R&D is needed to help improve the practice of software modification, such as enabling small changes to software to be done with little effort, and performing the change-impact analysis more effectively and efficiently.

Graduating more U.S. PhDs capable of building effective analysis tools could contribute to reducing software defects and vulnerabilities. Abstract interpretation, satisfiability modulo theories, and symbolic execution are essential for developing sophisticated automated tools for detecting software defects and vulnerabilities. Producing more graduates with skills in programming language theory and formal methods, including at the PhD-level, could contribute to reducing software defects and vulnerabilities. However, realizing this goal requires greater commitment from the academic community to hire faculty to teach these skills, and a willingness to include these topics in the core computer science curriculum.

Vulnerabilities in software implementing autonomous decision making and control need further study. There is an increasing reliance on advanced autonomous decision-making and control software based on machine learning algorithms. Research is only beginning to reveal how such systems are vulnerable and what form attacks will take (e.g., deliberately false sensor data leading to incorrect conclusions). Unfortunately, our current tools, e.g., static analysis and fuzzing, are insufficient to answer these questions.

^{1. Defects, in this context, are understood in the general sense as either a fault (cause) or a failure (effect). See definition in IEEE Std 982.1-2005 (https://ieeexplore.ieee.org/document/1634994/definitions?anchor=definitions). ↩}