Software Quality Assurance

The nation’s critical infrastructure (energy, transportation, telecommunications, banking and finance, and more), businesses and services are extensively and increasingly controlled and enabled by software. However, weaknesses in software may expose vulnerabilities that put our critical infrastructure resources at risk. In 2014, the National Vulnerability Database (NVD) reported more than 7,900 vulnerabilities. That's the largest number of vulnerabilities ever reported in one calendar year, a 33 percent increase over the previous three years. This risk is compounded by software size and complexity, and by the growing reliance on reusable software code and open source software in organizations.

In recent years, the open source technology model has gained considerable momentum in the commercial market as well as throughout government information technology (IT) systems. Thousands of open source software systems and tools are used across the federal government. Such software is often less than fully tested, with uncoordinated maintenance, development, and use. The need for assured software is reflected in multiple sections of the “Federal Plan for Cyber Security and Information Assurance Research and Development” as well as sector-specific documents, including those from the Finance Sector.

The Software Quality Assurance project will develop tools, techniques and research infrastructures for analyzing software to identify potential security vulnerabilities associated with our Nation’s critical infrastructure and networks. Specifically, this project addresses the presence of internal flaws and weaknesses in software and deals with the root of the problem by improving software security. Test environments for these tools will also be built. One such facility is the SoftWare Assurance Market Place (SWAMP), which will develop a research infrastructure that open source and commercial software product developers can use to test the security functionality of their software. Developers will use source code analysis techniques to discover and eliminate weaknesses early in the software development process, which will help reduce the number of vulnerabilities in the overall software supply chain.

Project Performers

Prime: Applied Visions, Inc | Sub: None

Prime: Ball State University | Sub: None

Prime: Carnegie Mellon University Software Engineering Institute | Sub: None

Prime: Denim Group | Sub: None

Prime: George Mason University | Sub: University of California-Irvine

Prime: HRL Laboratories, LLC | Sub: Stevens Institute of Technology

Prime: Kestrel Technology, LLC | Sub: None

Project Documents

Software Quality Assurance Fact Sheet

Contact

Program Manager: Kevin Greene - Biography

Email: SandT-Cyber-Liaison@HQ.DHS.GOV
