DHS Funds Research to Improve Software Security Analysis


The Science and Technology Directorate awarded a contract to standardize the process for evaluating static analysis tools, which agencies use to hunt for bugs in their IT systems.

The Homeland Security Department last week awarded a noncompetitive, sole-source contract that could eventually help the government better find and patch vulnerabilities in its IT infrastructure.

Under the contract, GrammaTech, a New York-based software developer, will create a standardized process for evaluating open-source static analysis tools, the tools agencies use to scan software for security flaws without executing it. The company’s work will support the Static Tool Analysis Modernization Project, or STAMP, an effort by Homeland Security’s Science and Technology Directorate to improve the software security tools available across government.

GrammaTech has already worked with the Science and Technology Directorate on STAMP, and awarding the contract to another vendor would result in “a significant duplication of effort and investment,” Homeland Security officials wrote in a post on FedBizOpps. 

As security researchers uncover hundreds of new software vulnerabilities every week, the government is having a hard time keeping its sprawling IT ecosystem secure. The flood of new bugs means agencies must constantly scan and patch their IT systems, but the tools they use have fallen behind the times, according to Homeland Security officials.

“The current state-of-the-art software assurance tools have not kept pace with modern software,” they said in the post. “Oftentimes these tools have difficulty tracking data flows through complex and large software systems, to the point that software analysis tools oversimplify and make assumptions about software code that is inaccurate.”

Through the STAMP program, the department intends to give agencies access to a pool of reliable software analysis tools that would enable continuous evaluation of their IT infrastructure and provide more accurate assessments of potential vulnerabilities.

The tech developed under STAMP will eventually become available in the Software Assurance Marketplace, an open-source repository of security evaluation tools funded by the Homeland Security Department. Under the contract, GrammaTech will spend up to 18 months developing a methodology for consistently testing, evaluating and improving those static analysis tools, according to the post.
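The two technical points in this article, that static analysis tools often lose track of data flows across larger programs, and that a standardized evaluation method needs labelled test cases to measure what a tool misses, can be illustrated together. The following is an added example written for this page, not code from GrammaTech, STAMP or the Software Assurance Marketplace. It implements a deliberately small taint analysis over the Python AST, with `input()` as the taint source and `eval()` as the sink, and scores it against a constructed two-program corpus with known ground truth. The source/sink choice, the sample programs and the function names are all assumptions made for the example; the point is that the same analyser passes the direct case and silently misses the flow once it crosses a function call, unless it follows the call.

```python
import ast

# Constructed sample programs (assumptions for this example): a tainted value
# from input() reaching eval(). Case A flows directly; case B passes through a
# helper function, which a purely intraprocedural analysis does not follow.
SAMPLES = {
    "direct": """
data = input()
eval(data)
""",
    "through_helper": """
def wrap(x):
    return x

data = input()
safe = wrap(data)
eval(safe)
""",
}

# Ground truth for the corpus: both samples contain a real input()->eval() flow.
EXPECTED = {"direct": True, "through_helper": True}

SOURCES = {"input"}   # calls that introduce attacker-controlled data
SINKS = {"eval"}      # calls that must not receive such data


def _call_name(node):
    """Name of a simple call like f(...), or None."""
    if isinstance(node, ast.Call) and isinstance(node.func, ast.Name):
        return node.func.id
    return None


def _tainted(expr, tainted, follow_calls, funcs):
    """Return True if expr may carry a tainted value given the tainted name set."""
    if isinstance(expr, ast.Name):
        return expr.id in tainted
    if isinstance(expr, ast.Call):
        name = _call_name(expr)
        if name in SOURCES:
            return True
        if any(_tainted(a, tainted, follow_calls, funcs) for a in expr.args):
            # Naive mode: a call is an opaque barrier and taint is dropped here.
            # This is the kind of simplifying assumption the article describes.
            if not follow_calls:
                return False
            fn = funcs.get(name)
            if fn is None:
                return True  # unknown callee: conservatively assume it propagates
            # Interprocedural mode: bind tainted arguments to the callee's
            # parameters and check whether its return value is tainted.
            param_taint = {p.arg for p, a in zip(fn.args.args, expr.args)
                           if _tainted(a, tainted, follow_calls, funcs)}
            return _returns_tainted(fn, param_taint, follow_calls, funcs)
    return False


def _returns_tainted(fn, tainted, follow_calls, funcs):
    """Walk a function body (assignments and returns only) and report tainted returns."""
    tainted = set(tainted)
    for stmt in fn.body:
        if isinstance(stmt, ast.Assign):
            if _tainted(stmt.value, tainted, follow_calls, funcs):
                tainted |= {t.id for t in stmt.targets if isinstance(t, ast.Name)}
        elif isinstance(stmt, ast.Return) and stmt.value is not None:
            if _tainted(stmt.value, tainted, follow_calls, funcs):
                return True
    return False


def find_flows(src, follow_calls):
    """Return line numbers of sink calls at module level that receive tainted data."""
    tree = ast.parse(src)
    funcs = {n.name: n for n in tree.body if isinstance(n, ast.FunctionDef)}
    tainted = set()
    hits = []
    for stmt in tree.body:
        if isinstance(stmt, ast.Assign):
            if _tainted(stmt.value, tainted, follow_calls, funcs):
                tainted |= {t.id for t in stmt.targets if isinstance(t, ast.Name)}
        elif isinstance(stmt, ast.Expr) and _call_name(stmt.value) in SINKS:
            if any(_tainted(a, tainted, follow_calls, funcs) for a in stmt.value.args):
                hits.append(stmt.lineno)
    return hits


def evaluate(follow_calls):
    """Score the analyser against the labelled corpus: name -> (expected, found)."""
    return {name: (EXPECTED[name], bool(find_flows(src, follow_calls)))
            for name, src in SAMPLES.items()}


def false_negatives(follow_calls):
    """Corpus entries with a real flow that the analyser failed to report."""
    return sorted(n for n, (exp, found) in evaluate(follow_calls).items()
                  if exp and not found)


if __name__ == "__main__":
    for mode in (False, True):
        print("follow_calls =", mode, "->", evaluate(mode),
              "missed:", false_negatives(mode))
```

Run as written, the naive analyser reports the direct flow and misses the one routed through `wrap()`, while the call-following variant catches both; the `EXPECTED` table is what turns that difference into a measurable false-negative count, which is the kind of repeatable scoring a tool evaluation methodology needs. A real analyser would also have to handle flows through containers, attributes, loops and across modules, each of which is another place where a tool can "make assumptions about software code that is inaccurate."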