Why Johnny and Janie Can’t Code Safely: Bringing Software Assurance to the Masses

Thursday, August 13, 2015 - 9:00am-10:30am

Bart Miller, University of Wisconsin—Madison

While we’re all furiously working on new techniques to automate the finding of weaknesses and even vulnerabilities in software, relatively few programmers in the real world are benefiting from our work. The reasons for this situation are myriad: lack of training, awareness, and economic incentives on the part of the users; complex and only partially useful tools on the part of the assurance tool developers; legal barriers to open reporting of software problems; a confusing regulatory landscape with few standards; and a lack of effective curriculum at most universities for students learning software skills.

As a step towards improving the state of software assurance tools in the marketplace and increasing the adoption of software assurance practices by programmers, the U.S. Department of Homeland Security funded a 5-year project to establish the Software Assurance Marketplace (SWAMP). The core service of the SWAMP is an open (free) facility where programmers can bring their software to be run against a large suite of both commercial and open source assessment tools. In addition, tool developers can use the SWAMP-developed resources to speed their tool developments, making it easier to compete with established research projects and commercial products. The SWAMP also serves as a resource for classroom instructors and for researchers studying the software assurance process.

I will discuss our experiences trying to make an impact on the adoption of software assurance practices, the obstacles to making such an impact, and how the security research community (you!) can make this mission more effective.

Barton Miller is Professor of Computer Sciences at the University of Wisconsin. He is also Chief Scientist for the DHS Software Assurance Marketplace (SWAMP) research facility and co-directs the MIST software vulnerability assessment project in collaboration with his colleagues at the Autonomous University of Barcelona. He also leads the Paradyn Parallel Performance Tool project, which is investigating performance and instrumentation technologies for parallel and distributed applications and systems. His research interests include systems security, binary and malicious code analysis and instrumentation, extreme scale systems, parallel and distributed program measurement and debugging, and mobile computing. Miller's research is supported by the U.S. Department of Homeland Security, U.S. Department of Energy, National Science Foundation, NATO, and various corporations.

In 1988, Miller founded the field of Fuzz random software testing, which is the foundation of many security and software engineering disciplines. In 1992, Miller (working with his then-student, Prof. Jeffrey Hollingsworth) founded the field of dynamic binary code instrumentation and coined the term "dynamic instrumentation." Dynamic instrumentation forms the basis for his current efforts in malware analysis and instrumentation.

Miller was the chair of the IDA Center for Computing Sciences Program Review Committee, a member of the Los Alamos National Laboratory Computing, Communications and Networking Division Review Committee, and has been on the U.S. Secret Service Electronic Crimes Task Force (Chicago Area). Miller is a Fellow of the ACM.


BibTeX
@conference {208808,
author = {Bart Miller},
title = {Why Johnny and Janie {Can{\textquoteright}t} Code Safely: Bringing Software Assurance to the Masses},
year = {2015},
address = {Washington, D.C.},
publisher = {USENIX Association},
month = aug
}