CISA’s Efforts Towards Software Understanding


By Christine Lai and Chris Butera, Office of the Technical Director 

Shifting the balance of cybersecurity risk from small organizations and consumers to technology providers and software developers is a priority for the Cybersecurity and Infrastructure Security Agency (CISA). Consistent with the National Cybersecurity Strategy’s goal of rebalancing the risks of insecure software, "Software Understanding" seeks to understand software’s potential behavior before the software is placed into use. 

Software Understanding complements CISA’s Secure by Design initiative by enhancing software analysis. Software that is secure by design is designed for analysis – that is, designed to support independent efforts to scrutinize software artifacts to verify and validate the software before it is placed into use. When your mission is national security or critical infrastructure, you need to do more than just trust; you need the ability to subject executable software to additional scrutiny before it is deployed. Together, Software Understanding and Secure by Design promise to give technology customers and end users additional tools to be able to demand better cybersecurity from their software developers.

Last year, CISA, the National Security Agency (NSA), and the National Nuclear Security Administration (NNSA) convened a government-wide workshop on Software Understanding for National Security (SUNS) hosted by the DHS Science and Technology (S&T) Directorate. The purpose of the workshop was to explore the potential development of additional automated tools that would enable integrators and users of software to gain understanding without needing to rely so heavily on manual analysis, such as reverse engineering. A post-meeting report, which also contains findings and information on agency participation, summarizes the individual views of subject matter experts regarding:   

  • The need and challenge of analyzing software artifacts and their potential behaviors, 
  • Impediments and catalysts to a future state for automated software analysis, and
  • Establishing a government-wide community of software understanding researchers.  

Software Understanding is a difficult problem, but as workshop participants highlighted, much can likely be accomplished with comprehensive approaches to addressing the problem. CISA is committed to shepherding the development of Software Understanding and plans to lead another SUNS workshop this spring. 

For more on this effort, visit the SUNS webpage.