Balancing Innovation & Security in the Software Supply Chain
We are working closely with leading artificial intelligence (AI) academics at the University of California, Riverside, to research and develop a novel AI-based model that quantitatively assesses and scores software code risk.
AMERICA’S SOFTWARE STATE-OF-PLAY
From power grids and advanced weapons systems to the telework-enabling apps connecting us during COVID-19, software sits at the heart of nearly all that keeps our globalized economy running. But in the words of a 2020 Atlantic Council report, “society has a software problem.” As more and more products and services rely on the use of unvetted third party code and open source software (OSS) libraries, cyber risks and opportunities for exploitation have surged.
In early 2020, for example, a multinational technology vendor serving the US, UK, and Australian defense sectors installed a legitimate tax software with a nasty surprise: sophisticated malware that handed over access to the company’s network. Examples like these are becoming more frequent, and the potential impact more devastating.
Cyberattacks targeting open source projects have SURGED 430%
year-over-year, according to a 2020 report
Applications have an average of 38 KNOWN
Today, validating source code costs HUNDREDS OF THOUSANDS OF DOLLARS
BUILDING ON POSITIVE MOMENTUM
From the 2020 Cyberspace Solarium Commission report to the National Telecommunications and Information Administration’s ongoing efforts to build a Software Bill of Materials, America is making headway when it comes to balancing cybersecurity and innovation in today’s globalized economy. Yet more work and collaboration amongst public and private stakeholders is required to shore up software supply chain security.
Today, hiring developers or outside firms to manually validate product source code can cost companies hundreds of thousands of dollars per review. Companies with exciting software ideas and solutions are being pushed out of the market simply because they cannot afford such expensive vetting requirements. All of America suffers when that happens: government, individuals, and the economy.
A NOVEL AI-BASED MODEL FOR SOURCE CODE ANALYSIS
Both the private and public sectors need a more affordable way to score software risk that relies on repeatable, objective processes and quantifiable results. Acronis SCS’ AI-based model is designed to do just that.
Our model, which consists of a deep learning neural network, scans through source code (both open source and proprietary) to provide impartial quantitative risk scores that help IT administrators accurately determine whether and how to deploy new software packages, as well as update existing ones.
The first round of analysis, which focused on the Android Bluetooth module known as “Fluoride,” resulted in a 41% “lift” or improvement at detecting CVEs over random testing. More details on these promising initial results are available in “Combinatorial Code Classification & Vulnerability,” published in IEEE’s 2020 Second International Conference on TransAI. Ongoing rounds of analysis based on much larger datasets are producing equally promising results.
Our model demonstrates 41% IMPROVEMENT
at detecting CVEs
Balancing INNOVATION & SECURITY
A VALUE ADD FOR ALL
Once research is complete, we hope to share this model with others to help all organizations better identify and remediate risks within their software code, and in so doing, help the US government hold industry accountable against a set of consistent, objective standards. Our AI-based approach ensures software vendors – and the federal contractors and government agencies relying on their products – can take the uncertainty out of software supply chain validation, while spurring cutting-edge innovation and small business opportunity.
We welcome collaboration on data and threat analysis and are seeking partners similarly committed to securing the software supply chain. Click the button to the left to connect with our Senior Director of Research and mathematician Dr. Jospeh R. Barr on potential collaboration opportunities.
MEET OUR RESEARCH TEAM
Dr. Joseph “Joe” Barr – As the Senior Director of Research at Acronis SCS, Joe is responsible for developing methodologies and tools to analyze source code and identify and provide early warnings of code vulnerabilities. Prior to joining Acronis SCS, Joe served as Chief Analytics Officer at HomeUnion, Chief Data Scientist at ID Analytics (now part of Lexis-Nexis), and taught mathematics at California Lutheran University. His research interests include applications of machine learning to cybersecurity, natural language processing, and source code analysis. He publishes extensively in the area of machine learning and combinatorics, and holds a bachelor’s degree from Haifa University, master’s from Florida State University, and doctorate from the University of New Mexico, all in mathematics.
Tyler Thatcher – As a Machine Learning Engineer at Acronis SCS, Tyler researches innovative ways to leverage machine learning in the cybersecurity domain. Examples of Tyler’s prior research experience include modeling spectral data for the Mars rover at USGS Astrogeology and prototyping smart systems at Northern Arizona University’s School of Informatics, Computing & Cyber Systems. Tyler holds a bachelor’s degree in computer science from Northern Arizona University and is currently pursuing his master’s degree in the same.
Interested in COLLABORATING on this innovative research? We want to hear from you.