
The Cybersecurity and Infrastructure Security Agency (CISA) and Sandia National Laboratories are warning that public and private sector collaborators must work to close the “software understanding” gap to better secure the nation’s systems and infrastructure.
In a new report out on Aug. 20, CISA and Sandia said that the software understanding gap – with software understanding described as “the practice of constructing and assessing software-controlled systems to verify their functionality, safety, and security across all conditions” – exists because “our ability to build software greatly outstrips our ability to understand it.”
The federal organizations warned that the current understanding gap “is not just growing, it is growing at an accelerating rate.”
“This is not a future challenge; it is the reality today. Closing this gap requires an ecosystem of analysis components, libraries, frameworks, and tools that mirror the ecosystem driving software production, designed for rigorous, reliable, rapid, and repeatable software understanding,” CISA and Sandia said, adding the “software understanding ecosystem does not exist today and no activity is on track to create it.”
That gap also puts the nation at greater risk of vulnerabilities, the report said, stating that “the government and society trust much software that they shouldn’t,” and that trust is “unwarranted.”
Recent executive orders from the White House and national strategies are pushing to strengthen software accountability, resilience and security, with directives ranging from adopting zero-trust architectures to improving oversight of cloud providers. Most recently, the Pentagon has begun reassessing its software acquisition process, acknowledging it lags industry in shifting from hardware-centric to software-first approaches.
Despite these efforts, CISA and Sandia said the “ideal state” is one where mission owners and producers alike can rigorously, reliably, rapidly, and repeatably analyze software to detect vulnerabilities, mitigate risks, and build trust.
While perfection is impossible, they noted, advances in automation and independent executable analysis could transform defense and civilian missions, reduce reliance on scarce reverse engineers, cut costs and bolster public confidence in third-party and consumer software alike.
Current protections and software approaches are “radically different” from that ideal, the organizations said, explaining that current testing procedures, digital signatures, malware signatures, dynamic software monitoring, reverse engineering, software bills of materials, and other methods “are often weak and leave a significant understanding gap.”
“To make properly informed decisions about risk mitigation or acceptance, mission owners need to know what inherent risks arise from potential behavior of a particular software product,” stated CISA and Sandia. “Failing to adequately characterize the inherent risk means that mitigations cannot be adequately applied, and the residual system risk cannot be properly assessed.”
“A lack of adequate software understanding means that risk assessors cannot effectively implement the first step in the process, rendering the rest of the risk assessment process fundamentally flawed,” they continued.
To achieve a better software understanding, CISA and Sandia called on software analysis experts and leaders to engage with the federal government to help shape research priorities and “maintain a sustained focus on addressing this critical challenge.”