2024 Year in Review
Secure by Design Portfolio Supports Software Supply Chain Risk Management
Because software underpins so much of our daily life, attacks on software-reliant systems can pose a threat to public safety and well-being. To combat this threat, the U.S. Cybersecurity and Infrastructure Security Agency (CISA) Secure-by-Design and Secure-by-Default initiative argues that “it is crucial for software manufacturers to make secure by design and secure by default the focal points of product design and development processes.” The SEI has long advocated building security into early phases of software system development and acquisition. The SEI’s 2024 portfolio of research and community outreach included multiple efforts to foster software security by design.
API Security
The application programming interface (API) is a fundamental component of most software applications. It makes system operations available to the user and enables engineers to build programs based on other programs without having deep knowledge of them. However, APIs invite attack because of their interconnectedness, the access they provide, their sometimes cryptic implementations, and their unexpected failures.
The SEI has been researching ways to create secure-by-design APIs by applying zero-trust principles, testing enabled by artificial intelligence (AI), DevSecOps approaches, supply chain security, and the SEI’s Software Engineering Risk Assessment (SERA) framework. To learn more, read the SEI paper On the Design, Development, and Testing of Modern APIs.
Rust Software Security
The popular Rust programming language boasts a unique security model that promises memory and concurrency safety while providing the performance of C or C++. Rust, however, has not received the same scrutiny as older languages. Recent research by the SEI examined claims and assumptions about the security of programs created with Rust and published its findings in a series of SEI Blog posts.
While Rust does provide memory safety and a degree of concurrency safety, it remains subject to a number of threats, such as supply-chain vulnerabilities. This year, the SEI examined several vulnerabilities that affected some Rust programs. One was a back door discovered in some versions of Rust crates, which are packages of Rust library code, and another was a command injection affecting programs running on Windows.
The Use of LLMs to Secure Source Code
There has been much hype about large language models (LLMs) replacing programmers. The SEI has been researching the use of LLMs in a variety of software engineering contexts, including identifying security flaws in source code.
A recent SEI study examined the benefits of using LLMs in DoD environments to automate static-analysis adjudication. Static-analysis findings are often too voluminous for complete review, causing the DoD to accept unknown risk. SEI researchers developed a model of how an LLM-based tool could be used for static-analysis alert adjudication. They found that LLMs hold promise for accurate static-analysis adjudication, automating code repair, and educating staff on alert adjudication.
Right Place, Right Expertise
In addition to these specific research efforts, SEI experts have provided commentary in response to requests for information from CISA and the White House Office of the National Cyber Director on secure-by-design practices and open source software security. To discover ways to reduce cybersecurity weaknesses earlier in the software development lifecycle, the SEI also holds an annual Secure Software by Design conference for security researchers, industry practitioners, and government officials. The SEI’s history of connecting these communities, as well as its deep expertise in software engineering, acquisition, and cybersecurity, can help foster this holistic secure development approach.
Key Researchers
Tim Chick, Lori Flynn, Scott Hissam, Will Klieber, David Svoboda, Thomas Scanlon, Robert Schiela, Mark Sherman, Brett Tucker, Carol Woody