DARPA to release research on security ratings for software in 2016

December 23, 2015

The Defense Advanced Research Projects Agency has decided the results of its nascent effort to rate the security of software and systems for consumers and insurance professionals will likely be released by next fall, according to an agency spokesman.

Prominent security researcher Peiter Zatko's Cyber Independent Testing Laboratory in Waltham, MA, won a $499,935 contract in September for the “Consumer Security Reports” effort, which is being funded by DARPA. At the time, the agency said the schedule for producing deliverables under the contract had not yet been decided.

But officials have since determined that the study is expected to be completed in the fourth quarter of fiscal year 2016, DARPA spokesman Jared Adams told Inside Cybersecurity.

“Most likely, the content will be made available for unlimited public release and posted on DARPA's Open Catalog portal probably within a week or two of final receipt,” Adams said.

Buyers of software and systems badly need a way to discern which products have relatively better cybersecurity, according to Zatko.

“There have been enough stories in the news that your average consumer (corporation or individual) knows that they need better security,” he told Inside Cybersecurity earlier this year. “They know security is important, and that they don't have it, but they don't have any idea on how to get it, which is frustrating and upsetting. They want to make better, more informed decisions, but don't have the tools to do so."

The project “potentially could be a very important part of this notion of the emergence of a robust economic model for cybersecurity and insurance and the other products that might go with that,” DARPA Director Arati Prabhakar said this fall.

Zatko, a.k.a. Mudge, came to fame – and testified before Congress in 1998 – as a member of the high-profile hacker group the L0pht. He later spearheaded cybersecurity research at DARPA. Zatko joined Google in 2013, but left the company this year to stand up the Cyber Independent Testing Laboratory.

Software marketed to improve the security of systems could be a significant source of risks, Zatko noted in a recent interview published by the Council on Foreign Relations.

“In fact, some of the most insecure software on the market can be the very security software that is supposed to protect you,” he said. “Some adversaries have processes and procedures to determine which software is easiest to exploit. Our organization tries to quantify the resilience of software against future exploitation.” -- Christopher J. Castelli (ccastelli@iwpnews.com)