1. Open Security Technology Tech@State Washington, DC February 11, 2011 Dept. of Homeland Security Science & Technology Directorate Luke Berndt Program Manager Cyber Security Division Homeland Security Advanced Research Projects Agency (HSARPA) luke.berndt@dhs.gov 202-254-5332

2. US Govt Spends $38 Billion on IT Annually Trend is Not Sustainable Bureaucracy (easy to blame) Complexity of Govt Enterprise Systems Redundancy – Re-Invent the Wheel Existing System of Acquisition, Management, Updating, Technical Obsolescence Significant Hurdle Cybersecurity = Protection of Infrastructure and Data 2 Need: Sustainable Government IT Systems 11 February 2011

3. Homeland Open Security Technology (HOST) Focus: Gov contribution to and adoption of Open Source solutions that support cyber security Make it easier for government (local, state, & federal) to take advantage of innovation in the OS space Encourage the contribution of Gov funded research to OS community by improving processes Investigate what OS is being used in Gov, acq best processes, & where gaps exist (user groups & census) Seed development of OS solutions to fill key gaps Phase 2 - $10m over 5 years 11 February 20113

4. HOST: Initial work OS Intrusion Detection DHS seeded development Create common, OS engine for R&D, and commercial products Maintained by non-profit Supported by companies 11 February 20114 OpenSSL libraries widely used in OS software Feds need Crypto, FIPS validated for acquisitions Each version needs to be re- validated DHS contributed to maintaining the FIPS validation

5. 16 December 20105 Give open source community access to entire toolset  Open-source developers register their project. Coverity automatically downloads and runs tool over it.  Developers get back bugs in coverity’s bug database Big success:  Roughly 500 projects registered  4,700+ defects actually patched.  Some really crucial bugs found; dozens of security patches (e.g., X, ethereal) Coverity: scan.coverity.com

6. Software Assurance MarketPlace (SWAMP) BAA Topic 14: https://baa2.st.dhs.govhttps://baa2.st.dhs.gov Focuses on the research infrastructure necessary to enable software quality assurance and related activities A software assurance facility and the associated research infrastructure services that will be made available to both software analysis researchers and software developers, both open source and proprietary DHS expects the SWAMP to become a national level R&D resource in software assurance for open security technologies, used across civilian agencies and their communities as both a research platform and core component supporting US Government supported software development activities 11 February 20116

7. SWAMP Conceptual Architecture 11 February 20117 Software Assurance MarketPlace (SWAMP) Software Analysis Tools – Open Source and potentially commercial Open Source Software (for starters) and potentially all government funded software Other Resources (e.g., High Performance Computing Clusters)