Completed STANDARD GRANT National Science Foundation (US)

Elements: An Infrastructure for Software Quality and Security Issues Detection and Correction

$6M USD

Funder: National Science Foundation (US)
Recipient Organization: Regents of the University of Michigan - Dearborn
Country: United States
Start Date: Aug 15, 2021
End Date: Apr 30, 2022
Duration: 258 days
Number of Grantees: 2
Roles: Principal Investigator; Co-Principal Investigator
Data Source: National Science Foundation (US)
Grant ID: 2103596
Grant Description

Research into more effective software development has the potential to make the infrastructure on which so many aspects of society depend less costly and more secure in the scientific community, industry and government agencies. In particular, the scientific community is proposing millions of scientific software prototypes to enable reproducibility of research results in almost every domain.

Scientists may frequently introduce security and quality issues into existing scientific software via their code changes due to their limited experience in software quality and security and the lack of tools for quality and security assessments that can be easily used and integrated in programming environments. Thus, several existing scientific software projects are difficult to 1) extend by scientists due to their poor quality and 2) deploy by industry due to the likelihood of security vulnerabilities and the bad development practices used.

Without a unified and easy-to-integrate framework for detecting, fixing, and documenting vulnerability and quality issues in scientific projects, the reusability, extendibility, safe deployment, and technology transfer of scientific projects will remain limited. This project builds a sustainable, community-driven software security and quality analysis framework.

These tools enable more scientists to build better software and to transfer their prototypes to industry by following the best software development practices. Its integrated education plan will bring undergraduate and graduate computer science students more awareness and expertise in the evolution of software systems, including security and quality issues.

This project develops a framework for detecting, fixing, and documenting security and quality issues. It will continuously monitor the software repository to identify security vulnerabilities and quality issues based on static and dynamic analyses, and then find the best sequence of code changes to prioritize and fix them. The developers can review the recommendations and their impacts in a detailed report and select the code changes that they want to apply.

The framework includes visualization support for the quality and security changes over the evolution of the project. Furthermore, non-expert programmers from the scientific community can use the documentation automatically generated by the framework to understand the severity of the detected issues and the code changes necessary to fix them. The project has the potential to revolutionize how developers monitor the evolution of their systems in continuous integration environments by unifying the detection and correction of security and quality issues and enabling their automated documentation.

All tools and methodologies will be empirically evaluated in collaboration with scientists from various domains. These tools will enable more scientists to build better software and transfer their prototypes to industry by following best development practices.

This award reflects NSF's statutory mission and has been deemed worthy of support through evaluation using the Foundation's intellectual merit and broader impacts review criteria.

All Grantees

Regents of the University of Michigan - Dearborn
