A Northport technology company has won a Defense Department contract worth as much as $1.2 million to study factors that could give rise to security holes in software.
Secure Decisions, a division of Applied Visions Inc., announced this week that it was selected by the Defense Advanced Research Projects Agency to research how developers’ work conditions — such as team size, tight deadlines and late hours — may contribute to making software vulnerable to hackers.
The Small Business Innovation Research contract is worth $175,000 during the first six months, $50,000 if approved for the following three months and $1 million for an additional two years if the company wins a contract for Phase 2 research.
Anita D’Amico, director of Secure Decisions and principal investigator on the project, said the research could be used by developers of any major software project to zero in on parts of the code most likely to contain vulnerabilities.
“There’s so much code, they don’t know where to look first,” she said. “Findings from the study will cue them where to look.”
The research also could offer guidance to software companies on designing the work environment, such as optimal team size and the best hours to schedule employees.
“People perform better at certain times of the day because of their circadian rhythms,” D’Amico said. “Work that’s performed after 11 o’clock at night is hampered because your biological clock is not primed.”
In the software community, D’Amico said, coders often contend that tight deadlines can lead to insecure products. “Do you want it to be secure or do you want it delivered on time?” she said of a typical warning.
Software security holes offer a path for attacks by hackers. Forty percent of data breaches occur when hackers attack a web application whose vulnerabilities were baked in during development, according to the 2016 Verizon Data Breach report.
In the initial stage, D’Amico’s researchers will analyze parts of the code written for the Chromium web browser, the open-source project that provides the foundation for Google Chrome.
Chromium’s software was written by volunteers and its software repository includes publicly disclosed vulnerabilities that were later patched.
The researchers will consider when and how vulnerabilities were introduced.
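As an added illustration of the kind of analysis described here (this is not Secure Decisions’ method or code, and the commit records are constructed, not real Chromium history), the following script takes `git log`-style lines with author timestamps, uses a hypothetical mapping from vulnerability-fixing commits to the commits that introduced the bugs, and compares how often late-night commits turn out to have introduced a vulnerability versus daytime commits. The hour boundaries (23:00 to 06:00) and the `INTRODUCED_BY` mapping are assumptions chosen for the example.

```python
from collections import defaultdict
from datetime import datetime

# Constructed sample in the shape of `git log --format='%H|%aI|%s'` output.
# Hashes, times and messages are invented for this example; not Chromium data.
SAMPLE_LOG = """\
a1|2016-03-01T09:15:00-07:00|Refactor URL parser
a2|2016-03-01T23:40:00-07:00|Add fast path for cookie parsing
a3|2016-03-02T14:05:00-07:00|Tidy comments
a4|2016-03-03T01:10:00-07:00|Handle empty header list
a5|2016-03-04T10:30:00-07:00|Fix out-of-bounds read in cookie parsing (regressed in a2)
a6|2016-03-05T00:45:00-07:00|Speed up header lookup
a7|2016-03-06T11:00:00-07:00|Fix null deref in header handling (regressed in a4)
"""

# Hypothetical result of tracing each vulnerability fix back to the commit that
# introduced the flaw (in practice produced by blame/bisect-style analysis).
INTRODUCED_BY = {"a5": "a2", "a7": "a4"}

# Assumed definition of "late night": author local time from 23:00 up to 06:00.
LATE_START_HOUR = 23
LATE_END_HOUR = 6


def parse_log(text):
    """Parse 'hash|ISO-8601 author date|subject' lines into dicts."""
    commits = []
    for line in text.splitlines():
        if not line.strip():
            continue
        sha, when, subject = line.split("|", 2)
        # fromisoformat keeps the author's UTC offset, so .hour is local wall-clock time.
        authored = datetime.fromisoformat(when)
        commits.append({"sha": sha, "authored": authored, "subject": subject})
    return commits


def shift_for(authored):
    """Classify a commit by the author's local hour."""
    hour = authored.hour
    if hour >= LATE_START_HOUR or hour < LATE_END_HOUR:
        return "late_night"
    return "daytime"


def vulnerability_rate_by_shift(commits, introduced_by):
    """Return {shift: (introducing_commits, total_commits)} for each shift."""
    introducing = set(introduced_by.values())
    totals = defaultdict(lambda: [0, 0])
    for c in commits:
        shift = shift_for(c["authored"])
        totals[shift][1] += 1
        if c["sha"] in introducing:
            totals[shift][0] += 1
    return {shift: tuple(pair) for shift, pair in totals.items()}


if __name__ == "__main__":
    rates = vulnerability_rate_by_shift(parse_log(SAMPLE_LOG), INTRODUCED_BY)
    for shift, (bad, total) in sorted(rates.items()):
        print(f"{shift:10s} {bad}/{total} commits introduced a later-patched vulnerability")
```

On the constructed data the late-night bucket contains three commits, two of which introduced a later-patched flaw, while none of the four daytime commits did; on a real repository the same shape of comparison would be run over thousands of commits, and the interesting question is whether the gap persists once team size, file churn and reviewer load are controlled for.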
Another complaint of software writers is that frequent interruptions lead to errors. D’Amico said that in a later phase her researchers will observe developers as they write code, looking at interruptions, their social networks, team dynamics and other factors that can’t be gleaned from the data trail of the Chromium code.
D’Amico said three Secure Decisions employees will work on the project along with a professor and two students at the Rochester Institute of Technology.
DARPA is an agency of the Defense Department that has been funding emerging technologies since the Eisenhower administration. It has played a role in developing the modern internet, global-positioning satellites and missile-defense systems.
Applied Visions, with 65 employees, develops custom software applications for businesses.
D’Amico earned a doctorate in experimental psychology from Adelphi University in the 1980s and since then has been studying factors that affect human performance. At Grumman Corp. and its successor, Northrop Grumman Corp., she worked on the displays and controls for the remote manipulator arms on the International Space Station. She also headed Northrop Grumman’s first information warfare product team in Bethpage.
She said the DARPA project melds her experience in the software business with her background in psychology.
“I’ve been wanting to do something like this for two or three years to use my background in psychology,” she said.