Charles River Analytics won a Small Business Innovation Research (SBIR) Phase 1 contract from the Department of Defense (DoD) to develop a tool to automate the software compliance evaluation process and aid quality assurance professionals.
The contract began in December 2021 and work was completed in June 2022.
The Missile Defense Agency (MDA) mission utilizes software to defend friends and allies from threat missile attacks. To ensure that software works as it should and that designs are as secure as possible, the agency publishes an extensive set of guidelines—the MDA Assurance Provisions (MAP)—for developers to follow.
The process of ensuring that software meets MAP guidelines can be complex. To address that complexity, Charles River developed the Software Lifecycle Integrated Compliance Keeper (SLICK), which integrates with the software development environment and automatically verifies whether source code is MAP compliant.
The goal, explains Kenny Lu, Scientist at Charles River Analytics and Principal Investigator of SLICK, was to create a tool with three components:
- A rules definition framework that includes machine-readable MAP compliance rules
- A compliance monitor that ensures these rules are followed
- A context-aware compliance recommender that makes recommendations for corrections with minimum workflow disruption
The SLICK effort encoded the MAP compliance rules in machine-readable form and produced a plug-in for Eclipse, a Java development environment, that monitors MAP compliance in real time as code is written.
“By reducing some of the tedious work related to manual code inspection, SLICK reduces time spent on software quality assurance and reduces errors. At the same time, it keeps quality assurance engineers in the loop,” Lu says. “We’re not replacing the developmental operations engineer or code reviewers but making them more productive and empowering them with this tool.”
SLICK is well suited to the blistering pace of today’s agile software development cycles, Lu says. “By shifting code-reviewing to the left and also semi-automating the process, it maintains the spirit of agile development in that you can push out features as quickly and with as good quality as possible,” Lu says.
SLICK stands apart from its competitors by including a human cognitive model in its recommender engine. Instead of highlighting every single compliance violation, which can frustrate developers and interrupt their process, SLICK takes developer behavior into consideration. It highlights only those errors that are missed within the context of the current workflow. “Over time, developers who fix the same noncompliance errors over and over again might also learn to make fewer of those mistakes,” Lu says.
Commercialization possibilities extend to verticals like cybersecurity and to turning SLICK into a general-purpose plug-in for additional integrated development environments (IDEs) like PyCharm (for Python programming) and Visual Studio.
Lu says that the move toward expanding program analysis capabilities has been gaining increasing traction at Charles River. “Better tools for building better software are going to be critical,” Lu says. “They will be essential for building better artificial intelligence and machine learning tools in the future.”
Contact us to learn more about SLICK and our capabilities in cybersecurity.
This material is based upon work supported by the Missile Defense Agency under Contract No. HQ0860-22-C-7005. Any opinions, findings and conclusions or recommendations expressed in this material are those of the author(s) and do not necessarily reflect the views of the Missile Defense Agency.