Software Engineering Institute

Increasingly, software systems are composed at runtime. Yet, the impact of runtime composition on design quality is unknown. Static analysis, a state-of-the-practice approach, has demonstrated that dependency-caused design hotspots make security vulnerabilities more likely, but it does not detect the effect of dynamic dependencies. In this work, we are creating tooling to identify dynamic dependencies as well as other information that is not available via static, parsing-based approaches, to both determine and augment the information that is missing in static approaches. One transition opportunity for DoD is envisioned to be extensions to the open standard-based 18F project on Compliance Masonry for automate production of Authority to Operation (ATO) documentation.