Abstract:As our lives, our businesses, and indeed our world economy become increasingly reliant on the secure operation of many interconnected software systems, the software engineering research community is faced with unprecedented research challenges, but also with exciting new opportunities. In this roadmap paper, we outline our vision of Software Security Analysis for the software systems of the future. Given the recent advances in generative AI, we need new methods to evaluate and maximize the security of code co-written by machines. As our software systems become increasingly heterogeneous, we need practical approaches that work even if some functions are automatically generated, e.g., by deep neural networks. As software systems depend evermore on the software supply chain, we need tools that scale to an entire ecosystem. What kind of vulnerabilities exist in future systems and how do we detect them? When all the shallow bugs are found, how do we discover vulnerabilities hidden deeply in the system? Assuming we cannot find all security flaws, how can we nevertheless protect our system? To answer these questions, we start our research roadmap with a survey of recent advances in software security, then discuss open challenges and opportunities, and conclude with a long-term perspective for the field.

What problem does this paper attempt to address?

The main problem that this paper attempts to solve is how to ensure the security of software systems in the future when they are becoming increasingly complex and relying on automated tools (such as generative AI). Specifically, the paper focuses on the following key issues: 1. **Security assessment of auto - generated code**: - With the development of generative AI, more and more code is generated by machines. This brings new challenges: how to assess and maximize the security of machine - generated code? - Formula representation: Suppose the machine - generated code is \( C_{\text{ML}} \), we need to develop methods to assess its security, that is: \[ S(C_{\text{ML}})=f(C_{\text{ML}}) \] where \( S \) represents the security scoring function and \( f \) is a complex assessment function. 2. **Security analysis of heterogeneous systems**: - Modern software systems are becoming more and more diverse and may contain different programming languages, type safety, and machine - learning models, etc. How to conduct effective security analysis in such a heterogeneous environment? - Formula representation: For a system \( S=\{C_1,C_2,\cdots,C_n\} \) composed of multiple components, where each component \( C_i \) may have different characteristics (such as memory safety, type safety, etc.), we need to find a comprehensive assessment method: \[ S(S) = g(C_1,C_2,\cdots,C_n) \] where \( g \) is a comprehensive assessment function. 3. **Security of the software supply chain**: - Software systems are increasingly relying on third - party components and libraries. How to ensure the security of the entire supply chain? Especially when some components may come from untrusted sources or contain known vulnerabilities. - Formula representation: Suppose a software system \( S \) depends on multiple third - party components \( T = \{T_1,T_2,\cdots,T_m\} \), we need to assess the security of each component and consider them comprehensively: \[ S(S)=h(T_1,T_2,\cdots,T_m) \] where \( h \) is a supply - chain security assessment function. 4. **Deep - level vulnerability detection**: - When shallow vulnerabilities are discovered, how to discover the vulnerabilities hidden deep in the system? Especially when the system is becoming more and more complex. - Formula representation: Suppose the vulnerability distribution in the system is \( V=\{V_1,V_2,\cdots,V_k\} \), we need to develop methods to detect deep - level vulnerabilities \( V_d \): \[ D(V_d)=i(V) \] where \( D \) is the deep - level vulnerability detection function and \( i \) is a complex detection algorithm. 5. **Protect the system from unknown threats**: - Suppose we cannot find all security vulnerabilities, how to protect the system from potential threats? - Formula representation: Suppose the protection measures of the system are \( P \), we need to develop strategies to maximize the security of the system: \[ P(S)=j(S) \] where \( j \) is a protection strategy function. In summary, this paper aims to provide a research roadmap for future software security analysis, focusing on solving new challenges brought by generative AI, the security of heterogeneous systems, the security of the software supply chain, deep - level vulnerability detection, and system protection strategies, etc.

Software Security Analysis in 2030 and Beyond: A Research Roadmap

Programmable System Security in a Software Defined World–Research Challenges and Opportunities

Position: How Regulation Will Change Software Security Research

Saltzer & Schroeder for 2030: Security engineering principles in a world of AI

Software Security during Modern Code Review: The Developer's Perspective

A Survey of Automatic Software Vulnerability Detection, Program Repair, and Defect Prediction Techniques

A Secure Future for Open-Source Computational Science and Engineering

Automated Software Testing Starting from Static Analysis: Current State of the Art

Toward a Research Software Security Maturity Model

Secure Software Development: Issues and Challenges

Software and Cyber Security-A Survey

Fundamental Challenges in Cybersecurity and a Philosophy of Vulnerability-Guided Hardening

Data-Driven Software Security: Models and Methods

Towards a More Systematic Approach to Secure Systems Design and Analysis

Understanding Software Security from Design to Deployment

Future Scenarios and Challenges for Security and Privacy

A comprehensive analysis on software vulnerability detection datasets: trends, challenges, and road ahead

Towards Automated Continuous Security Compliance

Formal security analysis for software architecture design: An expressive framework to emerging architectural styles

A Research Ecosystem for Secure Computing

Security for Machine Learning-based Software Systems: a survey of threats, practices and challenges