Skip directly to content

Minimize RSR Award Detail

Research Spending & Results

Award Detail

Awardee:NORTH CAROLINA STATE UNIVERSITY
Doing Business As Name:North Carolina State University
PD/PI:
  • Laurie Williams
  • (919) 513-4151
  • williams@csc.ncsu.edu
Co-PD(s)/co-PI(s):
  • Bradley Reaves
Award Date:06/11/2021
Estimated Total Award Amount: $ 399,708
Funds Obligated to Date: $ 399,708
  • FY 2021=$399,708
Start Date:07/01/2021
End Date:06/30/2024
Transaction Type:Grant
Agency:NSF
Awarding Agency Code:4900
Funding Agency Code:4900
CFDA Number:47.070
Primary Program Source:040100 NSF RESEARCH & RELATED ACTIVIT
Award Title or Description:SaTC: CORE: Small: Risk-based Secure Checked-in Credential Reduction for Software Development
Federal Award ID Number:2055554
DUNS ID:042092122
Parent DUNS ID:142363428
Program:Secure &Trustworthy Cyberspace
Program Officer:
  • Sol Greenspan
  • (703) 292-7841
  • sgreensp@nsf.gov

Awardee Location

Street:2601 Wolf Village Way
City:Raleigh
State:NC
ZIP:27695-7514
County:
Country:US
Awardee Cong. District:04

Primary Place of Performance

Organization Name:North Carolina State University
Street:
City:
State:NC
ZIP:27695-8206
County:Raleigh
Country:US
Cong. District:02

Abstract at Time of Award

Similar to human users, software relies heavily on the use of credentials, like passwords, to prove identity and rights to access resources. During software development, software engineers may need to share these software credentials, and operators who deploy the software will often need to distribute these credentials securely to servers. Engineers may take the path of least resistance which includes storing credentials -- keys, database connection strings, certificates, usernames and passwords -- in distributed version control systems used to manage software development. This type of storage makes accessing and distributing these credentials more convenient but also creates the very real hazard that they will be leaked to the public or to insider threats. This project will develop an understanding of how software engineers choose to manage credentials, and will develop techniques, tools, and datasets to better detect credential leaks and to prioritize credential removal based on the risks that disclosure of the credential would create. This project will include a mixed-methods investigation of the interplay of functional and security concerns on the software engineer's overall decision-making strategy for protecting or revealing credentials in software artifacts. This project will inform our approach to improve the ability of static analysis tools to detect more credentials with a lower false positive rate. Additionally, the project will identify the asset being protected by the credential, which will enable an automated or semi-automated risk estimation. Finally, the project will lead to the creation and evaluation of new techniques for securely storing and sharing secrets among project teams and in a system. This award reflects NSF's statutory mission and has been deemed worthy of support through evaluation using the Foundation's intellectual merit and broader impacts review criteria.

For specific questions or comments about this information including the NSF Project Outcomes Report, contact us.