Case Study: How Mayhem Revolutionized U.S. Department of Defense Weapon Systems Security

The U.S. Department of Defense (DoD) is responsible for billions of dollars in safety-critical equipment and missions. A single flaw in a system not only costs money, but puts missions and lives at risk.

The DoD has recently moved to embrace cyber as a new domain of warfare, and with that came the requirement to check weapon systems’ applications dynamically. A comprehensive software security solution was needed for some of the most critical systems across multiple branches of the DoD.

In this blog post, learn how the DoD hand-picked Mayhem as the best solution to autonomously test their critical weapon systems applications for vulnerabilities, formulate patches, and deploy them in real time on network.

‍

The DoD’s Software Security Challenges 

In 2018, the U.S. Government Accountability Office (GOA) reported that there were mounting challenges in protecting DoD weapon systems from increasingly sophisticated attacks: “This state is due to the computerized nature of weapon systems, the DoD’s late start in prioritizing weapon systems cybersecurity, and DoD’s nascent understanding of how to develop more secure weapon systems. DoD weapon systems are more software dependent and more networked than ever before.”

As the DoD recognized cyber warfare as a new domain, they recognized the need for additional software security testing that would provide results quickly. 

They faced several challenges, including:

1. They struggled to find an automatic defense system capable of identifying vulnerabilities, formulating patches, and deploying them in real time on a network. 
2. Their delayed prioritization of weapon system security had created a critical need to find an autonomous software security solution with an accelerated time-to-value to address emerging weapon system security issues within select critical missions.
3. DoD organizations buy separately and have different missions. They needed a solution that would work between multiple organizations and missions. 

To address these challenges, the DoD sought to develop a DevSecOps approach across organizations. They needed to find a tool that would satisfy DevSecOps requirements, provide value quickly, and that was truly automated,  meaning it could identify vulnerabilities, formulate, and deploy patches on the network in real time.

‍

Finding a Solution

The demand for automated, scalable, and rapid vulnerability detection and patching is not isolated to the DoD. There is a rapidly increasing number of IoT systems, ranging from household appliances to critical military platforms, that have a need for automated security testing. Up until recently, the process of identifying and addressing bugs, security breaches, and other cyber threats remained manual.

In 2016, DARPA initiated the Cyber Grand Challenge (CGC) to address the need for automated defense systems. The CGC aimed to speed the development of automatic defense systems with the ability to detect flaws, create patches, and implement them on a network in real-time.

Among the competitors was ForAllSecure’s computer reasoning system, Mayhem, which took first place amongst 110 teams that were competing. 

Mayhem’s performance in the DARPA Cyber Grand Challenge showed fully autonomous security was possible. Mayhem “tests like a hacker” to find exploits. Mayhem is faster, more accurate, and less expensive than manual approaches and is truly automated, because it is not necessary for humans to double check the results.

The key components that formulated Mayhem’s winning approach included:

• Discovery/Vulnerability Identification: Mayhem automatically found new vulnerabilities in commercial-off-the-shelf (COTS) software, even without developer participation.
• Patching: Mayhem automatically hardens programs.
• Strategy: The goal of cyber is to beat the attacker while still meeting mission and business objectives. Mayhem delivers by focusing on usability and integration into the development pipeline. 

‍

Introducing Mayhem to The DoD

The 2017 Senate Appropriations Committee Department of Defense Appropriations Bill suggested that the DoD explore “automated exploit generation and vulnerability identification… such as those exemplified in the Cyber Grand Challenge.”

The Defense Innovation Unit (DIU), an organization within the DoD focused on accelerating the adoption of commercial technology at speed and scale, launched “Project Voltron” to find out if commercial “cyber reasoning” could be used to find and remediate previously unknown vulnerabilities in DoD weapon systems. 

In 2020, after the DIU recognized Mayhem by ForAllSecure as a potential solution to the weapons system security problem, ForAllSecure was awarded a contract of up to $45 million with the Defense Innovation Unit (DIU) for Project Voltron. 

The partnership between Mayhem and the DoD was leveraged to design Mayhem after the DoD’s needs, allowing Mayhem to be rapidly and meaningfully iterated and improved upon using direct feedback from critical users, leading to a much accelerated time to value. 

The Result

The DoD has expanded Mayhem’s software solution into some of their most critical systems. Over a dozen DoD organizations leverage Mayhem for their operational cyber programs and to help them meet MDA and NIST guidelines. Mayhem has helped the DoD achieve its mission to test critical software, including weapon systems, both with and without developer participation. 

‍

Mayhem Beyond Federal

With its ability to automatically find exploitable bugs before attackers can, Mayhem is what modern application security looks like. 

Since being contracted by the federal government, Mayhem has found other markets where software can make or break the mission, such as in aerospace, automotive, and core internet infrastructure.

‍

{code-cta}

‍