Points of View: Software Assurance

Software Assurance (SwA) is a major area of concern for our systems: now that the Department of Defense (DoD) has hardened the networks and operating system platforms, the threat focuses more on mission applications than on the infrastructure. Among other things, this means that mission applications need to be carefully verified for compliance with the information assurance controls that outline the essential discipline required to survive on the modern cyber battlefield. The fact is that even a very mature developer, one rated at Capability Maturity Model Integration (CMMI) level 5, will often use open source or commercial software they did not write. They may include software from vendors with a risky pedigree, or they may have programmers, either on their own staff or on the staff of their suppliers, who are not really current on how to write secure code.

In order to address these issues, developers and maintainers of software need to implement processes and independent validation routines that will “bake security in” to the software that soldiers need. This is not just about meeting information assurance or security requirements to achieve approval to operate; it is about improving the reliability, integrity, and maintainability of software. If the software fails under attack, it means more than just that a security requirement was not met.

Therefore, code analysis needs to go beyond just peer review. Moreover, validation of software performance needs to go beyond “black box” functional testing. What developers really need is an independent software quality assessment regimen. This regimen will use independent and qualified software professionals who apply not only effective static code analysis tools but also plain good judgment to check the source code. These professionals provide useful metrics and “actionable recommendations” back to both developers and their managers. This allows improvements not just to the code, but to the technique used to write the applications in the first place.

Educating your programmers on the Defense Information Systems Agency (DISA) Security Technical Implementation Guide (STIG) for applications and teaching them how to apply these practices could potentially save your organization from running into problems in both deployment and daily operations. The enemy gets a vote, and this means the enemy will attack your mission applications without mercy. They are in it to win as much as we are!

Recent events have shown how even outstanding organizations with prestigious track records can be seriously compromised by adversaries attacking the soft underbelly of our systems. Acquisition professionals need to ensure that contracts, service level agreements, and performance objectives clearly address software assurance so that the bar is properly set for the effective development, deployment, and maintenance of mission applications.

- Frank Mayer

Frank Mayer is the Acting Deputy Director of Software Support Services at SEC and a retired Lieutenant Colonel in the Army Reserve.