Application Software Assurance Center of Excellence Relies on Professionalized Teams to Train Air Force Programmers in Securing the SDLC
Introduction

Air Force computer system programmers and application developers are extremely effective at writing code for new software applications that support the larger mission, but until recently, most had never been trained in integrating and building any kind of security into the software development life cycle (SDLC). That's where the Air Force's Application Software Assurance Center of Excellence (ASACoE) comes in.

This small organization was first established in 2005 after a hacker exploited a weakness in the background code of a major Air Force personnel system and compromised more than 30,000 personnel records. Today, it is tasked with training Air Force programmers on how to recognize the vulnerabilities and threats that can be designed into software design or inserted at any point in the lifecycle, whether accidentally or intentionally, and providing the tools and techniques that will help programmers identify, prioritize and mitigate those threats.

To date, ASACoE personnel have trained nearly 1,700 programmers in software threats, risk mitigation, proper coding techniques and automated tool usage and assessed more than 900 applications and 150 million lines of code at nearly 250 Air Force program development offices across the country.

The organization has five traveling vulnerability analysis teams, all of whom are encouraged to obtain a professional certification in software development lifecycle security, though the organization does not endorse any one commercial credential over another. Currently, nearly all team members have taken a refresher course in the Certified Secure Software Lifecycle Professional (CSSLP) credential from (ISC)² and plan to take the exam necessary to obtain professional certification.

Master Sgt. William P.
Tooke, superintendent of ASACoE, who already holds the CSSLP credential, says that although ASACoE personnel are recognized as subject matter experts in application security, having a professional certification gives them an extra aura of knowledgeable authority as they begin working with new customers.

"Our team leads are all non-commissioned officers (NCOs) in the Air Force, which in the big picture, means that they're low ranking," explains Master Sgt. Tooke. "So when they travel out for an assessment and they're telling someone that their baby is ugly, so to speak, that their systems are insecure, they are sometimes sitting across the table from a colonel or a GS14 or GS15. Having that certification gives us a little more credibility and gives them a little bit of added trust that we really do know what we're talking about."
Addressing New Realities

Application vulnerabilities are now considered the No. 1 threat among information security professionals, according to the 2011 Global Workforce Study, a Frost & Sullivan market survey sponsored by (ISC)². And information security experts have estimated that 90 percent of all reported security incidents result from exploits against defects in the design or code of software.

Of course, there have always been threats by people who want to infiltrate DoD systems or do harm to the United States, and vulnerabilities are inherent in software. "Software is developed by human beings and so it's going to have bugs, especially if you're using untrained people or those without a lot of experience," says Capt. Nicolas A. Aquino, chief technology officer (CTO) for ASACoE. "With the advent of cloud computing, mobile devices and other advancements, however, there has been a spike in the number of vulnerabilities because the software is being developed at such a rapid pace, with a lot of competition just to field the latest and greatest. At the same time, attackers are getting much more savvy."

Despite these realities, ASACoE personnel have to spend much of their time raising awareness within the Air Force and the larger Department of Defense about the need to apply secure software practices during the application development process.

"Whereas traditional information assurance focuses on building perimeter defenses around data and systems housing data, the focus of software assurance is on integrating and building security into applications," explains Capt. Aquino. "This means changing how security is viewed currently, which is as an afterthought, to the ideal in which it's an integral part of the entire system's security from Day One."

The organization's five traveling vulnerability assessment teams provide a standard training process when they meet with a program development office.
During the first week at a customer site, they offer a crash course in software assurance to make sure that developers and program managers know, first and foremost, the reality of the threats that exist in software and how to mitigate those vulnerabilities, says Master Sgt. Tooke.

During the second week of training, the ASACoE team helps assess Air Force systems for insecurities. These can include legacy and commercial-off-the-shelf applications and those still under development. They then train programmers and developers on how to use a suite of automated tools that ASACoE provides.

"Having the tools really helps make the process go quicker and narrows down their search," Capt. Aquino explains. "Because in trying to go through a million lines of code manually, you may not notice a single character being off but the reality is that one character being off could pose a great, great threat to the overall system."

Once personnel are utilizing the tools and other best practices provided to them, the ASACoE team continues to support the unit over another two-week period. During that timeframe, they'll complete the triage assessment report, augment remediation efforts when feasible, conduct follow-up reviews
and continue to help fine-tune programmer and developer understanding of ASACoE processes, tools and best practices. ASACoE also acts as a central repository of information on software assurance threats, trends and successful mitigations.

"We don't just leave and wish them good luck," says Capt. Aquino. "We give them a list of suggestions to help them continue to move forward; we recommend that they get together with all of their stakeholders and we'll usually recommend changes to their SDLC."

ASACoE's ultimate goal in their training is to convince program offices to fully integrate software assurance into their SDLC.

"The Project Management Officers that have been the most successful have embraced the entire process that we've helped them establish, or they've established their own based on our model," says Master Sgt. Tooke. "But we've also had the unsuccessful stories where the PMOs just wanted us to be a cure-all, to be there as a box to check, but not necessarily to embrace what we've equipped them and trained them to do."

People Skills

Although tools and process are critical to bolstering security throughout the entire application lifecycle, the most critical resource in effectively securing applications is the workforce itself, according to Master Sgt. Tooke.

"People are vitally important to the entire process," he states. "You need people to design the architecture and the initial code, and from a triaging and vulnerability standpoint, you need to have people backing that up as well. The automated tools may find vulnerabilities, but they can turn out to be false positives or false negatives, so you need someone with the knowledge and the judgment to recognize the difference."

Well-trained programmers are also able to whittle down the massive amount of information that automated tools collect and turn it into something that is manageable.
An automated tool can help you catch the vulnerabilities or coding errors, but you still need someone to decide, "Hey, these vulnerabilities have a higher likelihood of exploitation but these other ones are not as likely to be exploited" and then prioritize accordingly.

For this reason, ASACoE personnel encourage programmers and developers at customer sites to continue advancing their knowledge level.

"We think it's really important for them to pursue the type of security training that programmers in the Air Force don't get right now, whether that involves going for a professional certification, enrolling in a commercial course or simply engaging in self-study," says Capt. Aquino. "Any kind of supplemental training would be of benefit to them."

And in fact, ASACoE is working with a functional manager within Air Force Human Resources to try to incorporate and mandate software assurance training at every level of the Computer Systems Programmer career field, from apprentice to senior-level manager. Aquino says this is especially critical in light of the fact that there is an internal push to rely even more
heavily on blue suit Air Force programmers in developing new applications.

"We're the ones with the security clearances and so we're a little bit more trusted than going out and hiring someone from outside the organization to come in and code a new system for us," he explains.

Bottom-line Benefits

When well-trained, knowledgeable personnel apply information security best practices to application development from start to finish, the benefits are numerous. Among these are clear cost savings, according to Aquino. If a software programmer is able to discover and fix a routine security vulnerability during the code design process, the cost is roughly $25 per vulnerability. By contrast, if that same vulnerability is not discovered until after the system is actually fielded, the cost jumps to $16,000. And then there's the case of a major Air Force weapons system that was able to avoid an estimated $500 million in rework and recycle costs because an ASACoE team helped catch a large number of hacker-prone vulnerabilities before the release and support phase.

Other benefits include better budgeting and forecasting for stakeholders, an easier certification and accreditation process for legacy systems, protection of the Air Force brand and an increase in the overall performance, reliability and code quality of application software.

"It's really about inherently making your code and your systems more and more secure, which makes it harder for the attackers to do any damage and greatly enhances national security," says Master Sgt. Tooke. "Our most important achievements have been helping our customers produce more secure, higher-quality software."

In light of these benefits, ASACoE's work is getting attention and requests for help from other organizations that want to incorporate software security into their application development processes.
"We have worked with our sister services, DoD and other Federal agencies to build comprehensive knowledge and processes across the DoD," says Master Sgt. Tooke. "Our processes have been utilized as a model for the other services and agencies to follow."

And its work to increase awareness and knowledge among military programmers will continue. ASACoE will ultimately become a charter member of the still-being-developed DoD Software Assurance Community of Practice, which will be responsible for crafting software assurance governance and guidance for the entire DoD.

"Ultimately, we say that we want to work ourselves out of a job," says Aquino. "When we do, that will mean that the Air Force no longer needs ASACoE because its development offices, both government and commercial, are effectively creating and delivering secure software by following a risk-based approach to addressing threats and vulnerabilities," says Aquino. "This will take some time, but it should not be an unreasonable goal."
www.isc2.org