Application Software Assurance Center of Excellence Relies on Professionalized Teams to Train Air Force Programmers in Securing the SDLC

Introduction

Air Force computer system programmers and application developers are extremely effective at writing code for new software applications that support the larger mission, but until recently, most had never been trained in integrating and building any kind of security into the software development life cycle (SDLC). That's where the Air Force's Application Software Assurance Center of Excellence (ASACoE) comes in.

This small organization was first established in 2005 after a hacker exploited a weakness in the background code of a major Air Force personnel system and compromised more than 30,000 personnel records. Today, it is tasked with training Air Force programmers on how to recognize the vulnerabilities and threats that can be built into a software design or inserted at any point in the lifecycle, whether accidentally or intentionally, and with providing the tools and techniques that will help programmers identify, prioritize and mitigate those threats.

To date, ASACoE personnel have trained nearly 1,700 programmers in software threats, risk mitigation, proper coding techniques and automated tool usage, and have assessed more than 900 applications and 150 million lines of code at nearly 250 Air Force program development offices across the country.

The organization has five traveling vulnerability analysis teams, all of whom are encouraged to obtain a professional certification in software development lifecycle security, though the organization does not endorse any one commercial credential over another. Currently, nearly all team members have taken a refresher course in the Certified Secure Software Lifecycle Professional (CSSLP) credential from (ISC)² and plan to take the exam necessary to obtain professional certification.

Master Sgt. William P. Tooke, superintendent of ASACoE, who already holds the CSSLP credential, says that although ASACoE personnel are recognized as subject matter experts in application security, having a professional certification gives them an extra aura of knowledgeable authority as they begin working with new customers.

"Our team leads are all non-commissioned officers (NCOs) in the Air Force, which in the big picture, means that they're low ranking," explains Master Sgt. Tooke. "So when they travel out for an assessment and they're telling someone that their baby is ugly, so to speak, that their systems are insecure, they are sometimes sitting across the table from a colonel or a GS14 or GS15. Having that certification gives us a little more credibility and gives them a little bit of added trust that we really do know what we're talking about."

Addressing New Realities

Application vulnerabilities are now considered the No. 1 threat among information security professionals, according to the 2011 Global Workforce Study, a Frost & Sullivan market survey sponsored by (ISC)². And information security experts have estimated that 90 percent of all reported security incidents result from exploits against defects in the design or code of software.

Of course, there have always been threats by people who want to infiltrate DoD systems or do harm to the United States, and vulnerabilities are inherent in software. "Software is developed by human beings and so it's going to have bugs, especially if you're using untrained people or those without a lot of experience," says Capt. Nicolas A. Aquino, chief technology officer (CTO) for ASACoE. "With the advent of cloud computing, mobile devices and other advancements, however, there has been a spike in the number of vulnerabilities because the software is being developed at such a rapid pace, with a lot of competition just to field the latest and greatest. At the same time, attackers are getting much more savvy."

Despite these realities, ASACoE personnel have to spend much of their time raising awareness within the Air Force and the larger Department of Defense about the need to apply secure software practices during the application development process.

"Whereas traditional information assurance focuses on building perimeter defenses around data and systems housing data, the focus of software assurance is on integrating and building security into applications," explains Capt. Aquino. "This means changing how security is viewed currently, which is as an afterthought, to the ideal in which it's an integral part of the entire system's security from Day One."

The organization's five traveling vulnerability assessment teams provide a standard training process when they meet with a program development office. During the first week at a customer site, they offer a crash course in software assurance "to make sure that developers and program managers know, first and foremost, the reality of the threats that exist in software and how to mitigate those vulnerabilities," says Master Sgt. Tooke.

During the second week of training, the ASACoE team helps assess Air Force systems for insecurities. These can include legacy and commercial-off-the-shelf applications and those still under development. They then train programmers and developers on how to use a suite of automated tools that ASACoE provides.

"Having the tools really helps make the process go quicker and narrows down their search," Capt. Aquino explains. "Because in trying to go through a million lines of code manually, you may not notice a single character being off, but the reality is that one character being off could pose a great, great threat to the overall system."

Once personnel are utilizing the tools and other best practices provided to them, the ASACoE team continues to support the unit over another two-week period. During that timeframe, they'll complete the triage assessment report, augment remediation efforts when feasible, conduct follow-up reviews and continue to help fine-tune programmer and developer understanding of ASACoE processes, tools and best practices. ASACoE also acts as a central repository of information on software assurance threats, trends and successful mitigations.

"We don't just leave and wish them good luck," says Capt. Aquino. "We give them a list of suggestions to help them continue to move forward; we recommend that they get together with all of their stakeholders and we'll usually recommend changes to their SDLC."

ASACoE's ultimate goal in its training is to convince program offices to fully integrate software assurance into their SDLC. "The Project Management Officers that have been the most successful have embraced the entire process that we've helped them establish, or they've established their own based on our model," says Master Sgt. Tooke. "But we've also had the unsuccessful stories where the PMOs just wanted us to be a cure-all, to be there as a box to check, but not necessarily to embrace what we've equipped them and trained them to do."

People Skills

Although tools and process are critical to bolstering security throughout the entire application lifecycle, the most critical resource in effectively securing applications is the workforce itself, according to Master Sgt. Tooke.

"People are vitally important to the entire process," he states. "You need people to design the architecture and the initial code, and from a triaging and vulnerability standpoint, you need to have people backing that up as well. The automated tools may find vulnerabilities, but they can turn out to be false positives or false negatives, so you need someone with the knowledge and the judgment to recognize the difference."

Well-trained programmers are also able to whittle down the massive amount of information that automated tools collect and turn it into something that is manageable. "An automated tool can help you catch the vulnerabilities or coding errors, but you still need someone to decide, 'Hey, these vulnerabilities have a higher likelihood of exploitation but these other ones are not as likely to be exploited,' and then prioritize accordingly."

For this reason, ASACoE personnel encourage programmers and developers at customer sites to continue advancing their knowledge level. "We think it's really important for them to pursue the type of security training that programmers in the Air Force don't get right now, whether that involves going for a professional certification, enrolling in a commercial course or simply engaging in self-study," says Capt. Aquino. "Any kind of supplemental training would be of benefit to them."

In fact, ASACoE is working with a functional manager within Air Force Human Resources to try to incorporate and mandate software assurance training at every level of the Computer Systems Programmer career field, from apprentice to senior-level manager. Aquino says this is especially critical in light of the fact that there is an internal push to rely even more heavily on "blue suit" Air Force programmers in developing new applications. "We're the ones with the security clearances and so we're a little bit more trusted than going out and hiring someone from outside the organization to come in and code a new system for us," he explains.

Bottom-line Benefits

When well-trained, knowledgeable personnel apply information security best practices to application development from start to finish, the benefits are numerous. Among these are clear cost savings, according to Aquino. If a software programmer is able to discover and fix a routine security vulnerability during the code design process, the cost is roughly $25 per vulnerability. By contrast, if that same vulnerability is not discovered until after the system is actually fielded, the cost jumps to $16,000.

And then there's the case of a major Air Force weapons system that was able to avoid an estimated $500 million in rework and recycle costs because an ASACoE team helped catch a large number of hacker-prone vulnerabilities before the release and support phase.

Other benefits include better budgeting and forecasting for stakeholders, an easier certification and accreditation process for legacy systems, protection of the Air Force brand and an increase in the overall performance, reliability and code quality of application software.

"It's really about inherently making your code and your systems more and more secure, which makes it harder for the attackers to do any damage and greatly enhances national security," says Master Sgt. Tooke. "Our most important achievements have been helping our customers produce more secure, higher-quality software."

In light of these benefits, ASACoE's work is getting attention and requests for help from other organizations that want to incorporate software security into their application development processes. "We have worked with our sister services, DoD and other Federal agencies to build comprehensive knowledge and processes across the DoD," says Master Sgt. Tooke. "Our processes have been utilized as a model for the other services and agencies to follow."

And its work to increase awareness and knowledge among military programmers will continue. ASACoE will ultimately become a charter member of the still-being-developed DoD Software Assurance Community of Practice, which will be responsible for crafting software assurance governance and guidance for the entire DoD.

"Ultimately, we say that we want to work ourselves out of a job," says Aquino. "When we do, that will mean that the Air Force no longer needs ASACoE because its development offices, both government and commercial, are effectively creating and delivering secure software by following a risk-based approach to addressing threats and vulnerabilities. This will take some time, but it should not be an unreasonable goal."

www.isc2.org