CASE STUDY—Software Assurance
A flight plan for safer software
Air Force program uses code analysis tools and a comprehensive process to fortify its apps
- By William Jackson
- Feb 09, 2009
Maj. Michael Kleffman is chief technology officer of the Air Force's Application Software Assurance Center of Excellence (ASACoE), based at Maxwell-Gunter Air Force Base, Ala. The center was established in 2007, in response to the increasing severity and changing nature of cyber threats, to improve the security and reliability of the Air Force's applications. Since then, it has trained 332 personnel, identified more than 750,000 weaknesses in 190 applications, provided fixes for more than 200,000 of them, and helped to eliminate or mitigate 25 of the most serious application vulnerabilities.
GCN: Briefly describe the Air Force's software assurance program.
KLEFFMAN: The mission of the Application Software Assurance Center of Excellence is to foster security in every step of the software development life cycle (SDLC) and in software acquisitions through tools, techniques and education. The ASACoE also works with the acquisition community to educate it about software assurance and to better understand the importance of including software assurance in software acquisitions. Finally, it is working to get automated tools and techniques included in the certification and accreditation process to ensure applications are being assessed for software-assurance vulnerabilities before they are allowed to be connected to the operational network.
GCN: What was the impetus for the program?
KLEFFMAN: In 2005, an Air Force application with personal information was compromised. The Air Force realized then that hackers were starting to change their strategies and were looking for important data that could be used for profit. The Air Force conducted a pilot program that looked at the source code of eight applications within the [service's] portfolio, using source code analysis tools from two vendors. Each tool found that all eight applications could be exploited, so the Air Force leadership was convinced it was time something was done to develop and buy more secure software. The ASACoE was funded and stood up Aug. 31, 2007.
GCN: What kinds of tools and methods are you using?
KLEFFMAN: ASACoE provides software development program offices with three days of training. One day consists of secure software development, focusing on the weaknesses of programming languages that lead to vulnerabilities and how to mitigate or prevent these weaknesses from being coded in the software. The second day is spent teaching personnel how to effectively use the source code analysis tool, [named the Fortify Source Code Analyzer], in the development phase of the SDLC. Half of the third day is spent teaching how to effectively use the database analysis tool, [named Application Security’s AppDetective], to analyze database configuration. The second half of the day is spent on an overview of the management and shielding tools, [named Fortify Manager and Real-Time Analyzer].
ASACoE will then send a team of four personnel to work with the development program office for five days to assess their application. The ASACoE team will assist the development team with conducting a scan of their code, a scan of their database, and finally will use a dynamic analysis tool [IBM Rational AppScan] to scan the application in a test environment.
The ASACoE team will then assist with analyzing the results of the scans to help the development team understand the most important findings and to help them determine the false positives and the false negatives. During this week, the ASACoE team will also instruct the program office on best practices for using the tools to ensure that coded weaknesses are addressed at the earliest possible time in the SDLC.
The ASACoE team will then conduct another five days of analysis on the scan results and provide the development program office a final report with suggested fix actions. If the ASACoE team thinks a more in-depth assessment is needed, it will recommend a detailed risk assessment. A detailed risk assessment consists of reviewing the architecture of the application and any dependencies it may have with other applications and takes anywhere from four to 12 weeks for one application. The ASACoE team then provides follow-up assistance with the development program office any time it is needed.
GCN: What lessons have you learned, and what advice would you offer to others about software assurance?
KLEFFMAN: Buy-in from management is a must. All levels of management, including the program manager, must understand the importance of software assurance and be willing to accept the additional upfront cost of incorporating software assurance into the SDLC of all software. Management must understand that by incorporating software assurance from the beginning, they will save money in the long term by fixing software weaknesses earlier in the development life cycle.
Education is key to building a sound software-assurance framework in any organization. Secure programming techniques are not taught by academia, so to ensure your developers follow best practices and write secure code, they must be educated. Automated tools are a must for improving the assurance of your software, but they are not the silver bullet. You still have to have a mature engineering process and fully understand the importance of including software assurance from the beginning through the end of the SDLC.