Air Force tests baked-in software security
- By Sara Friedman
- Feb 28, 2018
To counter the growing sophistication of enemy hackers, the Air Force has embraced agile software development, testing and deployment processes.
Since cancelling the Air Operations Center (AOC) 10.2 contract with Northrop Grumman in July 2017, the Air Force has been adopting practices from Silicon Valley to improve software development. The AOC Pathfinder project, which aims to speed delivery of AOC weapon system capabilities to the warfighter, takes advantage of automated builds multiple times a day, fuzzing and automated testing, according to Air Force Cyberspace Innovation Director Lauren Knausenberger.
“We are looking at redefining the way that we develop software in the government and how you bake security into the process so it is not an afterthought,” Knausenberger said at the Feb. 27 AFCEA Cybersecurity Technology Summit. “We are pushing toward proofs that have results -- where you might see language to fix vulnerabilities in 10 days or red teams and pen testing.”
Through the first two rounds of the Hack the Air Force bug bounty program, hackers identified previously unknown vulnerabilities in exchange for cash. Air Force Chief Information Security Officer Peter Kim said the program was “enlightening” because it surfaced hidden problems and showed how to fix them.
The Air Force’s current certification process is part of the problem, Kim said, as it can be burdensome for coders who must check software packages.
“Every time you create a widget, you need to build a huge certification package that causes people pain and suffering and lots of sorrow,” Kim said. “It is hundreds of pages thick, and they need to do all of these controls … [which doesn’t work] in the modern age.”
AOC Pathfinder is creating a new process to develop code. “Our goal in the near term is to certify the AOC software factory so everything coming out is automatically certified,” Knausenberger said. “We are pushing the proof toward the results.”
Sara Friedman is a reporter/producer for GCN, covering cloud, cybersecurity and a wide range of other public-sector IT topics.
Before joining GCN, Friedman was a reporter for Gambling Compliance, where she covered state issues related to casinos, lotteries and fantasy sports. She has also written for Communications Daily and Washington Internet Daily on state telecom and cloud computing. Friedman is a graduate of Ithaca College, where she studied journalism, politics and international communications.
Friedman can be contacted at firstname.lastname@example.org or followed on Twitter at @SaraEFriedman.