Securing the Software: An Industry Perspective
Insights on New DOD Legislation That Redefines Software Security
The DOD has responded with the 2011 National Defense Authorization Act, which emphasizes the need to protect and defend the software layer, an overlooked factor in IT security.
"Software assurance is very tightly coupled with mission assurance," says Fortify's Public Sector President Kelly Collins.
For the past three decades, the primary focus for hackers was trying to get into networks and steal files off of a file system, says Fortify's Federal Division CTO Rob Roy. The network problem was resolved using firewalls and intrusion detection. But now, those defenses have been opened up to allow legitimate access to networks for remote workers to do their jobs.
"We've gotten to a point now where our applications and software that are managing all of these missions and containing all of the data are the weak point. We're at a point where we have to re-visit that policy. That is what this bill has looked at," Roy says in Fortify's new podcast for Information Security Media Group [transcript below].
Fortify's podcast on NDAA and APT, presented by Public Sector President Kelly Collins and Federal Division CTO Rob Roy, is divided into two segments.
Segment one discusses:
- What is new about the software security assurance provisions in the 2011 NDAA?
- Why is the focus on the software layer important?
- Why has the software layer been deemphasized in the past?
- What does the new NDAA policy do to address this challenge?
Segment two discusses:
- What solutions are available to enable the DOD to comply with the new NDAA policy?
- How can the DOD ensure their software is as secure, or more secure, than their hardware?
- How is the systems integrator community getting involved?
As the leader of Fortify's Public Sector Division, Kelly Collins works closely with public officials to raise awareness on the critical need for cogent policy to protect government systems from cyberattack. She ensures customer success with Fortify's products in the Defense and Intelligence Community as well as at Civilian government agencies.
Rob Roy is currently the Federal Chief Technology Officer at Fortify Software. In this capacity, he represents Fortify's technology leadership to Government, Systems Integrator and Critical Infrastructure organizations seeking to address their Software Security Assurance challenges. He believes that protecting information at the application level is the last line of defense in a never-ending cyber threat that is increasing in both sophistication and harm to the international community.
2011 National Defense Authorization Act
INTERVIEWER: The Advanced Persistent Threat (APT) is quickly becoming very adept at penetrating government network defenses. Historically, security policies were heavily focused on hardware and network security assets as opposed to software, and APT took full advantage of this policy gap by focusing its efforts on the software layer. The defense department is taking the leadership position by defining policy that emphasizes the need to protect and defend the software layer. Through new software security assurance provisions and the 2011 National Defense Authorization Act, DOD is treating software as a key component of a comprehensive defense in-depth strategy. It's now applying the same principles and focus to the software layer that it has been to hardware and network resources, ensuring software is not part of the attack surface. Kelly, tell me what is new about the software security assurance provisions in the 2011 National Defense Authorization Act.
KELLY COLLINS: This is the first time that there was a section on software assurance in the DOD bill, which we viewed as an acknowledgment that there has been a perceived hole in security policy. Most of the focus has been on hardware and network security. In recent years, with the growth of focused APT and the level of hacking that has occurred in the government, particularly in the DOD, breaches have resulted in software penetration and vulnerability in the software layer, enabling hackers to get into government systems or government applications. Therefore, I believe that the committees focused on this issue were very mindful of wanting to create policy that is based on the software layer in order to defend the applications, and ultimately the mission assurance, of those systems. We believe at Fortify that software assurance is very tightly coupled with mission assurance.
INTERVIEWER: Rob, why has the software aspect been de-emphasized until now?
ROB ROY: What we've seen for the last twenty to thirty years is that there was recognition from a policy perspective, with things like the Federal Information Security Management Act [FISMA], that the primary focus for the original hackers was trying to get into networks and steal files off of a file system. As our networks have grown up and we've addressed that problem with things like firewalls and intrusion detection, we've created a very elaborate defense in-depth strategy. What we've done with the internet coming along and being so pervasive is we've had to open up all of those defenses and let legitimate people into our networks to accomplish their mission and their jobs. We've gotten to a point now where our applications and software that are managing all of these missions and containing all of the data are now the weak point. We have not focused on it. We focused on just keeping the people out of the networks. Now we're at a point where we have to re-visit that policy. That is what this bill has looked at.
INTERVIEWER: It sounds like the issue has been, "How can we break into the building and into the file cabinet?" And now people are realizing that it's the files in the file cabinet that the bad guys are after. People understand the bad guys don't just want to get into the office; they want to steal those files out of that cabinet.
COLLINS: Right, and take it out little-by-little, encrypted on the channel on the way out, so you may not know what was stolen initially until you do some heavy and deep forensics. What we want people to understand is that there's hope. There are technologies, automated technologies, which will easily allow you to find the vulnerabilities in millions of lines of code in several hours. The find is very easy today. That has been automated. Companies like Fortify and others do that very well. The fix, or the remediation, is where the policy guidance will come in and be a great help going forward. Regarding vulnerabilities, I'm going to use one as a kind of a lightning rod, because it's been very popular. It's called SQL Injection, or Sequel Injection, how you inject and talk to a database in order to get information out of that database. It's one of the most common hacks. It's usually in the top five of any kind of scan that we do on a software system. They are easy to find and fix. The hope is that the policy guidance will assist systems integrators, who build the majority of the software systems in the federal government, teaching them to be mindful of eradicating the top vulnerabilities that are being exploited by the APT, and be able to fix those immediately. Legacy code, particularly section 932 of the DOD bill, is called out specifically to make sure those legacy systems do find and fix problems. Also, new systems that are developed from here on out should be much more mindful of making sure simple things like Sequel Injections are not available in the code in order to be exploited.
INTERVIEWER: Let's talk about solutions in part two of our series. You are hearing Kelly Collins, Fortify's President of the Public Sector and Rob Roy, Fortify's Chief Technology Officer of the Federal Division. You can learn more about Fortify's approach to software security assurance by visiting Fortify.com. The Fortify podcast series is produced by ConnellyWorks and Federal Business Media.
In part one of this series, you heard about software assurance provisions in the 2011 National Defense Authorization Act that will change the way the DOD approaches security. In part two you'll learn about solutions that will not only make you compliant with policy, but also assure your software is as secure as, maybe more secure than, your hardware. Rob, the solution you provide is not just telling agencies where their vulnerabilities are; you also perform the more valuable service of telling agencies what to do, right?
ROY: We would classify that as the whole realm of software security assurance as pulled out in this DOD bill. That is the field of recognizing how to build secure software. But first you have to acknowledge where your problems are. We will explore the software, scan it, find problems and then help give guidance on not only how to remove those but how to prevent their creation in the first place. That comes full cycle in software security assurance by training and educating developers, giving them tools and technologies and implementing policy within an organization to understand what software security is all about to move this ball forward as we move ahead with software assurance.
INTERVIEWER: Kelly, when should Fortify be involved in this process?
COLLINS: There is a significant amount of cost savings, or cost avoidance, to utilize these technologies early in the development cycle on the developer's desktop. It is also, we would point out at this time, because of the acknowledgment in section 932 that there is going to be an incredible amount of services opportunity for federal systems integrators to remediate this code. Some of the programs may be years old. There are new prime and sub relationships. They may not have been the original developer of that software, yet it's incumbent upon them to find, fix and remediate those vulnerabilities out of the code in order to go forward with strong mission assurance. But the government and the DOD are going to be very reliant upon the systems integration community to do and perform that remediation for them.
INTERVIEWER: Rob, what should I know and what should I do next?
ROY: The guidance has been there, but it's been suggested guidance. Now there are teeth to it, and we have been preparing for this day for many years by providing the frameworks by which folks within the DOD community can get started immediately: implementing the policy, receiving the technologies, training the people that are developing these, and working with the systems integrators to help them create these processes by which they can deliver more secure code to their government clients.
INTERVIEWER: Kelly, your final thoughts?
COLLINS: I want the technical community and the congressional committee to have hope that these automated technologies will allow them to find the vulnerabilities in their system, knowing that many of them are easy to fix, but not all. There is going to be time, attendance and funding that needs to occur in the systems integration community to do this, but the point is we should be much more empowered with our thought process of knowing that we can make it a lot harder for the APT that is preying upon our defense systems, stealing data and intellectual property. We could beef up our defense posture, the software layer, very easily in the next few years. I think that would have a very positive impact on the way we are being preyed upon electronically.