Add another weapon to the Department of Defense's defense-in-depth arsenal. The U.S. Navy Network Warfare Command...
(NetWarCom) is recommending use of an automatic source code analysis tool throughout the DoD to help identify and remediate potential security vulnerabilities.
NetWarCom, in conjunction with Johns Hopkins University Applied Physics Laboratory (JHU/APL), recently evaluated source code analysis technology from Ounce Labs Inc. in Waltham, Mass. to test the capabilities of such a tool.
"The military has always had a defense-in-depth policy. Application security has increased in awareness the last few years because there are more attacks at the application layer than at the network layer," said CDR Tony Parrillo, director of the FORCEnet Execution Center, which operates and sets requirements for the Navy-wide network, as well as evaluates and recommends technology.
Parillo said attacks are on the rise -- there are tens of thousands of probes per hour on the Navy's networks, he said. "Some are just kid hackers, some are hacker organizations, and some are just looking for profit. Not to mention viruses and worms -- they affect us, too."
And the nature of those attacks? "Seventy-five percent of the attacks on the DoD occur at the application layer," Parrillo said.
Based on the evaluation of the Ounce Labs product, which Parrillo was recommended by the U.S. Air Force, NetWarCom and the Applied Physics Lab determined this type of tool could be helpful to the DoD in testing off-the-shelf software for security vulnerabilities and in helping its in-house development organizations reduce vulnerabilities. Outsourced custom development organizations could also be required to use it.
"When we contract with [a] software company, we could say you have to use this when you develop. And when we get the software, we would run it through the tool to see if there is an acceptable level of security, because security is never perfect," Parrillo said.
There are also efficiency benefits, Parrillo said. "We're increasingly relying on commercial software, but we can't afford to have people go through multimillion lines of code," he said. During the Ounce Labs evaluation, "we tested 95,000 lines of code in two hours."
Although the evaluation was done on the Ounce Labs product, it was ultimately the capability that was being tested. Once the recommendation is issued for this requirement of an automated source code analysis, the acquiring organizations would go through their own vendor and product evaluations, Parrillo said.
Any automated tool chosen would have to be "military friendly," Parrillo added. "Some military programs, particularly the older ones, have different subroutines and languages. We have different needs. There are not too many commercial organizations that write software to shoot missiles, so some modules didn't go through [the Ounce Labs tool] that well. We would have to work with the [tools] vendors to make it more friendly, but the capability that this represents is something the military really needs."
Tools market still young
"It's important for organizations to get a handle on what's in their source code," said Jack Danahy, chief technology officer at Ounce Labs. While the problem of software security is an old one, the market for application security tools is fairly young, he said. "But there have been a lot of advances over the last couple years in the understanding that you can't perimeterize your way to success," he said.
Danahy said many organizations are looking to test automated source code analysis tools, but the buying behavior is very young. They're "mainly people who really have a vested interest in security are the leading edge [of] acquirers," he said.
There are two main requirements for this type of tool, Danahy said. Can it scale and provide quick access to data, with a minimum of false positives? And does the breadth of findings go beyond just bugs?
The recommendation by NetWarCom to use this type of tool "is a pretty big deal," Danahy said. "NetWarCom is a joint function; its projects span multiple functional organizations across the military."
Danahy is also hopeful market awareness will rise. "In general, the more smart people are talking about a subject, the more it will raise people's awareness that this is what smart people are doing."
Dig Deeper on Software Security Test Best Practices