The frequency and complexity of attacks upon the software assets of the United States Military is increasing at a rate which requires a massive organized response from the defense community. This threat is unlike anything encountered before and the response must be swift and focused. Currently the Navy and the Department of Defense are working multiple fronts in order to keep pace with the actual threats. The predominance of the attacks are focused in one area which should help focus a part of our defense. The Gartner report1 stated that 84% of all attacks are at the application layer. Therefore, securing the application layer should be the top priority. To achieve security in this area, computer scientists need to build software with security in mind from the beginning. However, most software developers have not been trained in secure coding techniques within their undergraduate programs. The solution lies with driving the culture of software development toward software assurance knowledge and practices; which is not a trivial undertaking. The goal of this article is to describe a grass roots training class that was created at the Naval Surface Warfare Center Dahlgren Division (NSWCDD) to provide software developers with an introduction to the fundamentals of software assurance and secure coding.
Introduction
The Cyber War has not only begun, but it is well underway. Sun Tzu in The Art of War2 offers not only insight but also a potential method for assessing whether one is prepared for battle.
If you know the enemy and know yourself…
You need not fear the result of a hundred battles.
If you know yourself but not the enemy…
For every victory gained you will also suffer a defeat.
If you know neither the enemy nor yourself…
You will succumb in every battle.
There have been a significant number of successful cyber attacks on the U.S. Government over the past several years, from the 2014 Office of Personnel Management Data Breach to the successful cyber attack on the IRS in 2016 and those are just the openly known attacks. Using Sun Tzu’s philosophy as an assessment, one is forced to admit that at best we don’t know our enemy (where and how they are most likely to attack) and at worst we don’t know ourselves either (where most of our vulnerabilities are located). The primary response to this scenario has been to create a wave of new defense methods and tools. The goal of this article is to review and outline the successes and lessons learned from a “grass roots” training class that was created at the Naval Surface Warfare Center Dahlgren Division (NSWCDD) to provide software developers an introduction to the fundamentals of software assurance to include secure coding.
Why Train Developers in Software Assurance?
The beginning was simple, a team of software engineers moved from satellite and mobile development to the mysterious realm of cyber R&D. In the software development community, there is a belief that network defenses, such as firewalls and intrusion detection systems, safeguard our software systems and therefore developers do not have to concern themselves with security at large. One of the early realizations the team had was that software applications are an attacker’s main target and network defenses can be defeated. Hackers try to use developers’ tools, such as input fields, and computer resources, such as memory, in ways that weren’t intended by the original designers. This is one of the primary ways hackers can obtain system access and information. For example, developers write code with the expectation of what constitutes normal inputs that the user will give to an application. Developers often test for accidental input errors, but they don’t design or code with the idea that someone is intentionally trying to take advantage of their application through a buffer overflow weakness.
Gary McGraw, IEEE Senior Member and Secure Coding expert, notes that 50% of vulnerabilities that attackers take advantage of occur in software design.3 The 2014 Gartner Research report stated that 84% of breaches exploit vulnerabilities in the applications themselves.1 These facts are not well known or understood among the majority of developers who are still not trained in secure software development in their undergraduate or graduate programs. However, as we came to realize, if the software itself can be the target and the weakest link in a system, then secure software can be the best defender. Even security defense tools are themselves software that can have vulnerabilities, and they must also be coded securely.
Therefore, secure software development became the focus and software developers became the fundamental solution. Why? Software developers take pride in their code and inherently strive to make their software solid and robust through areas such as reliability, scalability and maintainability. If software security was added to this list, through exposure and adoption of secure coding knowledge, then software would become intrinsically more secure. Code security would be naturally and automatically included in the design, architecture and daily development. Software assurance includes secure software development practices, processes and tools. It is part of the overarching software engineering umbrella. Upcoming new accreditations and processes are attempting to address cyber issues. However, success will be achieved most efficiently if software designers and developers understand and adopt software assurance principles in order to thwart hackers and fulfill their missions.