
Hacker 101 & Secure Coding: A Grassroots Movement towards Software Assurance

Published in Journal of Cyber Security and Information Systems
Volume: 5 Number: 2 - Design and Development Process for Assured Software – DoD Software Assurance Community of Practice: Volume 1

Authors: Carol Lee, Jasen Moran, Joel McCormick, Kolby Hoover, Matt Hackman, Paul McFall, Roger Lamb and Scott Nickeson
Posted: 07/13/2017

The frequency and complexity of attacks upon the software assets of the United States Military are increasing at a rate that requires a massive, organized response from the defense community. This threat is unlike anything encountered before, and the response must be swift and focused. Currently, the Navy and the Department of Defense are working on multiple fronts in order to keep pace with the actual threats. The attacks are predominantly focused in one area, which should help focus a part of our defense. The Gartner report [1] stated that 84% of all attacks are at the application layer. Therefore, securing the application layer should be the top priority. To achieve security in this area, computer scientists need to build software with security in mind from the beginning. However, most software developers have not been trained in secure coding techniques within their undergraduate programs. The solution lies in driving the culture of software development toward software assurance knowledge and practices, which is not a trivial undertaking. The goal of this article is to describe a grassroots training class that was created at the Naval Surface Warfare Center Dahlgren Division (NSWCDD) to provide software developers with an introduction to the fundamentals of software assurance and secure coding.

Introduction

The Cyber War has not only begun, but it is well underway. Sun Tzu in The Art of War [2] offers not only insight but also a potential method for assessing whether one is prepared for battle.

If you know the enemy and know yourself…
You need not fear the result of a hundred battles.
If you know yourself but not the enemy…
For every victory gained you will also suffer a defeat.
If you know neither the enemy nor yourself…
You will succumb in every battle.

There have been a significant number of successful cyber attacks on the U.S. Government over the past several years, from the 2014 Office of Personnel Management Data Breach to the successful cyber attack on the IRS in 2016, and those are just the openly known attacks. Using Sun Tzu’s philosophy as an assessment, one is forced to admit that at best we don’t know our enemy (where and how they are most likely to attack) and at worst we don’t know ourselves either (where most of our vulnerabilities are located). The primary response to this scenario has been to create a wave of new defense methods and tools. The goal of this article is to review and outline the successes and lessons learned from a “grassroots” training class that was created at the Naval Surface Warfare Center Dahlgren Division (NSWCDD) to provide software developers an introduction to the fundamentals of software assurance, including secure coding.

Why Train Developers in Software Assurance?

The beginning was simple: a team of software engineers moved from satellite and mobile development to the mysterious realm of cyber R&D. In the software development community, there is a belief that network defenses, such as firewalls and intrusion detection systems, safeguard our software systems and that developers therefore do not have to concern themselves with security at large. One of the early realizations the team had was that software applications are an attacker’s main target and network defenses can be defeated. Hackers try to use developers’ tools, such as input fields, and computer resources, such as memory, in ways that weren’t intended by the original designers. This is one of the primary ways hackers can obtain system access and information. For example, developers write code with an expectation of what constitutes normal input that the user will give to an application. Developers often test for accidental input errors, but they don’t design or code with the idea that someone is intentionally trying to take advantage of their application through a buffer overflow weakness.

Gary McGraw, IEEE Senior Member and Secure Coding expert, notes that 50% of vulnerabilities that attackers take advantage of occur in software design [3]. The 2014 Gartner Research report stated that 84% of breaches exploit vulnerabilities in the applications themselves [1]. These facts are not well known or understood among the majority of developers, who are still not trained in secure software development in their undergraduate or graduate programs. However, as we came to realize, if the software itself can be the target and the weakest link in a system, then secure software can be the best defender. Even security defense tools are themselves software that can have vulnerabilities, and they must also be coded securely.

Therefore, secure software development became the focus and software developers became the fundamental solution. Why? Software developers take pride in their code and inherently strive to make their software solid and robust through areas such as reliability, scalability and maintainability. If software security were added to this list, through exposure to and adoption of secure coding knowledge, then software would become intrinsically more secure. Code security would be naturally and automatically included in the design, architecture and daily development. Software assurance includes secure software development practices, processes and tools. It is part of the overarching software engineering umbrella. Upcoming new accreditations and processes are attempting to address cyber issues. However, success will be achieved most efficiently if software designers and developers understand and adopt software assurance principles in order to thwart hackers and fulfill their missions.


References

  1. Feiman, Joseph. “Maverick Research: Stop Protecting Your Apps; It’s Time for Apps to Protect Themselves.” (https://www.gartner.com/doc/2856020/maverick-research-stop-protecting-apps)
  2. Galvin, D., L. Giles, and G. Stade. “Sun Tzu: The Art of War.” (2003).
  3. http://theinstitute.ieee.org/special-reports/special-reports/10-recommendations-for-avoiding-software-security-design-flaws
  4. http://intelreport.mandiant.com/Mandiant_APT1_Report.pdf
  5. DoDI 5200.44 - Protection of Mission Critical Functions to Achieve Trusted Systems and Networks (TSN) - (http://www.dtic.mil/whs/directives/corres/pdf/520044p.pdf)
  6. National Defense Authorization Act for Fiscal Year 2013 (2013 NDAA S933) (http://www.dtic.mil/congressional_budget/pdfs/FY2013_pdfs/AUTH_CRPT-112hrpt705.pdf)
  7. http://www.cyber.umd.edu/sites/default/files/documents/symposium/fisher-HACMS-MD.pdf
  8. http://world.std.com/~reinhold/diceware.html

Authors

Carol Lee
Carol Lee works at the Naval Surface Warfare Center in Dahlgren, Virginia. She is the Navy counterpart lead for the Joint Federated Assurance Center Software Assurance Technical Working Group. Mrs. Lee has an M.S. in Computer Science from Virginia Commonwealth University (VCU) and over 15 years of experience in leading software development teams and developing software products for the Navy and DoD. She has developed code for mathematical algorithms for the Statistical Modeling and Estimation of Reliability Functions for Systems (SMERFS3) project; worked on web collaboration software; and led teams in the development of tactical decision aids, a satellite operation center, mobile handset command and control and cyber situational awareness applications. Additionally, she created the vision for the training in this article and has built a Software Assurance and penetration testing team.
Jasen Moran
Jasen Moran is a computer scientist for the Department of Defense. He has a Master of Science degree in Secure Software Engineering and a Bachelor's degree in Computer Science, both from James Madison University. His professional areas of interest include network security, digital forensics, application hardening and all things Python.
Joel McCormick
Joel McCormick is a lead software developer with 15 years of experience in the field, including significant time spent in C and C++. He works at the Naval Surface Warfare Center in Dahlgren, Virginia and has a degree in Computer Science and certifications in exploit research and development.
Kolby Hoover
Kolby Hoover is currently working for the Naval Surface Warfare Center Dahlgren Division as a technical lead for the newly formed NAVSEA Red Team. He has a B.S. in Computer Engineering from Christopher Newport University and is currently working on his Master’s Degree in Cybersecurity Engineering from the University of Maryland.
Matt Hackman
Matt Hackman is a software engineer currently working with the Department of Defense. He has fifteen years of experience in the engineering and software development world. He has led and contributed to projects involving a wide range of subject matter, including cyber security, machine learning, chemical modeling, satellite communications, geospatial modeling and analysis, and mission assurance. Mr. Hackman holds degrees in Computer Science and Chemistry and certifications in cyber security incident response handling.
Paul McFall
Paul McFall is currently working for the Naval Surface Warfare Center Dahlgren Division as a technical lead for the newly formed NAVSEA Red Team. He has an M.S. in Computer Engineering.
Roger Lamb
Roger Lamb is a software developer at NSWC Dahlgren Division working on cyber situational awareness tools. Mr. Lamb has a Master of Science degree in Computer Science from Virginia Commonwealth University and a B.S. in Computer Science from the University of Mary Washington. Mr. Lamb’s experience includes software work in test development, satellite radios, cyber situation tools, mobile development, and various open source projects. He has a certificate in Cyber security from Virginia Commonwealth University.
Scott Nickeson
Scott Nickeson has a B.S. in Computer Science from Georgia Institute of Technology and 15 years of professional software development experience at NSWCDD.
