CSIAC

Cyber Security and Information Systems Information Analysis Center

/ Journal Issues / Design and Development Process for Assured Software – DoD Software Assurance Community of Practice: Volume 1 / Hacker 101 & Secure Coding: A Grassroots Movement towards Software Assurance

Hacker 101 & Secure Coding: A Grassroots Movement towards Software Assurance

Published in Journal of Cyber Security and Information Systems
Volume: 5 Number: 2 - Design and Development Process for Assured Software – DoD Software Assurance Community of Practice: Volume 1
Authors: Carol Lee, Jasen Moran, Joel McCormick, Kolby Hoover, Matt Hackman, Paul McFall, Roger Lamb and Scott Nickeson
| Leave a Comment

The frequency and complexity of attacks upon the software assets of the United States Military is increasing at a rate which requires a massive organized response from the defense community. This threat is unlike anything encountered before and the response must be swift and focused. Currently the Navy and the Department of Defense are working multiple fronts in order to keep pace with the actual threats. The predominance of the attacks are focused in one area which should help focus a part of our defense. The Gartner report1 stated that 84% of all attacks are at the application layer. Therefore, securing the application layer should be the top priority. To achieve security in this area, computer scientists need to build software with security in mind from the beginning. However, most software developers have not been trained in secure coding techniques within their undergraduate programs. The solution lies with driving the culture of software development toward software assurance knowledge and practices; which is not a trivial undertaking. The goal of this article is to describe a grass roots training class that was created at the Naval Surface Warfare Center Dahlgren Division (NSWCDD) to provide software developers with an introduction to the fundamentals of software assurance and secure coding.

Introduction

The Cyber War has not only begun, but it is well underway. Sun Tzu in The Art of War2 offers not only insight but also a potential method for assessing whether one is prepared for battle.

If you know the enemy and know yourself…
You need not fear the result of a hundred battles.
If you know yourself but not the enemy…
For every victory gained you will also suffer a defeat.
If you know neither the enemy nor yourself…
You will succumb in every battle.

There have been a significant number of successful cyber attacks on the U.S. Government over the past several years, from the 2014 Office of Personnel Management Data Breach to the successful cyber attack on the IRS in 2016 and those are just the openly known attacks. Using Sun Tzu’s philosophy as an assessment, one is forced to admit that at best we don’t know our enemy (where and how they are most likely to attack) and at worst we don’t know ourselves either (where most of our vulnerabilities are located). The primary response to this scenario has been to create a wave of new defense methods and tools. The goal of this article is to review and outline the successes and lessons learned from a “grass roots” training class that was created at the Naval Surface Warfare Center Dahlgren Division (NSWCDD) to provide software developers an introduction to the fundamentals of software assurance to include secure coding.

Why Train Developers in Software Assurance?

The beginning was simple, a team of software engineers moved from satellite and mobile development to the mysterious realm of cyber R&D. In the software development community, there is a belief that network defenses, such as firewalls and intrusion detection systems, safeguard our software systems and therefore developers do not have to concern themselves with security at large. One of the early realizations the team had was that software applications are an attacker’s main target and network defenses can be defeated. Hackers try to use developers’ tools, such as input fields, and computer resources, such as memory, in ways that weren’t intended by the original designers. This is one of the primary ways hackers can obtain system access and information. For example, developers write code with the expectation of what constitutes normal inputs that the user will give to an application. Developers often test for accidental input errors, but they don’t design or code with the idea that someone is intentionally trying to take advantage of their application through a buffer overflow weakness.

Gary McGraw, IEEE Senior Member and Secure Coding expert, notes that 50% of vulnerabilities that attackers take advantage of occur in software design.3 The 2014 Gartner Research report stated that 84% of breaches exploit vulnerabilities in the applications themselves.1 These facts are not well known or understood among the majority of developers who are still not trained in secure software development in their undergraduate or graduate programs. However, as we came to realize, if the software itself can be the target and the weakest link in a system, then secure software can be the best defender. Even security defense tools are themselves software that can have vulnerabilities, and they must also be coded securely.

Therefore, secure software development became the focus and software developers became the fundamental solution. Why? Software developers take pride in their code and inherently strive to make their software solid and robust through areas such as reliability, scalability and maintainability. If software security was added to this list, through exposure and adoption of secure coding knowledge, then software would become intrinsically more secure. Code security would be naturally and automatically included in the design, architecture and daily development. Software assurance includes secure software development practices, processes and tools. It is part of the overarching software engineering umbrella. Upcoming new accreditations and processes are attempting to address cyber issues. However, success will be achieved most efficiently if software designers and developers understand and adopt software assurance principles in order to thwart hackers and fulfill their missions.

References

  1. Feiman Joseph, “Maverick Research: Stop Protecting Your Apps; It’s Time for Apps to Protect Themselves”. (https://www.gartner.com/doc/2856020/maverick-research-stop-protecting-apps)
  2. Galvin, D., L. Giles, and G. Stade. “Sun Tzu: The Art of War.” (2003).
  3. http://theinstitute.ieee.org/special-reports/special-reports/10-recommendations-for-avoiding-software-security-design-flaws
  4. http://intelreport.mandiant.com/Mandiant_APT1_Report.pdf
  5. DoDI 5200.44 - Protection of Mission Critical Functions to Achieve Trusted Systems and Networks (TSN) - (http://www.dtic.mil/whs/directives/corres/pdf/520044p.pdf)
  6. National Defense Authorization Act for Fiscal Year 2013 (2013 NDAA S933) (http://www.dtic.mil/congressional_budget/pdfs/FY2013_pdfs/AUTH_CRPT-112hrpt705.pdf)
  7. http://www.cyber.umd.edu/sites/default/files/documents/symposium/fisher-HACMS-MD.pdf
  8. http://world.std.com/~reinhold/diceware.html

Authors

Carol Lee
Carol Lee
Carol Lee works at the Naval Surface Warfare Center in Dahlgren, Virginia. She is the Navy counterpart lead for the Joint Federated Assurance Center Software Assurance Technical Working Group. Mrs. Lee has an M.S. in Computer Science from Virginia Commonwealth University (VCU) and over 15 years of experience in leading software development teams and developing software products for the Navy and DoD. She has developed code for mathematical algorithms for the Statistical Modeling and Estimation of Reliability Functions for Systems (SMERFS3) project; worked on web collaboration software; and lead teams in the development of tactical decision aids, a satellite operation center, mobile handset command and control and cyber situational awareness applications. Additionally, she created the vision for the training in this article and has built a Software Assurance and penetration testing team.
Jasen Moran
Jasen Moran
Jasen Moran is a computer scientist for the Department of Defense. He has a Master of Science degree in Secure Software Engineering and a Bachelor's degree in Computer Science, both from James Madison University. His professional areas of interest include network security, digital forensics, application hardening and all things Python.
Joel McCormick
Joel McCormick
Joel McCormick is a lead software developer with 15 years of experience in the field, including significant time spent in C and C++. He works at the Naval Surface Warfare Center in Dahlgren, Virginia and has a degree in Computer Science and certifications in exploit research and development.
Kolby Hoover
Kolby Hoover
Kolby Hoover is currently working for the Naval Surface Warfare Center Dahlgren Division as a technical lead for the newly formed NAVSEA Red Team. He has a B.S. in Computer Engineering from Christopher Newport University and is currently working on his Master’s Degree in Cybersecurity Engineering from the University of Maryland.
Matt Hackman
Matt Hackman
Matt Hackman is a software engineer currently working with the Department of Defense. He has fifteen years of experience in the engineering and software development world. He has lead and contributed to projects involving a wide range of subject matter including: cyber security, machine learning, chemical modeling, satellite communications, geospatial modeling and analysis, and mission assurance. Mr. Hackman holds degrees in Computer Science and Chemistry and certifications in cyber security incident response handling.
Paul McFall
Paul McFall
Paul McFall is currently working for the Naval Surface Warfare Center Dahlgren Division as a technical lead for the newly formed NAVSEA Red Team. He has a M.S. in Computer Engineering.
Roger Lamb
Roger Lamb
Roger Lamb is a software developer at NSWC Dahlgren Division working on cyber situational awareness tools. Mr. Lamb has a Master of Science degree in Computer Science from Virginia Commonwealth University and a B.S. in Computer Science from University of Mary Washington. Mr. Lamb’s experiences include software work in test development, satellite radios, cyber situation tools, mobile development, and various works in open source projects. He was has a certificate from Virginia Commonwealth University in Cyber security.
Scott Nickeson
Scott Nickeson
Scott Nickeson has a B.S. in Computer Science from Georgia Institute of Technology and 15 years of professional software development experience at NSWCDD.

Reader Interactions

Leave a Comment