A layered shield

Telos helps the Air Force develop model of protection

Project: Application and database security

Agency: Air Force

Partners: Telos Corp., Cigital Inc., Fortify Software Inc., IBM/Watchfire Corp. and Application Security Inc.

Goal: Improve security for the application and database layers of Air Force
systems.

Obstacles: Many of the new systems are Web-based, exposing them to
more security vulnerabilities and hacker attacks.

Solution: A suite of tools to create multilayer protection.

Payoff: A model for application and data security has been established for
the Air Force and other agencies.

Transitioning from proprietary
systems to commercial
products and Web applications
has been a boon for the Air
Force.

The Air Force can implement
software more quickly,
widely and cheaply than with
the systems it used in the past.
The new model also comes
with new security issues. Like
other government agencies
and private organizations, the
Air Force is under constant
threat from hackers looking to
steal sensitive information. It's
a worldwide problem that's
mushroomed during the past
two years.

More than 165 million
records containing personal
information have been
breached since 2005, according
to the Privacy Rights
Clearinghouse, a nonprofit
consumer information and
advocacy organization.
Vulnerable databases and
Web applications are among
the leading contributors to the
problem.

To fight back, Air Force officials
have established an applications
and software assurance
center that provides a comprehensive
way to test and protect
the service's applications and
databases, said Greg Garcia,
director of the 754th
Electronic Systems Group at
Maxwell Air Force Base-
Gunter Annex, Ala. The center
eventually will be available to
the entire Air Force and could
be a model for other defense
and civilian agencies.

"The Air Force has really
transitioned from a developer
of software to an implementer
of software," Garcia said. "We've
shifted from the governmentowned,
government-developed
model to the commercial, off-the-shelf model."

With that, the Air Force has
moved from a client/server
world to net-centric operations,
which forces more applications to be Web-enabled.
Although that move and the
adoption of a plug-and-play
service-oriented architecture
enable faster adoption of software,
the Air Force faces a
challenge in securing new
systems.

"The way I like to phrase it is
that we need to secure the
work of the net, in addition to
the network," Garcia said.

For many years, the focus
has been on securing the network,
but little energy and few
resources were spent on the
applications that reside on the
network. Web-centric systems
bring a different set of vulnerabilities
to the forefront. Issues
such as cross-scripting or
authentication can lead to
breaches in a system.

The project started out by
conducting code analysis of
source code, compiled code
and the run environments.
That took about 18 months and
revealed that the vulnerabilities
in the world are evolving
quickly. Air Force officials realized
a concentrated effort was
needed to address such potential
vulnerabilities as they
develop.

Four components make up
the Center of Excellence:
  • A source code analysis suite.
  • A Web penetration tool to
    identify vulnerabilities.
  • Database protection.
  • The ability to protect Web
    applications until developers
    can fix source code.

Perimeter security

Telos Corp. won the contract
to help build the Application
Software Assurance Center of
Excellence. Telos' team
includes Cigital Inc., Fortify
Software Inc., IBM/Watchfire
Corp. and Application Security
Inc.

Over the years, the Defense
Department has done a good
job of building perimeter security
for its networks, said Ron
Dorman, vice president of
information assurance solutions
at Telos.

"That kind of defense is not
100 percent," Dorman said. "So
when somebody manages to
get through the hard coating
on the network layer and into
the application layer, this is
another layer of defenses."
The tools are used to look at
developed applications. That
will change as the center
expands and evolves, said
Rinaldi Pisani, a sales director
at Telos.

"Eventually the guys developing
applications will use the
source code analysis tool during
that upfront process so
that the code gets built
securely from the beginning,"
he said.

Applications built for medical
facilities, for example, will
benefit from the suite of tools
because Social Security numbers
and critical information
are often a major part of those
applications.

Application Security's
DbProtect suite will be the
main tool used to protect data
on Air Force systems. It combines
discovery, vulnerability
scanning, real-time activity
monitoring, auditing and
encryption. It also helps
ensure that regulatory compliance
requirements are met.

The suite is designed as a
layer of a multifaceted defense
system, said Ted Julian, vice
president of marketing and
strategy for Application
Security.

"What's unique about this
Air Force project is the relative
comprehensiveness of their
approach to try and solve this
data security epidemic," he
said.

"There is no silver bullet,
because if there was one, we
wouldn't be in the security
predicament we're in now."

Automated approach

Database security is a
response to hackers changing
their attacks to focus on stealing
data they can sell.
Security installed where the
data lives ensures it's secure
no matter how the hackers
might access it. It also
secures against rogue insiders
who don't need to break
through the firewall to access
data.

DbProtect addresses common
security holes, such as
changing all the default IDs
and passwords in a database.
That sounds simple, and in
some ways, it is. "The problem
is that, for a modern database,
there are between two and
three dozen default services
that get installed with a
default installation," Julian
said.

Agencies can have hundreds
and even thousands of databases.
"Multiply a thousand by
two dozen accounts, that's a
lot of checks that you need to
run and if you don't have an
automated way to do that,
you'll probably never get it
done."

Staff writer Doug Beizer can be
reached at dbeizer@1105govinfo.com.

Reader Comments

Please post your comments here. Comments are moderated, so they may not appear immediately after submitting. We will not post comments that we consider abusive or off-topic.

Please type the letters/numbers you see above

What is your e-mail address?

My e-mail address is:

Do you have a password?

Forgot your password? Click here
close
SEARCH
contracts DB

Trending

  • Dive into our Contract Award database

    In an exclusive for WT Insider members, we are collecting all of the contract awards we cover into a database that you can sort by contractor, agency, value and other parameters. You can also download it into a spreadsheet. Read More

  • Is SBA MIA on contractor fraud? Nick Wakeman

    Editor Nick Wakeman explores the puzzle of why SBA has been so silent on the latest contractor fraud scandal when it has been so quick to act in other cases. Read More

Webcasts

  • How Do You Support the Project Lifecycle?

    How do best-in-class project-based companies create and actively mature successful organizations? They find the right mix of people, processes and tools that enable them to effectively manage the project lifecycle. REGISTER for this webinar to hear how properly managing the cycle of capture, bid, accounting, execution, IPM and analysis will allow you to better manage your programs to stay on scope, schedule and budget. Learn More!

  • Sequestration, LPTA and the Top 100

    Join Washington Technology’s Editor-in-Chief Nick Wakeman as he analyzes the annual Top 100 list and reveals critical insights into how market trends have impacted its composition. You'll learn what movements of individual companies means and how the market overall is being impacted by the current budget environment, how the Top 100 rankings reflect the major trends in the market today and how the biggest companies in the market are adapting to today’s competitive environment. Learn More!