A layered shield

Telos helps the Air Force develop model of protection

Project: Application and database security

Agency: Air Force

Partners: Telos Corp., Cigital Inc., Fortify Software Inc., IBM/Watchfire Corp. and Application Security Inc.

Goal: Improve security for the application and database layers of Air Force

Obstacles: Many of the new systems are Web-based, exposing them to
more security vulnerabilities and hacker attacks.

Solution: A suite of tools to create multilayer protection.

Payoff: A model for application and data security has been established for
the Air Force and other agencies.

Transitioning from proprietary
systems to commercial
products and Web applications
has been a boon for the Air

The Air Force can implement
software more quickly,
widely and cheaply than with
the systems it used in the past.
The new model also comes
with new security issues. Like
other government agencies
and private organizations, the
Air Force is under constant
threat from hackers looking to
steal sensitive information. It's
a worldwide problem that's
mushroomed during the past
two years.

More than 165 million
records containing personal
information have been
breached since 2005, according
to the Privacy Rights
Clearinghouse, a nonprofit
consumer information and
advocacy organization.
Vulnerable databases and
Web applications are among
the leading contributors to the

To fight back, Air Force officials
have established an applications
and software assurance
center that provides a comprehensive
way to test and protect
the service's applications and
databases, said Greg Garcia,
director of the 754th
Electronic Systems Group at
Maxwell Air Force Base-
Gunter Annex, Ala. The center
eventually will be available to
the entire Air Force and could
be a model for other defense
and civilian agencies.

"The Air Force has really
transitioned from a developer
of software to an implementer
of software," Garcia said. "We've
shifted from the governmentowned,
model to the commercial, off-the-shelf model."

With that, the Air Force has
moved from a client/server
world to net-centric operations,
which forces more applications to be Web-enabled.
Although that move and the
adoption of a plug-and-play
service-oriented architecture
enable faster adoption of software,
the Air Force faces a
challenge in securing new

"The way I like to phrase it is
that we need to secure the
work of the net, in addition to
the network," Garcia said.

For many years, the focus
has been on securing the network,
but little energy and few
resources were spent on the
applications that reside on the
network. Web-centric systems
bring a different set of vulnerabilities
to the forefront. Issues
such as cross-scripting or
authentication can lead to
breaches in a system.

The project started out by
conducting code analysis of
source code, compiled code
and the run environments.
That took about 18 months and
revealed that the vulnerabilities
in the world are evolving
quickly. Air Force officials realized
a concentrated effort was
needed to address such potential
vulnerabilities as they

Four components make up
the Center of Excellence:
  • A source code analysis suite.
  • A Web penetration tool to
    identify vulnerabilities.
  • Database protection.
  • The ability to protect Web
    applications until developers
    can fix source code.

Perimeter security

Telos Corp. won the contract
to help build the Application
Software Assurance Center of
Excellence. Telos' team
includes Cigital Inc., Fortify
Software Inc., IBM/Watchfire
Corp. and Application Security

Over the years, the Defense
Department has done a good
job of building perimeter security
for its networks, said Ron
Dorman, vice president of
information assurance solutions
at Telos.

"That kind of defense is not
100 percent," Dorman said. "So
when somebody manages to
get through the hard coating
on the network layer and into
the application layer, this is
another layer of defenses."
The tools are used to look at
developed applications. That
will change as the center
expands and evolves, said
Rinaldi Pisani, a sales director
at Telos.

"Eventually the guys developing
applications will use the
source code analysis tool during
that upfront process so
that the code gets built
securely from the beginning,"
he said.

Applications built for medical
facilities, for example, will
benefit from the suite of tools
because Social Security numbers
and critical information
are often a major part of those

Application Security's
DbProtect suite will be the
main tool used to protect data
on Air Force systems. It combines
discovery, vulnerability
scanning, real-time activity
monitoring, auditing and
encryption. It also helps
ensure that regulatory compliance
requirements are met.

The suite is designed as a
layer of a multifaceted defense
system, said Ted Julian, vice
president of marketing and
strategy for Application

"What's unique about this
Air Force project is the relative
comprehensiveness of their
approach to try and solve this
data security epidemic," he

"There is no silver bullet,
because if there was one, we
wouldn't be in the security
predicament we're in now."

Automated approach

Database security is a
response to hackers changing
their attacks to focus on stealing
data they can sell.
Security installed where the
data lives ensures it's secure
no matter how the hackers
might access it. It also
secures against rogue insiders
who don't need to break
through the firewall to access

DbProtect addresses common
security holes, such as
changing all the default IDs
and passwords in a database.
That sounds simple, and in
some ways, it is. "The problem
is that, for a modern database,
there are between two and
three dozen default services
that get installed with a
default installation," Julian

Agencies can have hundreds
and even thousands of databases.
"Multiply a thousand by
two dozen accounts, that's a
lot of checks that you need to
run and if you don't have an
automated way to do that,
you'll probably never get it

Staff writer Doug Beizer can be
reached at dbeizer@1105govinfo.com.

About the Author

Doug Beizer is a staff writer for Washington Technology.

Reader Comments

Please post your comments here. Comments are moderated, so they may not appear immediately after submitting. We will not post comments that we consider abusive or off-topic.

Please type the letters/numbers you see above

What is your e-mail address?

My e-mail address is:

Do you have a password?

Forgot your password? Click here

Washington Technology Daily

Sign up for our newsletter.

Terms and Privacy Policy consent

I agree to this site's Privacy Policy.


contracts DB