A layered shield

Telos helps the Air Force develop a model of protection.

Project: Application and database security

Agency: Air Force

Partners: Telos Corp., Cigital Inc., Fortify Software Inc., IBM/Watchfire Corp. and Application Security Inc.

Goal: Improve security for the application and database layers of Air Force
systems.

Obstacles: Many of the new systems are Web-based, exposing them to
more security vulnerabilities and hacker attacks.

Solution: A suite of tools to create multilayer protection.

Payoff: A model for application and data security has been established for
the Air Force and other agencies.

Transitioning from proprietary systems to commercial products and Web applications has been a boon for the Air Force. The Air Force can implement software more quickly, widely and cheaply than with the systems it used in the past. The new model also comes with new security issues. Like other government agencies and private organizations, the Air Force is under constant threat from hackers looking to steal sensitive information. It's a worldwide problem that's mushroomed during the past two years.

More than 165 million records containing personal information have been breached since 2005, according to the Privacy Rights Clearinghouse, a nonprofit consumer information and advocacy organization. Vulnerable databases and Web applications are among the leading contributors to the problem.

To fight back, Air Force officials have established an applications and software assurance center that provides a comprehensive way to test and protect the service's applications and databases, said Greg Garcia, director of the 754th Electronic Systems Group at Maxwell Air Force Base-Gunter Annex, Ala. The center eventually will be available to the entire Air Force and could be a model for other defense and civilian agencies.

"The Air Force has really transitioned from a developer of software to an implementer of software," Garcia said. "We've shifted from the government-owned, government-developed model to the commercial, off-the-shelf model."

With that, the Air Force has moved from a client/server world to net-centric operations, which forces more applications to be Web-enabled. Although that move and the adoption of a plug-and-play service-oriented architecture enable faster adoption of software, the Air Force faces a challenge in securing new systems.

"The way I like to phrase it is that we need to secure the work of the net, in addition to the network," Garcia said.

For many years, the focus has been on securing the network, but little energy and few resources were spent on the applications that reside on the network. Web-centric systems bring a different set of vulnerabilities to the forefront. Issues such as cross-site scripting or weak authentication can lead to breaches in a system.

The project started out by conducting code analysis of source code, compiled code and the run environments. That took about 18 months and revealed that the vulnerabilities in the world are evolving quickly. Air Force officials realized a concentrated effort was needed to address such potential vulnerabilities as they develop.

Four components make up the Center of Excellence:

  • A source code analysis suite.
  • A Web penetration tool to
    identify vulnerabilities.
  • Database protection.
  • The ability to protect Web
    applications until developers
    can fix source code.

Telos Corp. won the contract to help build the Application Software Assurance Center of Excellence. Telos' team includes Cigital Inc., Fortify Software Inc., IBM/Watchfire Corp. and Application Security Inc.

Perimeter security

Over the years, the Defense Department has done a good job of building perimeter security for its networks, said Ron Dorman, vice president of information assurance solutions at Telos.

"That kind of defense is not 100 percent," Dorman said. "So when somebody manages to get through the hard coating on the network layer and into the application layer, this is another layer of defenses."

The tools are used to look at developed applications. That will change as the center expands and evolves, said Rinaldi Pisani, a sales director at Telos.

"Eventually the guys developing applications will use the source code analysis tool during that upfront process so that the code gets built securely from the beginning," he said.

Applications built for medical facilities, for example, will benefit from the suite of tools because Social Security numbers and critical information are often a major part of those applications.

Application Security's DbProtect suite will be the main tool used to protect data on Air Force systems. It combines discovery, vulnerability scanning, real-time activity monitoring, auditing and encryption. It also helps ensure that regulatory compliance requirements are met. The suite is designed as a layer of a multifaceted defense system, said Ted Julian, vice president of marketing and strategy for Application Security.

"What's unique about this Air Force project is the relative comprehensiveness of their approach to try and solve this data security epidemic," he said. "There is no silver bullet, because if there was one, we wouldn't be in the security predicament we're in now."

Database security is a response to hackers changing their attacks to focus on stealing data they can sell. Security installed where the data lives ensures it's secure no matter how the hackers might access it. It also secures against rogue insiders who don't need to break through the firewall to access data.

Automated approach

DbProtect addresses common security holes, such as changing all the default IDs and passwords in a database. That sounds simple, and in some ways, it is. "The problem is that, for a modern database, there are between two and three dozen default services that get installed with a default installation," Julian said.

Agencies can have hundreds and even thousands of databases. "Multiply a thousand by two dozen accounts, that's a lot of checks that you need to run and if you don't have an automated way to do that, you'll probably never get it done."
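Julian's arithmetic (thousands of databases times dozens of default accounts) is the case for automating the check. The following is an added example, not code from the article, Telos or DbProtect: a Python audit that walks a constructed inventory of database instances against a constructed baseline of default accounts (the product and account names are invented for this example), flags default accounts that are still enabled or still carry the shipped password, and counts how many checks it had to run.

```python
from dataclasses import dataclass
from typing import Dict, List, Tuple
import hashlib

def pw_hash(password: str) -> str:
    """Stand-in for whatever password hash the inventory export stores per account."""
    return hashlib.sha256(password.encode()).hexdigest()

# Constructed baseline: per placeholder database product, the accounts a default
# installation creates and the hash of the password they ship with (invented names).
DEFAULT_BASELINE: Dict[str, Dict[str, str]] = {
    "exampledb": {"dbadmin": pw_hash("dbadmin"), "report_svc": pw_hash("report"),
                  "monitor": pw_hash("monitor")},
    "otherdb": {"sysowner": pw_hash("change_me"), "replica": pw_hash("replica")},
}

@dataclass
class DbInstance:
    host: str
    product: str
    accounts: Dict[str, Tuple[str, bool]]  # account -> (password hash, enabled?)

def audit_instance(inst: DbInstance) -> List[Tuple[str, str, str]]:
    """Return (host, account, finding) for each default account still at risk."""
    findings = []
    for account, shipped_hash in DEFAULT_BASELINE.get(inst.product, {}).items():
        if account not in inst.accounts:
            continue  # default account was removed: nothing to report
        current_hash, enabled = inst.accounts[account]
        if not enabled:
            continue  # disabled default account: acceptable
        if current_hash == shipped_hash:
            findings.append((inst.host, account, "default password unchanged"))
        else:
            findings.append((inst.host, account, "default account still enabled"))
    return findings

def audit_fleet(instances: List[DbInstance]) -> Dict[str, object]:
    """Audit every instance and count how many checks that took."""
    findings = [f for inst in instances for f in audit_instance(inst)]
    checks = sum(len(DEFAULT_BASELINE.get(i.product, {})) for i in instances)
    unchanged = sum(1 for f in findings if f[2] == "default password unchanged")
    return {"checks": checks, "findings": findings, "unchanged": unchanged}

# Constructed inventory of three instances, as a discovery scan might export it.
FLEET = [
    DbInstance("db01.example", "exampledb", {"dbadmin": (pw_hash("dbadmin"), True),
               "report_svc": (pw_hash("x9!"), True), "monitor": (pw_hash("monitor"), False)}),
    DbInstance("db02.example", "otherdb", {"sysowner": (pw_hash("Str0ng-pass"), True)}),
    DbInstance("db03.example", "exampledb", {"dbadmin": (pw_hash("dbadmin"), True), "monitor": (pw_hash("monitor"), True)}),
]
```

Across three instances the audit already needs eight checks; at the scale Julian describes the same loop runs tens of thousands of times, which is why a human cannot keep up by hand.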
Staff writer Doug Beizer can be
reached at dbeizer@1105govinfo.com.