Transitioning from proprietary systems to commercial products and Web applications has been a boon for the Air Force.
The Air Force can implement software more quickly, widely and cheaply than with the systems it used in the past. The new model also comes with new security issues. Like other government agencies and private organizations, the Air Force is under constant threat from hackers looking to steal sensitive information. It's a worldwide problem that's mushroomed during the past two years.
More than 165 million records containing personal information have been breached since 2005, according to the Privacy Rights Clearinghouse, a nonprofit consumer information and advocacy organization. Vulnerable databases and Web applications are among the leading contributors to the problem.
To fight back, Air Force officials have established an applications and software assurance center that provides a comprehensive way to test and protect the service's applications and databases, said Greg Garcia, director of the 754th Electronic Systems Group at Maxwell Air Force Base-Gunter Annex, Ala. The center eventually will be available to the entire Air Force and could be a model for other defense and civilian agencies.
"The Air Force has really transitioned from a developer of software to an implementer of software," Garcia said. "We've shifted from the government-owned, government-developed model to the commercial, off-the-shelf model."
With that, the Air Force has moved from a client/server world to net-centric operations, which forces more applications to be Web-enabled. Although that move and the adoption of a plug-and-play service-oriented architecture enable faster adoption of software, the Air Force faces a challenge in securing new systems.
"The way I like to phrase it is that we need to secure the work of the net, in addition to the network," Garcia said.
For many years, the focus has been on securing the network, but little energy and few resources were spent on the applications that reside on the network. Web-centric systems bring a different set of vulnerabilities to the forefront. Issues such as cross-site scripting or authentication can lead to breaches in a system.
The project started out by conducting code analysis of source code, compiled code and the run environments. That took about 18 months and revealed that the vulnerabilities in the world are evolving quickly. Air Force officials realized a concentrated effort was needed to address such potential vulnerabilities as they develop.
Four components make up the Center of Excellence:
- A source code analysis suite.
- A Web penetration tool to identify vulnerabilities.
- Database protection.
- The ability to protect Web applications until developers can fix source code.
Telos Corp. won the contract to help build the Application Software Assurance Center of Excellence. Telos' team includes Cigital Inc., Fortify Software Inc., IBM/Watchfire Corp. and Application Security Inc.
Over the years, the Defense Department has done a good job of building perimeter security for its networks, said Ron Dorman, vice president of information assurance solutions at Telos.
"That kind of defense is not 100 percent," Dorman said. "So when somebody manages to get through the hard coating on the network layer and into the application layer, this is another layer of defenses."
The tools are used to look at developed applications. That will change as the center expands and evolves, said Rinaldi Pisani, a sales director at Telos.
"Eventually the guys developing applications will use the source code analysis tool during that upfront process so that the code gets built securely from the beginning," he said.
Applications built for medical facilities, for example, will benefit from the suite of tools because Social Security numbers and critical information are often a major part of those applications.
Application Security's DbProtect suite will be the main tool used to protect data on Air Force systems. It combines discovery, vulnerability scanning, real-time activity monitoring, auditing and encryption. It also helps ensure that regulatory compliance requirements are met.
The suite is designed as a layer of a multifaceted defense system, said Ted Julian, vice president of marketing and strategy for Application Security.
"What's unique about this Air Force project is the relative comprehensiveness of their approach to try and solve this data security epidemic," he said.
"There is no silver bullet, because if there was one, we wouldn't be in the security predicament we're in now."
Automated approach
Database security is a response to hackers changing their attacks to focus on stealing data they can sell.
Security installed where the data lives ensures it's secure no matter how the hackers might access it. It also secures against rogue insiders who don't need to break through the firewall to access data.
DbProtect addresses common security holes, such as default IDs and passwords that have been left unchanged in a database. "That sounds simple, and in some ways, it is. The problem is that, for a modern database, there are between two and three dozen default services that get installed with a default installation," Julian said.
"Agencies can have hundreds and even thousands of databases. Multiply a thousand by two dozen accounts, that's a lot of checks that you need to run and if you don't have an automated way to do that, you'll probably never get it done."
Staff writer Doug Beizer can be reached at dbeizer@1105govinfo.com.



