New center seeks to shield vital military applications from evolving threats.
Key U.S. Defense Department command and control and logistics applications are vulnerable to new types of cyberspace attacks. The U.S. Air Force’s Application Software Assurance Center of Excellence (ASACE) seeks to assess mission-critical applications for vulnerabilities and to correct them when they are detected.
Cyberspace is the latest realm that the U.S. Defense Department is seeking to dominate in its efforts to protect national security and to project force. But this goal has not gone unchallenged as hackers from a variety of nations and criminal and terrorist organizations have tried to penetrate government networks to steal information or cause damage.
The Defense Department has become adept at protecting its network perimeters with firewalls and intrusion detection systems. However, in recent years, hackers have found ways to access government networks through weaknesses in existing applications such as logistics or command and control systems. To counter these threats, the U.S. Air Force recently launched the Application Software Assurance Center of Excellence (ASACE) to assess and strengthen its defenses against internal attack.
The ASACE is part of the Air Force’s 754th Electronic Systems Group (ELSG), Maxwell Air Force Base–Gunter Annex,
“We need to secure the work of the net in addition to the network,” explains Garcia. He notes that there are many specialists who secure networks with first-tier perimeter defenses, but he adds that network-centric environments benefit from second-tier security work on applications. The ELSG began assessing its software capabilities based on these criteria. The 754th hosts many of the core combat support applications that drive the Air Force’s and the Defense Department’s abilities to execute operations. “It was an awakening. We’ve got to spend time and resources focusing on the applications assurance side of our business,” he says.
Telecommunications industry analysts such as the Gartner Group also identified the emergence of application-level attacks in recent years. Garcia cites Gartner research indicating that 75 percent of hacking attacks occur at the application level. “It drove us to redouble our efforts and focus not on network security but on security that works in the net,” he shares.
The need to meet these security requirements led to the formation of the ASACE. Garcia notes that the center’s main objective is to ensure that the Air Force can conduct cyberspace operations. “Our applications are really where that [operations] happens, and that’s why we want to make sure they’re secure and able to do the things that they’re supposed to do,” he says.
The center stood up in late October 2007 officially with the award of a two-year contract to the Xacta Corporation,
Garcia notes that the security posture of the Web differs from that of network environments. Commonly available hacking tools can be downloaded from the Web for use against applications. Besides widely distributed hacking tools, other major threats include broken authentication cycles, cross-site scripting and Structured Query Language (SQL) injection. “We want to make sure people understand the implications of being in a Web-centric environment and the unique threats that are exposed in that environment,” Garcia adds.
Ronald Dorman, vice president for information assurance solutions for Telos Corporation, says that the Air Force has focused its security at the network layer with firewalls and intrusion detection systems. Xacta Corporation is Telos’ subsidiary for security solutions. Dorman notes that the Defense Department has done a good job of securing its perimeters. However, hackers now employ tactics that can penetrate the outer perimeter. For example, a cross-scripting attack places malicious code at a Web site frequented by Air Force personnel. When users access a document or another object assumed to be safe from the site, they download the code onto their computer. The malicious code then seeks out vulnerabilities in the application.
In national security applications, if critical supplies, equipment or time-sensitive information can be misrouted, it may give an adversary a vital advantage during a conflict. For example, if an adversary causes a shipment of engine turbine blades to be sent to the wrong base, the delay in receiving the parts that this causes may prevent vital missions from being carried out. Even a brief delay in operations could provide the enemy with a needed pause in combat. Garcia points out that in a global mission environment, the ability to make an adversary pause before making a decision is an asset in the Defense Department’s time-critical targeting goals.
Xacta maintains a 12-person onsite team that is working with Air Force personnel to help stand up the center and train ASACE staff in the basics of securing applications and conducting assessments. Dorman shares that the center is forming smaller teams to perform assessments throughout the Air Force. “It’s a combination of standing up the processes and procedures so things are repeatable in the ELSG and then going out to some of the Air Force program offices and performing assessments of the software,” he adds.
The software tool used to conduct onsite analysis is the Fortify Source Code Analysis tool. This software application analyzes source code and highlights vulnerabilities that are present as well as any security architecture flaws. “It really gives the analyst a pointer as to where to look in the code for things that need to be fixed,” Dorman says.
Another tool the Xacta and Air Force teams are using is an IBM/Watchfire-developed program called AppScan. This is a Web-based penetration tool that examines Air Force applications for vulnerabilities in the source code. Dorman adds that the IBM and Fortify tools are interoperable so that flaws detected by one set of tests can be linked to repairs with the other software application.
Planning is underway to put some scanning and assessment tools into an operational environment. The key tool for this purpose is Application Security’s AppRadar. Dorman explains that this tool scans an application and provides the team with information about which programs are most vulnerable, allowing priorities to be established for the assessment process.
When weaknesses in an application are detected, the Fortify Defender tool is used to shield the application. This software protects an application from hackers and malicious inside attacks until patches can be written in the application source code.
The center has formed four teams that are focused on combat support and command and control applications within the ELSG. The center will send its toolsets to Air Force application program staff. The teams will conduct assessments and then teach the application staff to conduct their own assessments. “We have numerous applications that are fielded. The vision of the center is to start with what’s fielded, and then we’ll work toward what we will be acquiring or developing,” says Garcia.
The center will not issue approvals or citations for application software. Garcia explains that the offices owning the applications will be responsible for delivering agreements or requirements to their user communities. “We just want to assist them in helping them deliver that required capability,” he says.
The ASACE seeks to partner with Air Force programs and so transfers to them responsibility for delivering applications to their requirements set. But Garcia says he wants to enable program offices to use the right tools to make sure that application delivery is done cost-efficiently and securely. The center currently supports six to nine applications within the ELSG. Garcia hopes to begin looking outside his specific wing to support other programs’ applications over the next two to four months.
Besides supporting critical enterprise applications in the Air Force, the center is involved in several governmentwide initiatives. One effort is the Air Force Standard Desktop Configuration. This is a best practice that is conforming every desktop computer to a standard set of applications. The arrangement helps the service reduce the time it takes to install software patches. Garcia explains that previously when Air Force computers were not standardized, it took up to 57 days to implement patches across the service. The Standard Desktop Configuration effort shortened the implementation time to three days, and he notes that the current goal is to further reduce the installation time to one day.
The federal government adopted the Standard Desktop Configuration as a federal best practice. The U.S. Office of Personnel Management has pushed the configuration as a requirement for all agencies to develop a standard desktop configuration concept and implementation. “This will help us secure the desktop with no applications, no configuration, and it reduces the time to remediate those developments that occur,” Garcia says.
Another federal initiative focuses on the data security of mobile devices. The center conducted a data-at-rest acquisition that, Garcia notes, was the first time an enterprise software initiative was made available to state and local governments. The contract provides encryption capabilities allowing mobile devices to meet the Defense Department’s goal to secure unclassified data on mobile computing and storage devices. This initiative targets laptop computers, personal digital assistants, portable storage media and trusted platform modules. The contract was awarded in June 2007.