Federal Software Scrubs Mobile Apps
A DHS tool automatically tests and vets
government mobile device code prior to release.
A new software tool allows federal agencies to scan mobile device applications for security and accessibility issues prior to publishing them. The automated process allows developers to check their code rapidly against a variety of government guidelines to ensure that new mobile applications keep personnel and their organizations safe from hacking and other malicious outside threats.
Developed by the Department of Homeland Security (DHS), the CarWash tool helps users by expediting the applications development process from concept to deployment to discover vulnerabilities before release. This platform-agnostic analysis and vetting software permits the automated testing of mobile applications against a series of security guidelines. According to the DHS, developers and vendors submit their software code to the tool, which then runs through a testing cycle to ensure compliance and checks for security and accessibility flaws. Like its car-cleaning namesake, the tool automatically runs code through and looks for flaws. The results of each cycle are displayed on a user dashboard that allows developers to review how their code scored against the department’s accessibility and security measures.
Besides security, an important measure is compliance with Section 508 of the Workforce Rehabilitation Act, which requires all federally developed electronic information to be accessible to people with disabilities. If the application meets DHS guidelines, the agencies can publish it. If not, they can make changes based on the dashboard’s recommendations and restart the cycle.
According to DHS officials, CarWash allows agencies to reuse or “piggyback” on work done by other agencies, and it helps the DHS directly support the Obama administration’s digital government strategy. CarWash is also part of a larger effort by the DHS to embrace open source software to save on information technology-related costs, explains Greg Capella, deputy executive director for enterprise systems development, Office of the DHS chief information officer. The department is using open source software internally for its servers and for mobile applications, Capella said at the Red Hat Government Symposium in Washington D.C., in November.
CarWash began as a pilot program at the DHS, but the broader goal was to make it available to the entire federal government, Capella says. CarWash works by running a series of tests on any potential mobile application that might be used by the DHS. For example, Android or iOS applications would be analyzed for good coding practices. CarWash looks for security holes such as SQL injections or other flaws that might be exploited, he says.
The tool also determines if the most current version of a product is being used. CarWash provides agencies with a series of automated tests and produces feedback as to whether or not the organization has done a good job of coding a particular application, Capella explains. “It gives you everything from coding best practices all the way to security, [section] 508 and other compliance checks,” he says.
“This is one of the ways we want to tune up the way we’re using open source,” Capella adds. But the challenge is not to introduce security holes or other issues while the DHS is trying to make use of these open source mobile platforms. While the program was in the early pilot phase, he notes, CarWash was presented to the federal Chief Information Officers (CIO) Council for its consideration and approval.
CarWash is hosted in the DHS public cloud. It was developed by the DHS in collaboration with the General Services Administration (GSA), the Department of Justice (DOJ), the Census Bureau and private-sector partners. Department officials add that the tool’s development team is working with a number of partners, including DHS Public Affairs, the Transportation Security Administration, the Federal Emergency Management Agency, the Bureau of Customs and Border Protection, the DOJ, the GSA, the Census Bureau and the Social Security Administration.
While it was developing and piloting CarWash, the DHS began a dialogue with vendors about security issues on products and how the tool could best detect them, Capella says. Vendors participated by demonstrating how they could add additional value and security to the code they provide to the DHS and other federal agencies. For example, he notes, one vendor specifically focused on examining modules within the application’s code. In this case, it was not simply buying a single open source product—there are objects inside a product that can come from sources that could be security risks. He adds that this particular vendor pointed out that there are pieces of code in a software release that may or may not be the most correct for an agency’s mobile application.
Capella is pleased that the vendor community is working to help the DHS and other federal agencies on mobile device security. This is especially important when dealing with open source software, where various modules can come together to form larger components within the environment. An important part of CarWash is to help facilitate the sharing of software modules between agencies to rapidly piece together mobile applications. However, these “greater wholes” can be potential trouble if they are not analyzed and vetted, he adds.
The DHS uses open source software for its public-facing clouds. Capella notes that the department is migrating almost entirely to open source for its public websites. While this move has been very valuable and cost-effective for the agency, it adds security challenges because these products have seams in their security protocols that do not necessarily overlap. “You rarely have a suite that runs the full gamut [of security protocols],” he explains.
It is in this area where the most friction concerning usability and security issues exists, but Capella adds that overall the department is very pleased with using open source software and the options that it provides. Open source allows different software tools to be inserted and swapped rapidly to meet new needs over time. “We’re not locked in as we might be with a closed ecosystem, which we prefer. And we certainly prefer the price point,” he says.
The DHS also is looking at additional governance tools for mobile applications. Capella notes that the department wants to keep mobile device security as tightly locked down as possible. An important part of this process is ensuring that applications are delivered in a highly secure manner. The department is looking at iOS, which might be more secure in some ways than Android, because of its openness. “Overall, that is our intent, to deploy solutions that support digital government and make accessible more data for the community,” he says.
To support this, the DHS wants to bring in more small applications development firms to write software for the government. This is where tools such as CarWash are necessary to vet these applications and to ensure that they do not have Trojan horses or other software issues in them, Capella maintains.
The DHS runs 13 separate clouds, Capella says. Three of these clouds are public-facing, and one of these three is still in the process of being deployed, he adds. The DHS is using a number of management tools to help run these clouds. Department administrators use several open source configuration management tools to help with billing and other routine operations. However, the software composition of the clouds varies, with the external clouds being mostly open source, while the internal clouds are a mixture of both. Capella notes that the blending of open source and proprietary software does not cause many configuration issues.
Additionally, the department relies on legacy applications that may not interact well with open source systems. Because rebuilding these older applications would be prohibitive or impossible, there needs to be an environment for them to operate in, he explains. The department has modified them wherever possible to operate with other systems, but some of these applications “have painted themselves into corners” and cannot operate with other, newer software or middleware. “We have some old software that just can’t be patched without breaking the application,” he says.
CarWash is part of a broader DHS effort to create a common operating environment hosting a ubiquitous information technology platform that could be upgraded easily without the need for major development or modifications. DHS officials note the department is constructing a Web interface that will allow federal agencies to buy vetted cloud computing services. The purchases will be made via a Web interface designed to promote the rapid development and deployment of Web and mobile services, officials say. “We find open source works for us, both for security, [Section] 508 and other compliance and we intend to continue to push in that direction,” Capella states.