Air Force Flies Toward Web Application Security

Oct 24, 2007

Many of the U.S. Air Force’s mission-critical logistics applications, such as its cargo scheduling software, were developed to be used in a closed network environment. But now that the U.S. military is shifting toward greater use of the Internet, there’s heightened concern about making sure Web-based applications don’t get shot down by hackers exploiting software flaws.

“The Department of Defense and the Air Force are moving to a more ’Net-centric approach,” says Greg Garcia, member of the Senior Executive Service of the U.S. Air Force and Director of the 754th Electronic Systems Group (ESG) based at Maxwell Air Force Base at Gunter Annex, Ala. “Many of our applications in the past were built to be on closed networks. But now we’re being more Web-focused and using commercial-off-the-shelf software to a greater degree.”

This transition is raising concern in military circles that there will be break-in attempts, such as SQL injection, cross-site scripting or other attack methods, aimed at throwing Web-based logistics systems into disarray.

To defend against that, one step the Air Force is taking is to establish the USAF Application Software Assurance Center of Excellence to define “application security best practices,” Garcia says.

The USAF Application Software Assurance Center, managed by the 754th ESG, will focus on source-code analysis, penetration testing, application shielding and database monitoring procedures.

The 754th ESG also intends to work closely with the 554th ESG responsible for testing IT systems used in combat support. Others responsible for military technology, including the National Security Agency and the Defense Information Systems Agency, are also partners in the project.

Security vendors are being drafted for the project. Cigital, Fortify, Watchfire (acquired by IBM), and Application Security have been tapped under a contract awarded to Telos to help set up the Application Software Assurance Center of Excellence at Maxwell AFB. The two-year award, placed under the larger NETCENTS contract, is valued at a minimum of $10.2 million and a maximum of up to $75 million to provide application-level security products and services.

Garcia says he anticipates a phased plan that will begin with procedures such as analyzing source code for vulnerabilities or wrapping Fortify’s Defender shield around software to protect application code.

As the Air Force gains more experience with these application-security tools and processes, Garcia says, a decision may be made at a future date to craft specific standards that could require software to be evaluated by the Air Force in this way.

“As we get more success in this area, we’ll make an assessment,” Garcia says. He notes that the 754th ESG has in the past contributed to technology policies for the Air Force, such as an architecture for wireless use. The 754th is also where the Air Force’s enterprise-wide desktop license with Microsoft is administered, covering about 500,000 desktop computers that use the Air Force security configuration.

Garcia says he expects the Application Software Assurance Center of Excellence would be sharing its experiences over time with other military and civilian agencies in the federal government.

By Ellen Messmer, Network World (US)