Air Force tests baked-in software security
The AOC Pathfinder project leverages agile development to ensure that the software is automatically certified.
To counter the growing sophistication of enemy hackers, the Air Force has embraced agile software development, testing and deployment processes.
Since cancelling the Air Operations Center (AOC) 10.2 contract with Northrop Grumman in July 2017, the Air Force has been adopting practices from Silicon Valley to improve software development. The AOC Pathfinder project, which aims to speed delivery of AOC weapon systems capabilities to the warfighter, takes advantage of automated builds multiple times a day, fuzzing and automated testing, according to Air Force Cyberspace Innovation Director Lauren Knausenberger.
“We are looking at redefining the way that we develop software in the government and how you bake security into the process so it is not an afterthought,” Knausenberger said at the Feb. 27 AFCEA Cybersecurity Technology Summit. “We are pushing toward proofs that have results -- where you might see language to fix vulnerabilities in 10 days or red teams and pen testing.”
Through the first two rounds of the Hack the Air Force bug bounty program, hackers identified previously unknown vulnerabilities for cash. Air Force Chief Information Security Officer Peter Kim said the program was “enlightening” because it surfaced hidden problems and showed how to fix them.
The Air Force’s current certification process is part of the problem, Kim said, as it can be burdensome for coders who must check software packages.
“Every time you create a widget, you need to build a huge certification package that causes people pain and suffering and lots of sorrow,” Kim said. “It is hundreds of pages thick, and they need to do all of these controls … [which doesn’t work] in the modern age.”
AOC Pathfinder is creating a new process to develop code. “Our goal in the near term is to certify the AOC software factory so everything coming out is automatically certified,” Knausenberger said. “We are pushing the proof toward the results.”