Software Development and IT Security at NOAA/NESDIS/NODC

John Relph and Ken Casey
NOAA National Oceanographic Data Center
February 2007
http://www.nodc.noaa.gov/sog


Secure Application Design and Implementation

Consider security from the start
- Treat security as integral part of overall system design
- Difficult and costly to add security after implementation

Applications must be audited before deployment
- Standard practice at NODC and NESDIS
- Required by Certification and Accreditation (CnA)

Engineer for Simplicity, Reusability, and Modularity
- Remove redundancies


Follow Standard Practices

NIST Special Publication 800-27A
- Engineering Principles for Information Technology Security (A Baseline for Achieving Security)

NIST Special Publication 800-53
- Recommended Security Controls for Federal Information Systems

Developer Standard Practice
- Check all inputs for validity
- Prevent input from being interpreted as commands
- Buffer overflows, format string errors
- Perform peer code reviews
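The developer practices listed above (validity checks, input never interpreted as commands, no buffer overflows or format string errors), combined in one shared check. This is an added example, not code from the slides or from NODC; the names `valid_name`, `format_request`, `DATASET_NAME_MAX` and the sample inputs are assumptions constructed for illustration.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

#define DATASET_NAME_MAX 32  /* assumed length limit for this example */

/* Allowlist check: 1..DATASET_NAME_MAX characters from [A-Za-z0-9_.-],
   not starting with '.' or '-'. One rule rejects shell metacharacters,
   path separators, whitespace and '%' instead of denylisting each. */
int valid_name(const char *s)
{
    size_t n, i;
    if (s == NULL) return 0;
    n = strlen(s);
    if (n == 0 || n > DATASET_NAME_MAX) return 0;
    if (s[0] == '.' || s[0] == '-') return 0;
    for (i = 0; i < n; i++) {
        unsigned char c = (unsigned char)s[i];
        if (!(isalnum(c) || c == '_' || c == '.' || c == '-')) return 0;
    }
    return 1;
}

/* Build a log line from user input. Returns the number of bytes written,
   or -1 if the input is rejected or the line does not fit. The input is
   passed as data for "%s", never as the format string, and snprintf
   bounds the write to the destination size. */
int format_request(char *out, size_t outsz, const char *name)
{
    int n;
    if (!valid_name(name)) return -1;
    n = snprintf(out, outsz, "request dataset=%s", name);
    if (n < 0 || (size_t)n >= outsz) return -1;  /* truncated: fail closed */
    return n;
}

int main(void)
{
    /* Constructed sample inputs: one valid name and three rejected ones. */
    const char *samples[] = { "sst_2007-02.nc", "data.nc; id", "%n%n", "../x" };
    char line[64];
    size_t i;
    for (i = 0; i < sizeof samples / sizeof samples[0]; i++)
        puts(format_request(line, sizeof line, samples[i]) >= 0 ? line : "rejected");
    return 0;
}
```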


Process Improvement

How to speed things up?
- Perform internal security audits
- Include audit history in documentation
- Include results of any external audits

How to improve the product?
- Use standard library to check all user inputs
- Separate user interface from internals
  • Achieved with OLFS - BES split?