Upload
jared-caldwell
View
215
Download
2
Embed Size (px)
Citation preview
Feb 2007 http://www.nodc.noaa.gov/sog 1
Software Development Software Development and IT Security and IT Security
at NOAA/NESDIS/NODCat NOAA/NESDIS/NODC
John Relph and Ken CaseyJohn Relph and Ken CaseyNOAA National Oceanographic Data CenterNOAA National Oceanographic Data Center
February 2007February 2007
Feb 2007 http://www.nodc.noaa.gov/sog 2
Secure Application Design and Implementation
Consider security from the startConsider security from the start- Treat security as integral part of overall system designTreat security as integral part of overall system design- Difficult and costly to add security Difficult and costly to add security afterafter implementation implementation
Applications must be audited before Applications must be audited before deploymentdeployment- Standard practice at NODC and NESDISStandard practice at NODC and NESDIS- Required by Certification and Accreditation (CnA)Required by Certification and Accreditation (CnA)
Engineer for Simplicity, Reusability, and Engineer for Simplicity, Reusability, and ModularityModularity- Remove redundanciesRemove redundancies
Feb 2007 http://www.nodc.noaa.gov/sog 3
Follow Standard Practices
NIST Special Publication 800-27ANIST Special Publication 800-27A- Engineering Principles for Information Technology Engineering Principles for Information Technology
Security (A Baseline for Achieving Security)Security (A Baseline for Achieving Security)
NIST Special Publication 800-53NIST Special Publication 800-53- Recommended Security Controls for Federal Recommended Security Controls for Federal
Information SystemsInformation Systems
Developer Standard PracticeDeveloper Standard Practice- Check all inputs for validityCheck all inputs for validity- Prevent input from being interpreted as commandsPrevent input from being interpreted as commands- Buffer overflows, format string errorsBuffer overflows, format string errors- Perform peer code reviewsPerform peer code reviews
Feb 2007 http://www.nodc.noaa.gov/sog 4
Process Improvement
How to speed things up?How to speed things up?- Perform internal security auditsPerform internal security audits- Include audit history in documentationInclude audit history in documentation- Include results of any external auditsInclude results of any external audits
How to improve the product?How to improve the product?- Use standard library to check all user inputsUse standard library to check all user inputs- Separate user interface from internalsSeparate user interface from internals
• Achieved with OLFS - BES split?Achieved with OLFS - BES split?