By Joe Jarzombek, Director for Government, Aerospace & Defense Programs
Inside the satellites, aircraft, and navigation systems that support aerospace and defense programs is a network of complex software and semiconductors. While security is a key consideration in the civilian versions of these applications, it is imperative for designs that impact our national security.
Demand for more secure software and rapid application development has led to the emergence of risk-based DevSecOps, which adds security activities, increases depth, and improves testing governance. By shifting left from a reactive to proactive security approach and applying autonomous testing, developers can incorporate security at the right time and place. Indeed, proven application security tools integrated within a supporting CI/CD toolchain can minimize the time and effort needed to achieve authorization for changes in software to operate on a Department of Defense network or weapon system. Let’s take a closer look at why developers don’t need to be security experts to catch and resolve defects in aerospace and defense applications.
Modern applications are a technology stack that introduces complexity:
This structure is challenging for many software developers, as security risks have shifted away from the network. Research reveals that 84% of breaches originate at the application layer. So why are organizations spending more time and resources on the network than on the application?
Today’s software development calls for more of everything: more code, complexity, velocity, and, unfortunately, risk. This creates challenges for development teams for a variety of potential reasons:
Step back and consider how applications are built. Assess how developers can produce code with fewer defects and security weaknesses—and without slowing down. Evaluate ways to track and manage open-source use, along with the security and license compliance risks that come with this. Look at whether you’ve addressed exploitable weaknesses, vulnerabilities, and data protection issues before deployment.
A shift-left approach that accelerates collaboration between development and security organizations is what’s needed today to truly safeguard the application level against attacks. Speed is driving change in the software development process. As such, security practices need to align with this speed by being incorporated across the software development lifecycle (SDLC) from start to finish. According to Gartner, DevSecOps practices will be embedded in 80% of rapid development teams by 2021. Such practices should encourage higher speed, lower cost, reduced friction, and continuous feedback.
As an organization moves toward embracing DevSecOps practices, there are some technologies that can support this process shift. Static application security testing (SAST) and software composition analysis (SCA) can help developers deliver high-quality and more secure codebases at the front end of the pipeline. Dynamic analysis tools test running applications to uncover vulnerable behavior. Plus, using Code Sight in DevSecOps is like providing a spell-checker for software security. Let tools loaded with security-domain checkers under the hood do the work, leaving engineers to tackle findings primarily as part of typical defect management.
In its software security and quality portfolio, Synopsys provides these types of testing tools via its Polaris Software Integrity Platform™, an integrated application security toolset that equips security and development teams to build secure, high-quality software faster. For the fourth consecutive year, Gartner has named Synopsys a leader in its Magic Quadrant for Application Security Testing (AST), with a position that is the highest and furthest right in the Leaders Quadrant. Along with software security, Synopsys also provides the aerospace and defense industry with software development, silicon design, and optical solutions to help manage risk, cost, and compliance requirements. The top aerospace and defense semiconductor companies use Synopsys solutions for:
By aligning DevSecOps with risk management strategies supported by our comprehensive portfolio of tools for aerospace and defense applications, organizations can create solutions that meet national security demands.
For a deeper dive into this topic, watch the webinar, “Shifting Left to Accelerate Security Approvals for ATOs in Defense Programs.” Arming DevSecOps teams with proven application security tools integrated within their supporting test regimes and processes reduces the time and effort needed to address risks attributable to exploitable software in DoD networks and weapon systems:
Take advantage of other resources available to help you gain a better understanding of security solutions for microelectronics and software for aerospace and defense programs.