From Silicon To Software

 

How Shifting Security Left Enables More Robust Defense Applications

By Joe Jarzombek, Director for Government, Aerospace & Defense Programs

Inside the satellites, aircraft, and navigation systems that support aerospace and defense programs is a network of complex software and semiconductors. While security is a key consideration in the civilian versions of these applications, it is imperative for designs that impact our national security.

Demand for more secure software and rapid application development has led to the emergence of risk-based DevSecOps, which adds security activities, increases depth, and improves testing governance. By shifting left from a reactive to proactive security approach and applying autonomous testing, developers can incorporate security at the right time and place. Indeed, proven application security tools integrated within a supporting CI/CD toolchain can minimize the time and effort needed to achieve authorization for changes in software to operate on a Department of Defense network or weapon system. Let’s take a closer look at why developers don’t need to be security experts to catch and resolve defects in aerospace and defense applications.

Most Security Breaches Hit the Application Layer, Not the Network

Modern applications are technology stacks that introduce complexity at three levels:

  1. The unit level, including code documentation, class or program design, and expression complexity
  2. The technology level, involving the intra-technology architecture, intra-layer dependencies, and inter-program invocation (and the associated security vulnerabilities and weaknesses)
  3. The system level, involving architectural compliance, integration quality, risk propagation, and application security

This structure is challenging for many software developers, as security risks have shifted away from the network. Research reveals that 84% of breaches originate at the application layer. So why are organizations spending more time and resources on the network than on the application?

Today’s software development calls for more of everything: more code, complexity, velocity, and, unfortunately, risk. This creates challenges for development teams for a variety of potential reasons:

  • Scanners find bugs but don’t prevent them
  • Developer guidance is not easily available
  • Developers are rarely security experts
  • Security has to be balanced against functionality, schedule, and risk

Step back and consider how applications are built. Assess how developers can produce code with fewer defects and security weaknesses—and without slowing down. Evaluate ways to track and manage open-source use, along with the security and license compliance risks that come with this. Look at whether you’ve addressed exploitable weaknesses, vulnerabilities, and data protection issues before deployment.

Application Security and Development Speed Can Co-Exist

A shift-left approach that accelerates collaboration between development and security organizations is what’s needed today to truly safeguard the application level against attacks. Speed is driving change in the software development process. As such, security practices need to align with this speed by being incorporated across the software development lifecycle (SDLC) from start to finish. According to Gartner, DevSecOps practices will be embedded in 80% of rapid development teams by 2021. Such practices should encourage higher speed, lower cost, reduced friction, and continuous feedback.

As an organization moves toward embracing DevSecOps practices, there are some technologies that can support this process shift. Static application security testing (SAST) and software composition analysis (SCA) can help developers deliver high-quality and more secure codebases at the front end of the pipeline. Dynamic analysis tools test running applications to uncover vulnerable behavior. Plus, using Code Sight in DevSecOps is like providing a spell-checker for software security. Let tools loaded with ‘security domain’ checkers under the hood do the work, leaving engineers to primarily tackle findings as part of typical defect management.

In its software security and quality portfolio, Synopsys provides these types of testing tools via its Polaris Software Integrity Platform™, an integrated application security toolset that equips security and development teams to build secure, high-quality software faster. For the fourth consecutive year, Gartner has named Synopsys a leader in its Magic Quadrant for Application Security Testing (AST), with a position that is the highest and furthest right in the Leaders Quadrant. Along with software security, Synopsys also provides the aerospace and defense industry with software development, silicon design, and optical solutions to help manage risk, cost, and compliance requirements. The top aerospace and defense semiconductor companies use Synopsys solutions for:

  • A broad range of software development tools and services, which allow security and quality to be built in at the beginning
  • Industry-leading design, verification, and test solutions that foster on-time delivery of reliable SoCs and FPGA-based designs
  • High-quality, silicon-proven IP and subsystems that reduce risk and accelerate development schedules
  • Access to 50 years of experience delivering innovative optical design and analysis software that helps meet specifications and minimize costs
  • A comprehensive solution for integrating security and quality into the SDLC and supply chain for early detection and remediation of software defects and vulnerabilities

By aligning DevSecOps with risk management strategies supported by our comprehensive portfolio of tools for aerospace and defense applications, organizations can create solutions that meet national security demands.

Learn More

For a deeper dive into this topic, watch the webinar, “Shifting Left to Accelerate Security Approvals for ATOs in Defense Programs.” Arming DevSecOps teams with proven application security tools integrated within their supporting test regimes and processes reduces the time and effort needed to address risks attributable to exploitable software in DoD networks and weapon systems:

  • Software application security testing in DevSecOps aligns well with changes in DoD guidance
  • Automated testing provides efficiencies throughout the software lifecycle at tactically relevant speeds
  • DevSecOps team members don’t need to be security experts: using tools with security checkers ‘under the hood’ enables them to catch security defects, much like using a spell-checker, which drives savings in time and resources while rapidly mitigating risks attributable to exploitable software
  • DevSecOps specialists need the means to address the pervasiveness of open-source software
  • DevSecOps teams need to use a variety of application security test tools to responsively scale to changes in software update/release cycles
  • Integrated reporting of exploitable software, both in terms of weaknesses and vulnerabilities, with prioritization of technical risks, better enables informed test and approval processes

Take advantage of other resources available to help you gain a better understanding of security solutions for microelectronics and software for aerospace and defense programs.