Case Study: Advanced Software Vulnerability Scanning for Legacy Code Bases

Subject: VeriScan (Now known as CodeValor™)

The Challenge:

During the build of the Objective Simulation Framework (OSF), the client’s most comprehensive modeling simulation, there was a requirement for high-level assurance of the security of the code. Because the OSF simulates the full scope of operations of the Ballistic Missile Defense System (BMDS), the code base was extremely large and included older, legacy coding languages that can’t be scanned using commercial software scanning tools.

The Solution:

Sentar’s solution to the problem was two-fold, encompassing both process and technology. On the process side, we integrated security testing early in the development lifecycle so that scans (and mitigation of any vulnerabilities found) were part of the Agile/Scrum cycles, as an acceptance criterion for builds. On the technology side, we developed veriScan with an intuitive user interface, making it easy to use for both developers and analysts with minimal training. veriScan is also developer-friendly: it can be set to scan across iterative stages of development, so a developer can run it regularly during the process and focus scans only on the new or changed code. A variety of scanning tools are built in “under the hood” to accommodate multiple languages, and we provide an aggregated analysis and impact assessment of the vulnerabilities identified. Finally, because of the large legacy code base in Fortran (and the lack of commercial scanning options), Sentar developed and implemented a Fortran scanner. All scans in veriScan provide the analyst with a mapping to the Common Weakness Enumeration (CWE) and the Development Security Technical Implementation Guide (STIG).
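The two mechanics this paragraph describes, restricting a scan to new or changed code and aggregating several tools’ output under a common CWE mapping, are illustrated below with a small Python example. It is added here for illustration and is not veriScan/CodeValor code; the tool names (`tool_a`, `tool_b`), their native rule ids, the CWE mapping table, the diff and the scanner results are all constructed for the example.

```python
import re
from collections import defaultdict
from dataclasses import dataclass

# Hypothetical per-tool mapping from a tool's native rule id to a CWE id.
# Real scanners ship their own CWE references; these ids are constructed.
CWE_MAP = {
    "tool_a": {"BND-01": "CWE-787", "UNUSED-03": "CWE-563"},
    "tool_b": {"ARRAY_OOB": "CWE-787", "SHELL_CALL": "CWE-78"},
}

@dataclass(frozen=True)
class Finding:
    tool: str
    path: str
    line: int
    rule: str   # the tool's native rule id
    cwe: str    # normalised CWE id, or "CWE-unmapped"

HUNK_RE = re.compile(r"^@@ -\d+(?:,\d+)? \+(\d+)(?:,\d+)? @@")

def changed_lines(unified_diff: str) -> dict:
    """Map each path in a unified diff to the set of new-file line numbers
    that the diff added or modified. Removed-only changes contribute nothing."""
    changed = defaultdict(set)
    path, new_line = None, 0
    for raw in unified_diff.splitlines():
        if raw.startswith("+++ "):
            name = raw[4:].split("\t")[0]
            path = name[2:] if name.startswith("b/") else name
        elif raw.startswith("--- ") or raw.startswith("\\"):
            continue  # old-file header, or "\ No newline at end of file"
        elif (m := HUNK_RE.match(raw)):
            new_line = int(m.group(1))  # first new-file line of this hunk
        elif path is None:
            continue
        elif raw.startswith("+"):
            changed[path].add(new_line)
            new_line += 1
        elif raw.startswith("-"):
            pass  # removed line: it has no counterpart in the new file
        else:
            new_line += 1  # context line
    return dict(changed)

def normalise(tool: str, path: str, line: int, rule: str) -> Finding:
    """Attach the CWE id for a tool's native rule; unknown rules are kept but flagged."""
    return Finding(tool, path, line, rule, CWE_MAP.get(tool, {}).get(rule, "CWE-unmapped"))

def scope_to_changes(findings, changed):
    """Keep only findings that sit on lines the diff added or modified."""
    return [f for f in findings if f.line in changed.get(f.path, set())]

def aggregate(findings):
    """Collapse the same weakness at the same location reported by several tools
    into one entry that lists the reporting tools, so an analyst triages it once."""
    groups = defaultdict(set)
    for f in findings:
        groups[(f.path, f.line, f.cwe)].add(f.tool)
    return {key: sorted(tools) for key, tools in groups.items()}

def incremental_report(diff, raw_results):
    """Pipeline: diff -> changed lines -> normalised, scoped, aggregated findings."""
    findings = [normalise(*r) for r in raw_results]
    return aggregate(scope_to_changes(findings, changed_lines(diff)))

# Constructed sample input: a small Fortran change (3 context lines, 1 removed, 2 added)
# and the raw output of two hypothetical scanners as (tool, path, line, native rule id).
SAMPLE_DIFF = "\n".join([
    "--- a/sim/propagate.f90",
    "+++ b/sim/propagate.f90",
    "@@ -10,4 +10,5 @@",
    "       real :: state(6)",
    "       integer :: i",
    "-      do i = 1, n",
    "+      do i = 1, n + 1",
    "+        call update(state, i)",
    "       end do",
])
SAMPLE_RESULTS = [
    ("tool_a", "sim/propagate.f90", 12, "BND-01"),
    ("tool_b", "sim/propagate.f90", 12, "ARRAY_OOB"),
    ("tool_a", "sim/propagate.f90", 3, "UNUSED-03"),  # pre-existing line, out of scope
    ("tool_b", "sim/io.f90", 40, "SHELL_CALL"),        # file not touched by this change
]

if __name__ == "__main__":
    for (path, line, cwe), tools in incremental_report(SAMPLE_DIFF, SAMPLE_RESULTS).items():
        print(f"{path}:{line} {cwe} reported by {', '.join(tools)}")
```

Scoping to changed lines is what makes a scan cheap enough to run on every sprint build, but it only reports weaknesses on lines the developer just touched; a periodic full-baseline scan is still needed so that pre-existing findings (the ones filtered out above) are tracked to closure.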

The Mission Impact:

• Reduced Development Timeline:

The integrated use of veriScan across the OSF project reduced the development timeline by 20%.

• Stronger Security Posture:

Developers were able to spend less time analyzing false positives, and more time reinforcing the code to better serve and protect the Ballistic Missile Defense System (BMDS). The deliverable product was able to achieve its Authority to Operate (ATO) quickly.

Please note: VeriScan is known as CodeValor as of May 2020. View CodeValor’s page for more details.

