The 2013 National Defense Authorization Act (NDAA), signed into law by President Obama on January 2, features new provisions governing software procurement, including a requirement calling for the use of automated source code analysis tools during the development process. Under the law’s Section 933, the under secretary of defense for acquisition, technology and logistics, in conjunction with the chief information officer of the Department of Defense (DOD), has been tasked with developing a baseline software assurance policy covering the entire lifecycle of systems adopted by DOD.
The law mandates that the baseline software assurance policy “require use of appropriate automated vulnerability analysis tools in computer software code during the entire lifecycle of a covered system, including during development, operational testing, operations and sustainment phases and retirement.” Covered systems include major DOD critical information and weapons systems. Vendors will also be required to identify security vulnerabilities, prioritize them according to risk and determine strategies for handling them. The policy will require remediation strategies to be built into contract requirements and the product evaluation process, and it will also be expected to “promote best practices and standards to achieve software security, assurance and quality” while supporting a flexible approach toward software development methodologies.
In addition to developing a baseline policy, officials have been tasked with preparing a research and development strategy for improving vulnerability detection tools and proposals for how the Pentagon might hold contractors liable for software defects and vulnerabilities. This information, along with an explanation of state-of-the-art source code analysis techniques, will be included as part of a congressional briefing to take place within the year.
A growing concern
The software assurance policy requirements are just one component of a larger cybersecurity focus in the current NDAA, which also includes provisions for network security and quarterly “cyber operations briefings.” Government agencies such as the Department of Homeland Security (DHS) and the Defense Advanced Research Projects Agency (DARPA) have warned of growing cybersecurity risks. DARPA researchers recently announced fears of “pervasive vulnerabilities” in the embedded software of military tools such as drones, while DHS has advocated for improved security practices across a range of industries.
In 2011, DHS released a scoring guide for developers to evaluate software security during the coding process. At the time, DHS noted that organizations of all types are increasingly holding developers and vendors accountable for software defects, placing on them the responsibility for catching vulnerabilities during the development lifecycle. As DOD procurement policies are revised to require the use of automated vulnerability detection tools and to potentially increase vendor liability for system flaws, building best practices for catching errors into the development process will become even more important. Organizations and vendors can look to adopt tools such as static analysis software to comply with forthcoming DOD policy changes and to help ensure their software meets industry expectations.
Software news brought to you by Klocwork Inc., dedicated to helping software developers create better code with every keystroke.