40 likes | 183 Views
Software Development and IT Security at NOAA/NESDIS/NODC John Relph and Ken Casey NOAA National Oceanographic Data Center February 2007. Secure Application Design and Implementation. Consider security from the start Treat security as integral part of overall system design
E N D
Software Development and IT Security at NOAA/NESDIS/NODC John Relph and Ken Casey NOAA National Oceanographic Data Center February 2007 http://www.nodc.noaa.gov/sog
Secure Application Design and Implementation • Consider security from the start • Treat security as integral part of overall system design • Difficult and costly to add security after implementation • Applications must be audited before deployment • Standard practice at NODC and NESDIS • Required by Certification and Accreditation (CnA) • Engineer for Simplicity, Reusability, and Modularity • Remove redundancies http://www.nodc.noaa.gov/sog
Follow Standard Practices • NIST Special Publication 800-27A • Engineering Principles for Information Technology Security (A Baseline for Achieving Security) • NIST Special Publication 800-53 • Recommended Security Controls for Federal Information Systems • Developer Standard Practice • Check all inputs for validity • Prevent input from being interpreted as commands • Buffer overflows, format string errors • Perform peer code reviews http://www.nodc.noaa.gov/sog
Process Improvement • How to speed things up? • Perform internal security audits • Include audit history in documentation • Include results of any external audits • How to improve the product? • Use standard library to check all user inputs • Separate user interface from internals • Achieved with OLFS - BES split? http://www.nodc.noaa.gov/sog