Software Development and IT Security at NOAA/NESDIS/NODC
John Relph and Ken Casey
NOAA National Oceanographic Data Center
February 2007
http://www.nodc.noaa.gov/sog

Secure Application Design and Implementation
• Consider security from the start
  • Treat security as integral part of overall system design
  • Difficult and costly to add security after implementation
• Applications must be audited before deployment
  • Standard practice at NODC and NESDIS
  • Required by Certification and Accreditation (CnA)
• Engineer for Simplicity, Reusability, and Modularity
  • Remove redundancies

Follow Standard Practices
• NIST Special Publication 800-27A
  • Engineering Principles for Information Technology Security (A Baseline for Achieving Security)
• NIST Special Publication 800-53
  • Recommended Security Controls for Federal Information Systems
• Developer Standard Practice
  • Check all inputs for validity
  • Prevent input from being interpreted as commands
  • Buffer overflows, format string errors
  • Perform peer code reviews

Process Improvement
• How to speed things up?
  • Perform internal security audits
  • Include audit history in documentation
  • Include results of any external audits
• How to improve the product?
  • Use standard library to check all user inputs
  • Separate user interface from internals
    • Achieved with OLFS - BES split?
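
The developer practices named on the slides above (check all inputs, keep input from being interpreted as commands or format strings, route every check through one shared routine, keep the interface apart from the internals), shown as an added C example that is not from the NODC presentation. The function names, the dataset-name field, and the 32-character limit are assumptions made for illustration.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

#define NAME_MAX_LEN 32 /* assumed field limit for this example */

/* Shared check used by every entry point: non-empty, bounded length,
 * allowlist of [A-Za-z0-9_.-], and no leading '-' or '.', so the value
 * cannot act as a shell metacharacter, an option, or a format directive. */
int input_is_valid(const char *s, size_t max_len)
{
    size_t n = 0;
    if (s == NULL || s[0] == '-' || s[0] == '.') return 0;
    for (; s[n] != '\0'; n++) {
        unsigned char c = (unsigned char)s[n];
        if (n >= max_len) return 0;
        if (!isalnum(c) && c != '_' && c != '.' && c != '-') return 0;
    }
    return n > 0;
}

/* Interface layer: validate, then copy into the caller's fixed buffer.
 * Returns 0 on success, -1 on rejection (out is left an empty string). */
int accept_dataset_name(const char *raw, char *out, size_t out_size)
{
    if (out == NULL || out_size == 0) return -1;
    out[0] = '\0';
    if (!input_is_valid(raw, NAME_MAX_LEN)) return -1;
    if (strlen(raw) >= out_size) return -1; /* would overflow out */
    memcpy(out, raw, strlen(raw) + 1);
    return 0;
}

/* Internal layer: user data is an argument to "%s", never the format. */
int format_log_line(const char *name, char *line, size_t line_size)
{
    int n = snprintf(line, line_size, "request dataset=%s", name);
    return (n >= 0 && (size_t)n < line_size) ? 0 : -1;
}

int main(void)
{
    /* Constructed sample inputs, not taken from any real system. */
    const char *samples[] = { "sst_2007.nc", "sst.nc; id", "%x%x%n", "-rf" };
    char name[16], line[64];
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++) {
        int ok = accept_dataset_name(samples[i], name, sizeof name) == 0 &&
                 format_log_line(name, line, sizeof line) == 0;
        printf("#%zu: %s\n", i, ok ? line : "rejected");
    }
}
```

Rejected inputs are reported by index rather than echoed, so hostile text never reaches the log.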