Friday, September 18, 2009

Guidelines for Secure Use of Social Media by Federal Departments and Agencies, v1.0

Abstract: The use of social media for federal services and interactions is growing tremendously, supported by initiatives from the administration, directives from government leaders, and demands from the public. This situation presents both opportunity and risk. Guidelines and recommendations for using social media technologies in a manner that minimizes the risk are analyzed and presented in this document.

This document is intended as guidance for any federal agency that uses social media services to collaborate and communicate among employees, partners, other federal agencies, and the public.

Note: The Federal CIO Council does not endorse the use or imply preference for any vendor commercial products or services mentioned in this document.

Wednesday, September 9, 2009

IBM and the Grand Slams

IBM helps run the biggest tennis events in the world: the Grand Slams. Find out how we help.

Wednesday, September 2, 2009

Automating code reviews by integrating Rational Software Analyzer with Team Concert

This demo provides a brief overview of how organizations can automate their code quality reviews and processes by using Rational Software Analyzer together with Rational Team Concert. In the demonstration I customize the preconditions for delivering source code by adding a Software Analyzer rule in Team Concert, show how that rule fires when a developer delivers code, and finally show how to generate a Team Concert work item so the issue can be tracked and resolved.

Opening the Black Box: A Source Code Security Analysis Case Study


While businesses often understand the importance of maintaining secure applications, most companies have no idea whether their code is vulnerable or not. Applications have generally been accepted and deployed with no insight into their potential security impact, opening the floodgates for billions of dollars spent on patching systems, preventative technologies, and security services designed to protect against the compromise of flawed software.

We respectfully argue that the first step in assuring applications are secure is to open the black box: to look deep into the source code and identify the security vulnerabilities, design flaws, and policy violations that expose systems to attack. Peering even deeper, this process leads to the organizational root causes of the vulnerabilities, which can be addressed with an application security initiative to improve people and teams, policies and processes, and the technology supporting better software security.


Maximum Speed, Accuracy & Flexibility with Ounce give the U.S. Navy the 'Wave' of Security Needed



Security leaders in the U.S. Navy and researchers at the Johns Hopkins University Applied Physics Laboratory (JHUAPL) enforce security in military systems.

Few applications are more mission critical than the on-board systems that operate complex military assets, command and control systems, and secure, real-time communications. Combine top levels of security, global development alliances, and evolving architectural elements and you've got an extreme software security challenge.

This arm of the U.S. Armed Forces constantly faces software security and software integration challenges that push the limits of modern software development and deployment capabilities. With the stakes so high, and the margin of error so limited, only the best of the best can play here.

The U.S. Navy teamed up with JHUAPL to find the best-in-class processes and products that would enable security teams to quickly, efficiently and effectively identify and remediate software vulnerabilities. Researchers at JHUAPL sought automation that could deliver accuracy, and the solution had to do so reliably even when deployed in the most challenging operational environments, such as temporary runtime environments.

They needed to: identify vulnerabilities without the pain of wading through large volumes of information-level results and false positives; get in, set up, analyze and get out within hard deadlines; and analyze code in sub-optimal deployment environments. Remediation of software vulnerabilities also had to happen after the code was locked down and no longer available for inspection. This combination of requirements made finding a solution that worked a daunting challenge.


The U.S. Navy chose Ounce Labs because of its ability to meet a stringent set of challenging, and often conflicting, technical requirements. These included severe code complexity, embedded environments, distributed development, high security levels, the ability to enable remediation after code lockdown, and the need for the most accurate results possible. Budget and timeline were fixed.

All commercially available options were evaluated. Extensive technical and supplier evaluations were performed to select superior and proven technology from a viable supplier committed to the long term. Only Ounce Labs was able to demonstrate this combination of attributes. Ounce solutions were found uniquely capable of effectively deploying in a broad range of challenging operational environments.

Mobile security analysts were able to fly from location to location, set up, analyze large bodies of code, and take away the information required to follow up on remediation. Because the analysis results contained confirmed vulnerabilities, analysts saved the crucial time that would otherwise have been spent investigating the raw scan results produced by other products. Severity ratings and intelligent result groupings facilitated the analysis of potential vulnerabilities. Integration with change management and email systems meant defects could be assigned to owners around the globe in much the same way quality defects are handled.

Powerful reporting includes triage and analysis perspectives that allowed results to be intelligently managed. The Ounce SmartTrace™ feature provided a method to interactively trace tainted data paths, in which untrusted input is processed through an application without passing through proper validation or encoding routines. This feature was used to pinpoint and remediate vulnerabilities as well as to define custom validation routines according to internal security policy.
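To make the idea of a "tainted data path" concrete, here is a small forward taint-propagation tracer over a toy straight-line program. It is an added illustration written for this page, not SmartTrace or any Ounce Labs code; the operation names (`request_param`, `validate_int`, `html_encode`, `sql_exec`, `html_write`) and the sample program are constructed assumptions. It generalizes the paragraph's point slightly by checking that the sanitizer applied matches the sink's context: HTML encoding does not make data safe for a SQL sink, and vice versa.

```python
from __future__ import annotations
from dataclasses import dataclass

# Hypothetical operation vocabulary (an assumption for this example, not a
# vendor taxonomy).
SOURCES = {"request_param"}                   # operations that introduce untrusted input
SANITIZERS = {"validate_int", "html_encode"}  # validation / encoding routines
SINKS = {"sql_exec", "html_write"}            # operations where unvalidated data does damage
# A sanitizer only neutralizes taint for the sink context it was designed for.
ADEQUATE = {"sql_exec": {"validate_int"}, "html_write": {"html_encode"}}


@dataclass(frozen=True)
class Stmt:
    line: int
    dest: str | None            # variable assigned, or None for a pure sink call
    op: str                     # operation name: source, sanitizer, sink or plain op
    args: tuple[str, ...] = ()  # variable names consumed by the operation


@dataclass(frozen=True)
class Taint:
    origin: int                 # line where the untrusted data entered
    path: tuple[int, ...]       # statement lines the data has passed through
    sanitizers: frozenset[str]  # routines applied to it along the way


def trace(program: list[Stmt]) -> list[dict]:
    """Propagate taint forward through straight-line code and report every
    sink reached by data that lacks a sanitizer adequate for that sink."""
    env: dict[str, list[Taint]] = {}  # variable -> taints currently flowing into it
    findings: list[dict] = []
    for s in program:
        if s.op in SOURCES:
            # Fresh untrusted value; any earlier binding of dest is overwritten.
            env[s.dest] = [Taint(s.line, (s.line,), frozenset())]
            continue
        incoming = [t for a in s.args for t in env.get(a, [])]
        if s.op in SINKS:
            for t in incoming:
                if not (t.sanitizers & ADEQUATE[s.op]):
                    findings.append({
                        "sink": s.op,
                        "sink_line": s.line,
                        "source_line": t.origin,
                        "path": t.path + (s.line,),
                        "sanitizers": set(t.sanitizers),
                    })
            continue
        applied = frozenset({s.op}) if s.op in SANITIZERS else frozenset()
        if s.dest is not None:
            # Plain ops (concat, const, ...) carry taint through; sanitizers tag it.
            env[s.dest] = [Taint(t.origin, t.path + (s.line,), t.sanitizers | applied)
                           for t in incoming]
    return findings


# Constructed sample program: two request parameters, one validated, one only
# HTML-encoded, flowing into SQL and HTML sinks.
SAMPLE_PROGRAM = [
    Stmt(1, "id", "request_param"),
    Stmt(2, "name", "request_param"),
    Stmt(3, "safe_id", "validate_int", ("id",)),
    Stmt(4, "enc_name", "html_encode", ("name",)),
    Stmt(5, "prefix", "const"),                       # trusted literal, carries no taint
    Stmt(6, "q1", "concat", ("prefix", "safe_id")),
    Stmt(7, None, "sql_exec", ("q1",)),               # validated integer -> clean
    Stmt(8, "q2", "concat", ("prefix", "enc_name")),
    Stmt(9, None, "sql_exec", ("q2",)),               # encoded but never validated -> finding
    Stmt(10, None, "html_write", ("enc_name",)),      # encoded for HTML -> clean
    Stmt(11, None, "html_write", ("name",)),          # raw input -> finding
]


def demo_findings() -> list[dict]:
    return trace(SAMPLE_PROGRAM)


if __name__ == "__main__":
    for f in demo_findings():
        print(f"{f['sink']} at line {f['sink_line']}: source line {f['source_line']}, "
              f"path {f['path']}, sanitizers applied {sorted(f['sanitizers']) or 'none'}")
```

Each finding carries the full path of statement lines from source to sink, which is exactly what an auditor needs when deciding where to insert a validation routine; the `ADEQUATE` table is the place where an internal security policy's own custom validators would be registered.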

Security leads found the time to productivity unmatched and compelling.

Partnering with Ounce Labs, the U.S. Navy was able to achieve previously unattainable levels of accuracy and completeness in the vulnerability analysis of complex code. The analysis was carried out in highly secure, temporary environments. Security analysts and code auditors were able to obtain accurate results without a deluge of false positives. These results were also utilized for analysis and reporting purposes in other locations. The Navy met cost and schedule objectives.

Time to productivity was measured literally in days, not weeks or months, and with minimal training and customization. As a result, there is increased visibility into, and confidence in, the code that operates some of the most sophisticated defense systems worldwide.

Application Security Compliance Guide for Federal Agencies


Increasingly, US federal agencies rely on complex and internetworked software to enable their mission. As federal services from taxpayer information to national defense move onto the Web, agencies have a driving need to ensure that the software managing those services and related data is written securely. The regulatory environment has expanded recently to address the need for ongoing, measurable software security assurance programs, and is mandating that agencies demonstrate their compliance.

Agencies, armed with automated software security assurance tools such as those that Ounce Labs provides, can now have the metrics and policy compliance information they need to report to agency heads and federal regulators on the process and state of their software security assurance efforts. This guide provides key agency personnel charged with fulfilling these various regulatory requirements with a quick reference to understanding:
  • The major compliance categories into which software security assurance activities fall, including Risk Assessment, Identification and Authentication, and Vulnerability Remediation.
  • The applicable regulatory and compliance frameworks and the specific control activities within each that apply to application security assurance activities.
  • The Ounce Labs solution and the way in which its capabilities can provide the necessary metrics and policy compliance information to help prove compliance with these activities.

Federal Government Enables Greater Security by Establishing Standard for Outsourced Code Development



A large civilian federal organization with over 12,000 employees and a budget of over $15 billion was challenged with new security standards while continuing its current operations.

The challenge for this customer was ensuring the application-level security of an upgrade to a 250-million-line application. Not only was the code base large, but the application was developed externally by a third-party provider and was scheduled to roll out in modules across a six-month timeframe. Adding to the challenge, this upgrade followed a very recent and well-publicized exploit in another division of the organization, which heightened sensitivity around the overall security of any new application roll-out.

Our customer was seeking a solution that would allow them to better evaluate the application prior to its deployment, thereby reducing risk and decreasing the likelihood of an unintended disclosure of information. The solution would be required to analyze an enormous amount of source code, and would also need to provide results that were meaningful to program managers, not just to security specialists and development personnel.

Due to the heightened sensitivity to security and unwanted data exposure in their environment, the customer had a very specific set of requirements. Their overall process is outlined below:

* Define what they meant by "security".
* Find language and criteria through which they could communicate that definition to their vendor.
* Enable the ability to enforce the vendor's performance against these criteria.

This was not an easy task considering the size and complexity of this critical ERP application.


Using Ounce Labs' source code analysis tool, the customer was able to evaluate current vulnerabilities within the code, prioritize remediation efforts against the highest-severity ones, and meet their time frame for roll-out.

Additionally, this code scan gave them a benchmark against which to establish a set of standards for secure code. Using the Ounce Labs taxonomy for security vulnerabilities, contracts were written that specified unacceptable security conditions for delivery of the software and mandated regular testing by the vendor prior to software release. In the event that such vulnerabilities continued to exist at the time of delivery, the vendor developing the software would be penalized for their non-performance. If there were medium-severity vulnerabilities, as discovered and defined by the Ounce product, the vendor would be fined 5% of the monthly invoice until they were repaired. If high-severity vulnerabilities existed, the vendor would receive no payment until those vulnerabilities were remediated.

It is possible to generate, negotiate, and enforce contracts that create an environment with third-party providers that leads to much more secure applications at time of delivery. These contracts protect an organization against the unplanned costs of a breach, including clean-up, patching, and reputation damage. Incorporating cost recovery within outsourced software development contracts more than justifies the additional management and resource expense associated with the new security requirements and their enforcement.

Seeking Compliance & Facing Enormous Upgrade, the U.S. General Services Administration Embarks on Path to Eradicate Vulnerabilities



The General Services Administration (GSA) is an independent agency of the United States government, which supports the mission of other federal agencies by providing workplaces, solutions, acquisition services and management policies.

When the GSA decided to eradicate vulnerabilities before rolling out a major update of a distributed ERP application, they set out to find a solution that would support them in ensuring that the applications were secure from the inside out.

In seeking to comply with FISMA requirements as well as NIST and GAO policies, the GSA realized that they needed a solution that could scale both to proactively address growing application security compliance concerns and to perform rapid analysis of immense volumes of code, all in the service of protecting private data.


The Ounce Labs solution allows the GSA to effectively address key data privacy protection objectives and standards. Out of the box, Ounce's software risk analysis capabilities enabled Certification and Accreditation professionals to rapidly analyze applications with millions of lines of code and to have the latest relevant vulnerability and remediation information at their fingertips, while their developers found that they could accurately pinpoint vulnerabilities down to the line of code and remediate those flaws in a fraction of the time it would otherwise have taken.

With the size and complexity of today's enterprise applications, it is seldom feasible to rely solely on manual methods to effectively identify and remediate vulnerabilities. The GSA is now leveraging Ounce Labs' capabilities for efficiently and accurately scanning and reporting on their large-scale applications.

Securing the Public Sector: The need for secure software for government agencies

Today more than ever, information security is at the top of the agenda for many government agencies. The government has repeatedly received low grades on the overall state of its security and implementation of security policies, and is now facing increased legal pressure to ensure that the mission-critical systems driving the nation's infrastructure are truly secured. To drive this effort, an array of new laws and regulations has been passed and guidelines have been issued that require government IT staff to analyze their systems, implement appropriate processes and procedures, and determine what products may need to be purchased to achieve demonstrably improved security.

The stark truth behind these evolving laws and guidelines is that even in the face of the widespread deployment of protective solutions such as firewalls, antivirus, and intrusion prevention products, attacks continue to succeed. This Ounce Labs Industry Spotlight will examine the guidelines and regulatory requirements adopted by the U.S. government in the light of this continuing national security risk, and their implications for security strategy.
