Wednesday, September 2, 2009

Maximum Speed, Accuracy & Flexibility with Ounce give the U.S. Navy the 'Wave' of Security Needed

Originating Page

CUSTOMER CHALLENGE

Security leaders in the U.S. Navy and researchers at the Johns Hopkins University Applied Physics Laboratory (JHUAPL) enforce security in military systems.

Few applications are more mission critical than the on board systems that operate complex military assets, command and control systems and secure, real-time communications. Combine top levels of security, global development alliances, and evolving architectural elements and you've got an extreme software security challenge.

This arm of the U.S. Armed Forces constantly faces software security and software integration challenges that push the limits of modern software development and deployment capabilities. With the stakes so high, and the margin of error so limited, only the best of the best can play here.

The U.S. Navy teamed up with JHUAPL to find the best in class processes and products that would enable security teams to quickly, efficiently and effectively identify and remediate software vulnerabilities. Researchers at the JHUAPL sought automation that could deliver accuracy. And the solution was required to do so in a reliable manner even when deployed under the most challenging operational environments, such as temporary runtime environments.

They needed to: identify vulnerabilities without the pain of assessing large volumes of information-level results and false positives; get in, set up, analyze and get out within hard deadlines; and analyze code in sub optimal deployment environments. The remediation of software vulnerabilities needed to happen after the code was locked down and no longer available for inspection. This combination of requirements made finding a solution that worked a daunting challenge.

SOLUTION & RESULTS

The U.S. Navy chose Ounce Labs because of the ability to meet a stringent set of challenging, and often conflicting, technical requirements. These included severe code complexity, embedded environments, distributed development, high security levels, an ability to enable remediation after code lockdown, and the need for the most accurate results possible. Budget and timeline were fixed.

All commercially available options were evaluated. Extensive technical and supplier evaluations were performed to select superior and proven technology from a viable supplier committed to the long term. Only Ounce Labs was able to demonstrate this combination of attributes. Ounce solutions were found uniquely capable of effectively deploying in a broad range of challenging operational environments.

Mobile security analysts were able to fly from location to location, set up, analyze large bodies of code, and take away the information required to follow up on remediation. The confirmed vulnerabilities in the analysis results eliminated crucial time that would have otherwise been needed to investigate code scan results from other products. Severity ratings and intelligent result groupings facilitated the analysis of potential vulnerabilities. Integration with change management and email systems meant defects could be assigned to owners around the globe in much the same way quality defects are handled.

Powerful reporting includes triage and analysis perspectives that allowed results to be intelligently managed. The Ounce SmartTraceTM feature provided a method to interactively trace tainted data paths in which information is processed through applications without proper validation or encoding routines. This feature was used to pinpoint and remediate vulnerabilities as well as define custom validation routines according to internal security policy.

Security leads found time to productivity was unmatched, and compelling.

Partnering with Ounce Labs, the U.S. Navy was able to achieve previously unattainable levels of accuracy and completeness in the vulnerability analysis of complex code. The analysis was carried out in highly secure, temporary environments. Security analysts and code auditors were able to obtain accurate results without a deluge of false positives. These results were also utilized for analysis and reporting purposes in other locations. The Navy met cost and schedule objectives.

Time to productivity was measured literally in days, not weeks or months, and with minimal training and customization. As a result, there is increased visibility into, and confidence in, the code that operates some of the most sophisticated defense systems worldwide.