VA SOFTWARE ASSURANCE PROGRAM OFFICE VA Code Review Process Introduction Virtual Live Training, 30 Minutes Training is held virtually over Microsoft Lync Seal of the U.S. Department of Veterans Affairs Office of Information and Technology Office of Information Security


Page 1

VA SOFTWARE ASSURANCE PROGRAM OFFICE

VA Code Review Process Introduction

Virtual Live Training, 30 Minutes

Training is held virtually over Microsoft Lync

Office of Information and Technology, Office of Information Security

Page 2


Welcome!

• Thank you for attending this presentation.

• This presentation is courtesy of the VA Software Assurance Program Office.

• This presentation is an overview of the concepts and activities involved in the VA Verification and Validation (V&V) Secure Code Review Validation process.

– Please note that VA application components written in MUMPS and Delphi programming languages are exempt from V&V secure code review validation processes.

Page 3


Getting Started…

• Reviewing application source code for vulnerabilities can be a complex process.

• The primary objectives of conducting security-focused source code reviews at the VA are to:

– Encourage the use of static analysis tools during the development of VA applications

– Ensure that secure code reviews are performed consistently and cost-efficiently

– Improve the security of VA applications agency-wide

Page 4


What is meant by vulnerabilities in source code?

• Example:

– Command Injection:
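The slide's own command-injection example was a figure that did not survive extraction. The following is an added illustration, not taken from the deck: the same "is this host up?" helper written first in the form a static analyzer reports as Command Injection, then in the hardened form a reviewer expects. The function names, the hostname allowlist pattern and the sample inputs are this example's own assumptions, not a VA standard.

```python
import re
import subprocess

# Constructed example (not from the VA slides): the same "is this host up?"
# helper written the way a static analyzer flags and the way it should be written.

# Allowlist for a hostname: letters, digits, dots and hyphens only.
# This pattern is an assumption for the example, not a VA standard.
HOSTNAME_RE = re.compile(r"^[A-Za-z0-9](?:[A-Za-z0-9.-]{0,252}[A-Za-z0-9])?$")


def build_ping_shell_string(host: str) -> str:
    """Vulnerable pattern (shown only so it can be recognized in review).

    The untrusted value is concatenated into a command line that would be
    handed to /bin/sh via os.system().  Any character the shell treats
    specially in ``host`` (``;``, ``|``, ``$(...)``, ...) becomes part of the
    command; that data flow is what Fortify reports as Command Injection.
    """
    return "ping -c 1 " + host


def build_ping_argv(host: str) -> list[str]:
    """Hardened pattern.

    1. Validate the input against a strict allowlist (reject, do not sanitize).
    2. Pass it as a discrete argv element, so no shell ever parses it.
    """
    if not HOSTNAME_RE.fullmatch(host):
        raise ValueError(f"rejected host value: {host!r}")
    return ["ping", "-c", "1", host]


def host_is_reachable(host: str) -> bool:
    """Run the hardened form.  shell=False is already the default for a list
    argv, but it is spelled out because that is the property a reviewer checks."""
    result = subprocess.run(build_ping_argv(host), shell=False, check=False,
                            capture_output=True)
    return result.returncode == 0


if __name__ == "__main__":
    # The shell metacharacters pass straight through the vulnerable builder...
    print(build_ping_shell_string("localhost; echo injected"))
    # ...and are rejected before any process is started by the hardened one.
    print(build_ping_argv("localhost"))
    try:
        build_ping_argv("localhost; echo injected")
    except ValueError as exc:
        print("rejected:", exc)
```

The two defenses are independent: the allowlist stops bad values at the boundary, and the argv list means that even a value the allowlist missed is delivered to `ping` as a literal argument rather than interpreted by a shell. A review that finds only one of the two should still ask for the other.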

Page 5


How does one search for vulnerabilities in source code?

• Security-focused source code reviews at the VA should be performed using the HP Fortify Static Code Analyzer (SCA) tool, which is made freely available by VA to VA application developers, including contractors.

– Fortify benefits:

• Fast compared to manual review

• Fast compared to testing

• Consistent

• Brings security knowledge with it

• Makes the security review process easier for non-experts

– Fortify limitations:

• Does not understand architecture

• Does not understand application semantics

• Does not understand business context

Page 6


Fortify SCA operation (diagram; only the labels are recoverable):

Source Code (one box per language) → Build Model (compile to an internal model) → Internal Model → Scan (analyze the model and apply security knowledge) → Results

When source code spans multiple languages, each is separately compiled to the internal model and all are scanned together.

Page 7


How does the V&V Secure Code Review Validation process work?

1. VA application developers request the Fortify software, then use it during development (and maintenance)

2. Prior to release, during the A&A process to obtain an ATO/TATO (or per NSOC direction), developers do a final Fortify scan

3. A V&V secure code review validation request package, containing the final Fortify scan, V&V Request Form, and source code to be delivered, is submitted to the VA Software Assurance Program Office. The validation process checks that no critical or high findings remain, along with other checks, per the SOP.
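Step 3 turns on one concrete check: no Critical or High findings may remain in the final scan. The block below is an added example, not part of the VA process, the SOP or Fortify: a small gate that applies that check to a findings export so a team can run it before assembling the request package. The CSV columns and the sample rows are constructed assumptions for the example; a real Fortify scan produces an .fpr archive, which this code does not parse.

```python
import csv
import io
from collections import Counter

# Constructed sample export, NOT a real Fortify result.  A real scan produces
# an .fpr archive; the columns and rows below are assumptions for this example.
SAMPLE_FINDINGS_CSV = """\
category,priority,file,line,audit_status
Command Injection,Critical,src/Ping.java,42,Open
SQL Injection,High,src/Dao.java,118,Open
Path Manipulation,High,src/Upload.java,77,Not an Issue
Unreleased Resource,Medium,src/Db.java,53,Open
Poor Logging Practice,Low,src/Log.java,9,Open
"""

# The validation step checks that no Critical or High findings remain.
BLOCKING_PRIORITIES = {"Critical", "High"}


def load_findings(text: str) -> list[dict]:
    """Parse the export into one dict per finding."""
    return list(csv.DictReader(io.StringIO(text)))


def blocking_findings(findings: list[dict], honor_audit: bool = False) -> list[dict]:
    """Return the findings that would fail the gate.

    honor_audit=False (the default here) counts every Critical/High finding,
    whether or not someone marked it 'Not an Issue'.  Whether audited-out
    findings may be excluded, and what evidence that needs, is a question for
    the SOP, so the example makes the choice explicit instead of deciding it.
    """
    blocking = []
    for finding in findings:
        if finding["priority"] not in BLOCKING_PRIORITIES:
            continue
        if honor_audit and finding["audit_status"] == "Not an Issue":
            continue
        blocking.append(finding)
    return blocking


def summarize(findings: list[dict]) -> dict:
    """Count findings per priority, for the validation report."""
    return dict(Counter(finding["priority"] for finding in findings))


def gate_passes(text: str, honor_audit: bool = False) -> bool:
    """True when the package would clear the 'no Critical or High remaining' check."""
    return not blocking_findings(load_findings(text), honor_audit)


if __name__ == "__main__":
    findings = load_findings(SAMPLE_FINDINGS_CSV)
    print("per priority:", summarize(findings))
    for finding in blocking_findings(findings):
        print(f"BLOCKING {finding['priority']:<8} {finding['category']} "
              f"at {finding['file']}:{finding['line']}")
    print("gate passes:", gate_passes(SAMPLE_FINDINGS_CSV))
```

Running the gate on every development scan, not only the final one before the A&A package, is what makes step 1 ("use it during development") pay off: a Critical finding discovered the week before an ATO deadline is far more expensive to fix than one caught at commit time.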

Page 8


V&V Secure Code Review Validation process workflow:

Page 9


Where do I find the necessary forms, procedures, and help for code reviews?

• The VA Software Assurance Program Office provides a support website that is accessible both inside and outside the VA network.

– Link to the VA Software Assurance support site: https://wiki.mobilehealth.va.gov/display/OISSWA

– Direct link to the VA Secure Code Review Standard Operating Procedures document: https://wiki.mobilehealth.va.gov/download/attachments/24482308/VA%20Secure%20Code%20Review%20SOP.pdf?api=v2

– Link to Frequently Asked Questions: https://wiki.mobilehealth.va.gov/display/OISSWA/Frequently+Asked+Questions

Page 10


Thank you!

• Questions?

• If you need additional assistance in the future, please contact: [email protected]