GCN : November and December 2014
CODE-CHECKER

Code checking leads to sea change at NAVSUP
BY JOHN BREEDEN II

The Navy has been able to cut down on software vulnerabilities by troubleshooting programming errors before software is deployed.

Until recently, the only way to patch software effectively was to deploy it first and identify its vulnerabilities later. However, this opened the code to zero-day exploits as well as advanced persistent threats. Few options existed for testing code for vulnerabilities before deploying it.

"Most of the time we would find out about a problem with application security after the fact and after someone did something they weren't supposed to be able to do," said Kurt Wendelken, Commanding Officer of the Naval Supply Systems Command (NAVSUP) Business Systems Center.

After a security incident, NAVSUP would normally try to repair the compromised system, document how an attack or exploit occurred and make sure that it couldn't happen again. Not only was this labor intensive, but Wendelken said his primary job is keeping data inside Navy systems secure. Any after-the-fact work to patch a compromised system therefore meant that, at some level, that goal had already been lost.

In looking for tools to break out of the traditional programming mold, NAVSUP found HP's Fortify Software Security Center product, a suite of programs designed for identifying vulnerabilities in software before it hits the production environment. The tool helps find vulnerabilities and trace them back to their source, including common errors like cross-site scripting as well as deeper vulnerabilities that are much harder to detect.

Looking at the code that will eventually go into Navy systems, and fixing any errors before it gets deployed, has led to a sea change for NAVSUP.

"This has led to a fundamental change in our process," he added. "Before, if an application was able to run repeatedly, that was enough. Now we are fixing problems with the code before it becomes part of a Navy system."

Right now, NAVSUP is using Fortify to look at code, much of it submitted by contractors, to check for errors. However, the tool can also be deployed even farther back in the chain. Fortify can run as an app on a programmer's desktop, with the ability to scan code as it's being written. That alerts the programmer to make changes and fix problems, not unlike the spell check function on word processors.

Because NAVSUP works with many outside contractors, it has not yet deployed or required companies to use any type of error-checking tool. However, given the success NAVSUP is seeing in fixing code pre-deployment, Wendelken said it's possible they may ask contractors to have a protocol deployed to cut back on mistakes before code is submitted to the Navy.

"If we had run our code through the Fortify tool and not found any problems, I would have been both pleased and disappointed," Wendelken said. "It's like installing an alarm system on your home. You hope that it never gets used, but you are also happy if it works when needed."

Another advantage to using the Fortify tool is that it allows Wendelken to document up the chain of command what he and his staff are doing. Fortify reports can show vulnerable code that would have gone into a Navy system as well as the clean code produced after it had been checked. And although the tool also saves his staff some time, Wendelken said that is not his primary concern.

"If the code is secure before it's deployed, then we can keep someone from penetrating a Navy system," he said. "That is the most important thing, and using the tool allows us to do that."
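To make concrete what a pre-deployment code check of the kind described in the article does, here is an added example; it is not Fortify's analysis and not NAVSUP's or any contractor's code. It is a small Python AST-based taint check that follows a value read from an HTTP request through assignments and string building, and reports the flow when it reaches a response-producing call without first passing through an escape() call, which is the shape of a reflected cross-site scripting bug. The framework vocabulary it recognises (request.args, make_response, markupsafe.escape, and the other names in TAINT_SOURCES, SANITIZERS and SINKS) and the two sample handlers it scans are constructed assumptions for the demonstration.

```python
"""Minimal AST taint check for reflected XSS in Flask-style handlers.
Added illustration only: not Fortify's analysis and not NAVSUP or contractor code."""
import ast
from collections import namedtuple
from typing import Optional

# Assumed framework vocabulary, constructed for this example (not a real rule set).
TAINT_SOURCES = {"args", "form", "cookies", "headers"}       # request.<attr> reads
SANITIZERS = {"escape", "Markup.escape", "markupsafe.escape"}
SINKS = {"make_response", "render_template_string", "Response"}

# sink_line: where untrusted data reaches a sink; source_line: where it entered.
Finding = namedtuple("Finding", "sink_line sink source_line")


def _callee_name(func: ast.AST) -> str:
    """Dotted name of a call target, e.g. 'Markup.escape'; '' if not a name."""
    if isinstance(func, ast.Name):
        return func.id
    if isinstance(func, ast.Attribute):
        base = _callee_name(func.value)
        return f"{base}.{func.attr}" if base else func.attr
    return ""


class XssChecker(ast.NodeVisitor):
    def __init__(self) -> None:
        self.tainted = {}            # variable name -> line where its taint entered
        self.findings = []

    def _origin(self, expr: ast.AST) -> Optional[int]:
        """Line where untrusted input enters expr, or None if expr is clean."""
        if isinstance(expr, ast.Name):
            return self.tainted.get(expr.id)
        if isinstance(expr, ast.Attribute):            # request.args, or obj.method
            if isinstance(expr.value, ast.Name) and expr.value.id == "request":
                return expr.lineno if expr.attr in TAINT_SOURCES else None
            return self._origin(expr.value)
        if isinstance(expr, ast.Subscript):            # request.args["q"]
            return self._origin(expr.value)
        if isinstance(expr, ast.Call):
            if _callee_name(expr.func) in SANITIZERS:
                return None                            # escape() neutralises the flow
            return self._first(expr.func, *expr.args, *[k.value for k in expr.keywords])
        if isinstance(expr, ast.BinOp):                # "<h1>" + q + "</h1>"
            return self._first(expr.left, expr.right)
        if isinstance(expr, ast.JoinedStr):            # f"<h1>{q}</h1>"
            return self._first(*[v.value for v in expr.values if isinstance(v, ast.FormattedValue)])
        return None

    def _first(self, *exprs: ast.AST) -> Optional[int]:
        origins = (self._origin(e) for e in exprs)
        return next((o for o in origins if o is not None), None)

    def visit_FunctionDef(self, node: ast.FunctionDef) -> None:
        saved, self.tainted = self.tainted, {}         # taint is tracked per function
        self.generic_visit(node)
        self.tainted = saved

    def visit_Assign(self, node: ast.Assign) -> None:
        if len(node.targets) == 1 and isinstance(node.targets[0], ast.Name):
            origin = self._origin(node.value)
            if origin is None:                         # clean reassignment clears taint
                self.tainted.pop(node.targets[0].id, None)
            else:
                self.tainted[node.targets[0].id] = origin
        self.generic_visit(node)

    def visit_Call(self, node: ast.Call) -> None:
        sink = _callee_name(node.func)
        if sink in SINKS:
            origin = self._first(*node.args, *[k.value for k in node.keywords])
            if origin is not None:
                self.findings.append(Finding(node.lineno, sink, origin))
        self.generic_visit(node)


def scan(source: str) -> list:
    """Scan one module's source text; return every untrusted-to-sink flow found."""
    checker = XssChecker()
    checker.visit(ast.parse(source))
    return checker.findings


# Constructed sample handlers for the demonstration (not real NAVSUP or contractor code).
VULNERABLE_HANDLER = '''from flask import request, make_response
def search():
    q = request.args.get("q", "")
    page = "<h1>Results for " + q + "</h1>"
    return make_response(page)
'''
HARDENED_HANDLER = '''from flask import request, make_response
from markupsafe import escape
def search():
    q = escape(request.args.get("q", ""))
    page = "<h1>Results for " + q + "</h1>"
    return make_response(page)
'''

if __name__ == "__main__":
    for label, src in (("vulnerable", VULNERABLE_HANDLER), ("hardened", HARDENED_HANDLER)):
        print(label, scan(src) or "clean")
```

Running the script reports one finding for the vulnerable handler, naming both the line where the request parameter is read and the line where it reaches make_response(); that source-to-sink pairing is what lets a reviewer confirm the bug and fix it before the code ships, which is the "trace them back to their source" behaviour the article attributes to the tool. The hardened handler, identical except for the escape() call, comes back clean. The checker is deliberately narrow: it tracks taint within one function, knows only the names listed at the top, and treats any sanitizer call as fully neutralising, so it illustrates the principle rather than the coverage of a production scanner.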