
FEDERAL CASE STUDY

Ready, Aim, Fortify! U.S. Army Deploys Application Security Regimen for its Munitions System

THE DEPARTMENT | The U.S. Army uses the Total Ammunition Management Information System (TAMIS) to manage conventional munitions requirements.

Case Background

The Total Ammunition Management Information System (TAMIS) is the U.S. Army application that manages conventional munitions for wartime, training and testing operations across the U.S. Armed Forces – the Army, Marine Corps, National Guard as well as the Navy and Air Force when operating on Army installations.

TAMIS handles approximately 350,000 ammunition transactions per month from units located all around the world, supporting more than 7,000 authorized personnel who request, approve and manage munitions. The web-enabled system calculates combat load requirements, validates and routes electronic requests, collects expenditures, and prepares forecasts. More than 50,000 munitions reports are generated each month on the nearly $3 billion in conventional ammunition authorizations managed each year.

The primary objectives of TAMIS are to improve munitions governance and to provide military personnel with essential analytical tools that enable a trained and ready armed force. The TAMIS application supports the Army’s training and operational strategies by providing an essential web-enabled capability throughout all phases of the military’s spectrum of operations. Employing a design structured for centralized management and decentralized execution, the system develops, calculates and prioritizes requirements, ensures requisition and authorization data is accurate, and then makes this information available and usable on demand to authorized users without wait time.

TAMIS is managed by the Department of the Army G-37, Munitions Management Division. Maintaining training superiority and achieving readiness objectives required the Army to transform its business practices and information management processes as part of the overarching “Net-Centric Data Strategy” of the U.S. Department of Defense (DOD). TAMIS is not a new system. It was originally launched on a mainframe, migrated to Windows NT, and then to its present browser-driven application environment.

TAMIS operates at the Mission Assurance Category II sensitive level. As a result, much time and effort has been devoted to TAMIS development and network “hardening” solutions designed to prevent attacks against the application. However, application security wasn’t always the highest priority for the TAMIS development team over the years, between rolling deadlines and user demands for new features. Eliminating vulnerabilities was regarded as a task best performed in the testing phase or at the end of development, if at all.

U.S. ARMY TAMIS QUICK STATS

• Handles 350,000 ammunition transactions per month from units located across the globe

• Supports more than 7,000 authorized personnel who request, approve and manage munitions

• Generates 50,000+ munitions reports each month

• Manages $3 billion in conventional ammunition authorizations annually

KEY CHALLENGES

• Implement an application security regimen on an already deployed web application

• Provide military personnel with essential, automated analytical tools to enable a trained, armed force

• Prevent attacks on the TAMIS system by accurately measuring its security risk level and fixing application vulnerabilities in TAMIS

• Progress the TAMIS team away from a “checklist mentality” toward a more holistic approach to risk management

• Train programmers in secure coding practices and monitor future performance

FORTIFY CASE STUDY WWW.FORTIFY.COM

The Mission: a Holistic Approach to Software Risk Management

Before the TAMIS application security project, few in the wider U.S. Army community were thinking seriously about application security. While IT security as a practice has always been “non-negotiable” in matters of national security, the approach had been largely network-centric and had given little attention to software vulnerabilities present in many of the applications already in use throughout the DOD. The two bodies responsible for TAMIS network security were the U.S. Army Information Management Center, responsible for intrusion detection and firewalls, and the Pentagon’s Vulnerability Assessment Branch, which periodically scans Army servers for necessary updates and fixes. On the other hand, application code review was still manual and labor intensive, with few resources directed to application threat modeling or risk management during development. Training for software developers on vulnerability mitigation through secure coding practices was largely nonexistent. Still, TAMIS had a history of being specifically targeted in malicious attacks on a few occasions, originating from China, India, even Boston.

Then TAMIS Project Manager Bob Torche attended a workshop as part of a strategic initiative on Software Security Assurance conducted by the National Cyber Security Division of the U.S. Department of Homeland Security. The program helped him put his own project in perspective and armed him with the skills and disciplines necessary to implement source code analysis in TAMIS within his project’s cost structure.

The TAMIS team had some specific requirements for its application security solution provider, which needed to be able to:

• Measure present vulnerability levels to ascertain the risk profile of the application

• Automate the source code analysis process

• Understand where and how the application was vulnerable, and prioritize the results

• Operate within the TAMIS Visual Studio integrated development environment to remediate findings

• Illustrate quantitative reductions in vulnerability level over time, demonstrated by executive-level reporting

• Progress the TAMIS team away from a “checklist mentality” toward a more holistic approach to risk management

• Train its .NET and C+ programmers on secure coding practices in their application environment, and monitor their future performance

Regulatory compliance mandates were also a huge consideration for the TAMIS team. Specifically, any chosen solution needed to help them meet the requirements set forth by the following initiatives:

1. The Defense Information Systems Agency’s Application Security Technical Implementation Guides, or DISA STIGs for short, are a set of application configuration standards that promote the development, integration and updating of secure applications required under DOD policy. All military software applications must comply with these standards as a matter of national security.

2. The National Institute of Standards and Technology 800 Series details federal government computer security policies, procedures and guidelines. These guidelines cover assessing and documenting threats and vulnerabilities and implementing security measures to minimize the risk of adverse events.

3. The Federal Information Security Management Act (FISMA) requires each federal agency to develop, document, and implement an agency-wide program to provide information security for the information and information systems that support the operations and assets of the agency.

4. The DOD Information Assurance Certification and Accreditation Process (DIACAP) is the process that ensures risk management is applied to all DOD information systems. DIACAP defines a formal and standard set of activities, general tasks and a management structure for the certification and accreditation of systems such as TAMIS that maintain an information assurance posture throughout their life cycle.

TAMIS needed to select an application security solution provider who understood each and every one of these regulatory directives, and who could dynamically respond to address them.

Fortify® 360 Secure Your Software

Fortify 360 is a suite of integrated solutions for identifying, prioritizing and fixing security vulnerabilities in software and managing the business of ensuring application security.

The Strategy: Why Fortify 360?

Promoting greater software assurance practices was now regarded inside TAMIS as essential to reducing overall risk to the munitions management system. To accomplish this, the TAMIS team began a review of leading industry source code analyzers. Fortify made the short list. Initial market research identified six products to review, including Fortify, KlocWork, and IBM/Ounce, among others. They focused their evaluations on fixing, prioritizing, viewing and reporting capabilities, as well as how well each product would integrate with its environment. In the end, it came down to Fortify and Ounce.

Bob Torche was impressed by what he had learned of Fortify and its Fortify 360 SCA product at the cyber security workshop, but not convinced. He had his team run a test of Fortify 360 SCA directly against TAMIS code, not only to examine its results but also to understand how the product would respond to their environment. He was overwhelmed by the number of vulnerabilities first detected, and soon realized the amount of effort that would be needed to address them. Further evaluation revealed that Fortify 360 offered benefits beyond just static code analysis.

Torche explains, “Fortify offered a comprehensive application security approach that included detection and protection capabilities in a single package. In addition to SCA, we realized the power of dynamic analysis for an application that is up and running, which TAMIS clearly is. We also understood that the run-time protection afforded by a full Software Security Assurance solution in the end would put us on the best possible footing. We became convinced that the best solution would address both our immediate needs as well as any future requirements that would emerge throughout the software development lifecycle.”

The Attack: Divide & Conquer with Expert Support

After the selection of Fortify, the TAMIS team still had some hurdles to clear. Implementation involved installing Fortify 360 SCA on each of the machines that developers use, to run static analysis on their code and to upload results to the Fortify 360 Server. Fortify 360 Server was used to maintain the rules pack, to scan pre-release code during QA, and to generate reports.

Fortify engineers assisted with the installation process to tune the product for the TAMIS environment. TAMIS also engaged Fortify Software’s support services to help review initial scan results with its developers, as the team needed some help prioritizing initial findings to isolate the most serious threats. The team found tuning Fortify 360 for the individual application was a bit time consuming, but essential to its success. Finally, Fortify also completed two days of in-depth product training with ten TAMIS developers.

Bob Torche firmly believes that expert support is essential to the success of a Software Security Assurance effort involving ongoing development on an application already in production. He elaborates, “We found Fortify’s support services to be first class, from knowledgeable installation to informative staff training. Their involvement proved invaluable to both a stable deployment as well as maintaining our deployment schedule. Problems were quickly resolved, resulting in an overall smooth and stable rollout within the planned timeframe.”

TAMIS operates under an agile software development approach, but still the combination of maintaining the system (which is actually hosted by another Army agency), fixing bugs, and deploying new capabilities is a challenging balancing act. Today, the TAMIS team is responsible for understanding the application’s ongoing risk profile, identifying real or emerging threats, and assuring all stakeholders that all potentially exploitable vulnerabilities are mitigated. TAMIS developers are tasked with actually fixing security issues while balancing the ongoing demands of a live system demanding functionality, data integrity and availability. This frees the TAMIS project management team to focus upfront not only on functional requirements but also on security requirements.

The Results: Leading the App Sec Charge inside the DOD

Bob Torche believes, “It is this balancing act between fix and function that must be continually orchestrated for ongoing secure operations. The challenges of implementing an application security regimen on an already deployed web application – one that’s undergoing continual development, mind you – required a cultural shift be incorporated into our development process. Once the commitment is made, I recommend that organizations going down our road pursue change quickly, adopt best practices, and then follow through. It’s about ultimately building a stronger application, but the challenge is keeping the wheels on the bus even as you improve the bus. That’s the secret of our success with Fortify 360.”

FORTIFY BENEFITS

• Identified the TAMIS application’s risk profile

• Reduced risk for the TAMIS project, within its funding and resource level

• Effected a cultural shift in the TAMIS development process

• Established a development lifecycle approach to software security

• Enhanced the U.S. Army’s security posture with a higher level of confidence

© 2010 Fortify Software Inc.

With Fortify, TAMIS has:

• Identified its risk profile. Specifically, Fortify is helping to reduce risk for the TAMIS project, within its funding and resource level.

• Enhanced its security posture. TAMIS has attained a higher level of confidence that its software is free from major vulnerabilities, which is the ultimate goal of software security assurance.

• Established a software development life cycle approach. Security is now built into the TAMIS application from the beginning with established processes and procedures. According to a study by the National Institute of Standards and Technology (NIST), the cost and effort expended fixing security vulnerabilities in production software is up to thirty times more than addressing them during development.

As the U.S. Army strives to deliver net-centric information that enables superior war fighter decision-making, it continually adapts and refines TAMIS capabilities to meet the threat of the operational environment. Over the last three years, the system’s sponsors have consolidated data and automated processes to align its munitions requirements processes with the Single Army Logistics Enterprise (SALE) effort. TAMIS is three-quarters of the way through its transformation. Next steps are to interface the system with the Global Combat Support System-Army and the Logistics Modernization Program – which are both essentially enterprise resource planning implementation projects.

TAMIS was the third successful implementation of Fortify at the U.S. Army, which is also using Fortify in its Communications and Electronics Command (CECOM) and Tank-Automotive & Armament Command (TACOM) systems. The Army now has 15 additional instances of Fortify 360 up and running out of 25 total active projects. It has led to a sea change in acceptance for Software Security Assurance best practices at the DOD. Torche states its impact most succinctly when he says, “Static application security testing should be a mandatory requirement for all IT organizations that develop or procure applications.”

About Fortify Software, Inc.

Fortify®’s Software Security Assurance products and services protect companies from the threats posed by security vulnerabilities in business-critical software applications. Its software security suite – Fortify 360 – drives down costs and security risks by automating key processes of developing and deploying secure applications. Fortify Software’s customers include government agencies and FORTUNE 500 companies in a wide variety of industries, such as financial services, healthcare, e-commerce, telecommunications, publishing, insurance, systems integration and information management. The company is backed by world-class teams of software security experts and partners. More information is available at www.fortify.com or visit our blog.