WASHINGTON–Despite its reputation for secrecy and technical expertise, the National Security Agency doesn’t have a set of secret coding practices or testing methods that magically make their applications and systems bulletproof. In fact, one of the agency’s top technical experts said that virtually all of the methods the NSA uses for development and information assurance are publicly known.
“Most of what we do in terms of app development and assurance is in the open literature now. Those things are known publicly now,” Neil Ziring, technical director of the NSA’s Information Assurance Directorate, said in his keynote at the OWASP AppSec conference here Wednesday. “It used to be that we had some methods and practices that weren’t well-known, but over time that’s changed as industry has focused more on application security.”
Ziring said that even within the NSA, the problems of application security remain maddeningly difficult to solve. The agency, which is responsible for both protecting the communications of the U.S. government and eavesdropping on those of hostile nations, faces many of the same challenges that private enterprises and other organizations do when it comes to writing secure applications and defending deployed apps.
“Assurance is very hard to do for apps, especially lightweight, distributed apps. They don’t have a clean, waterfall lifecycle,” Ziring said. “Very few applications start from a clean slate. They’re built on the existing code bases and they have to work with other existing apps and they have to be updated frequently.
“Apps have become the primary targets of attackers. The exploits have moved up the stack from the hardware and the OS. Apps and platforms change much more frequently, so they’re harder to lock down. It’s where the money is. If you attack through the application and find a vulnerability, you get the data all nicely formatted and laid out for you. It’s a lot easier for attackers. We’ve certainly seen this in the government as well as in industry,” Ziring said.
The NSA, like other large organizations with a focus on software and application security, emphasizes security throughout the design, development and deployment lifecycle of an application. The agency has stringent requirements that an application must meet during the entire lifecycle, as many organizations do, and it also has joined together the security- and performance-testing processes in order to put apps through more realistic testing.
Ziring said that in his experience at the NSA and elsewhere, many security staffs would take a new app and test it by looking for corner cases that might break it or throwing unusual forms of traffic at it that might cause a crash or other problem. Meanwhile, QA staffs would typically test an app’s performance and reliability under low-stress conditions. Neither one of these methods gave a complete picture of the application’s security or reliability. That needs to change, he said.
“I’d suggest that marrying together the security and performance testing functions gives you a better idea of the app’s security,” Ziring said. “App have to be resilient. They have to operate under degraded or hostile conditions, they have to enforce governance and other standards.”
But despite all of the issues facing developers looking to write more secure and resilient apps, Ziring said that he believes the current focus on app security is making a difference.
“The NSA’s IAD really believes application security is very important. I see a bright future for appsec,” he said.
