
Protecting Data During Transmission and
While Applications are Accessing it


For more than a decade, Security Innovation has provided software assurance and anti-tamper solutions to Federal Agencies and Government Systems Integrators such as the DoD, U.S. Courts, Raytheon, AFRL, Army, Navy, Northrop Grumman, DARPA and Harris.

Government agencies are under pressure to meet the law as implemented in regulations, which often require regular awareness and technical training, independent software assessments, IT system attack simulation, and adoption of industry secure coding standards.


DOD 8500.01

For intelligence and defense agencies, DOD 8500.01 requires following the DISA STIG templates. Application security requirements are defined in a specific STIG, the Application Security and Development STIG. This document sets out a full set of education and process requirements for application development to meet military security standards.


FISMA/NIST

On the civilian side, FISMA mandates following NIST requirements. The NIST CSRC has set out the requirements to be met under the FISMA project. Specific requirements are defined in NIST Special Publication 800-53. Control SA-8 states:

SA-8 SECURITY ENGINEERING PRINCIPLES

Control: The organization applies information system security engineering principles in the specification, design, development, implementation, and modification of the information system.

Supplemental Guidance: The application of security engineering principles is primarily targeted at new development information systems or systems undergoing major upgrades and is integrated into the system development life cycle. For legacy information systems, the organization applies security engineering principles to system upgrades and modifications to the extent feasible, given the current state of the hardware, software, and firmware within the system. Examples of security engineering principles include, for example: (i) developing layered protections; (ii) establishing sound security policy, architecture, and controls as the foundation for design; (iii) incorporating security into the system development life cycle; (iv) delineating physical and logical security boundaries; (v) ensuring system developers and integrators are trained on how to develop secure software; (vi) tailoring security controls to meet organizational and operational needs; and (vii) reducing risk to acceptable levels, thus enabling informed risk management decisions.


IT System Attack Simulation

Government agencies often rely on third-party applications and COTS hardware, each of which can introduce data risks that are well known to attackers: exploits in known applications, insecure default settings and configurations, poorly implemented crypto, and more.

Security Innovation can help you plug holes before they are exploited by an actual attacker. Our engineers conduct ongoing attack simulations against your IT infrastructure to identify the weaknesses an attacker would exploit to gain access to your data or take your systems offline, including:

  • High-severity software vulnerabilities
  • Weak or default passwords
  • Misconfigured web and database servers
  • Unknown Internet-facing applications or integration code
  • Systems lacking proper authentication controls or running with excessive privileges
  • Insecure communication channels and poorly implemented crypto


Future-Proof Anti-Tamper Crypto:
Up to 200x Faster Than RSA

Our NTRU Crypto delivers high-strength cryptographic operations at low cost, making it ideal for constrained devices. It is an IEEE and X9 standard, and is available in SSL libraries and encryption toolkits.

Additionally, Security Innovation offers fast, easy-to-implement security libraries optimized for ARM7/ARM and for IEEE 1609 secure vehicle communications.


Computer-Based Training & In-Practice Guidance

TeamProfessor, the industry's largest computer-based training library for application security, helps all team members meet training requirements and harden applications against cyber threats.

Once training is complete, developers need just-in-time guidance that can be customized to the agency's practices and standards. Our TeamMentor eGuidance system comprises more than 3,000 how-to's, secure code snippets, attack descriptions, and checklists, offering expert guidance as teams conduct specific security activities.


Software & SDLC Assessments

To help you bring the appropriate security processes and activities to your development practice, Security Innovation can identify problems in your software during any phase of development, or within the SDLC itself.
