VA SOFTWARE ASSURANCE PROGRAM OFFICE VA Code Review Process Introduction Virtual Live Training, 30 Minutes Training is held virtually over Microsoft Lync.

Presentation transcript:

VA SOFTWARE ASSURANCE PROGRAM OFFICE. VA Code Review Process Introduction. Virtual Live Training, 30 Minutes. Training is held virtually over Microsoft Lync. U.S. Department of Veterans Affairs, Office of Information and Technology, Office of Information Security.

Welcome! Thank you for attending this presentation. This presentation is courtesy of the VA Software Assurance Program Office. It is an overview of the concepts and activities involved in the VA Verification and Validation (V&V) Secure Code Review Validation process.
– Please note that VA application components written in the MUMPS and Delphi programming languages are exempt from V&V secure code review validation processes.

Getting Started… Reviewing application source code for vulnerabilities can be a complex process. The primary objectives of conducting security-focused source code reviews at the VA are to:
– Encourage the use of static analysis tools during the development of VA applications
– Ensure that secure code reviews are performed consistently and cost-efficiently
– Improve the security of VA applications agency-wide

What is meant by vulnerabilities in source code? Example:
– Command Injection:
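The slide names command injection as its example of a source-code vulnerability. The following is an added illustration, not code from the VA presentation, of the pattern a static analyzer such as Fortify SCA reports as Command Injection, placed beside a hardened form; the ping-lookup scenario, the hostname allow-list and the function names are assumptions made for the example.

```python
"""Command injection: vulnerable string concatenation vs. validated argv list.

Added example; the 'ping a user-supplied host' scenario is assumed.
"""
import re
import shlex

# Vulnerable pattern: untrusted input concatenated into a shell command string.
# This is the shape a static analyzer flags, because 'host' can carry shell
# metacharacters (';', '&&', '|', ...) that the shell will honour.
def vulnerable_command(host: str) -> str:
    return "ping -c 1 " + host  # would be passed to os.system() / shell=True


def shell_tokens(cmd: str) -> list:
    """Illustrate how a POSIX shell tokenises the string; ';' becomes its own
    token, i.e. a second command. (shlex with punctuation_chars=True)"""
    return list(shlex.shlex(cmd, posix=True, punctuation_chars=True))


# Allow-list for a hostname: labels of letters, digits and hyphens, joined by
# dots, no leading or trailing hyphen in a label. Anything else is rejected.
_HOSTNAME_RE = re.compile(
    r"^(?!-)[A-Za-z0-9-]{1,63}(?<!-)(\.(?!-)[A-Za-z0-9-]{1,63}(?<!-))*$"
)


def hardened_command(host: str) -> list:
    """Validate against the allow-list, then return an argv list. Passing a
    list to subprocess.run(...) without shell=True means no shell parses the
    value, so metacharacters have no special meaning even if validation were
    relaxed later."""
    if not _HOSTNAME_RE.fullmatch(host):
        raise ValueError("rejected host value: %r" % host)
    return ["ping", "-c", "1", host]


if __name__ == "__main__":
    tainted = "example.com; echo pwned"  # constructed sample input
    print(vulnerable_command(tainted))
    print(shell_tokens(vulnerable_command(tainted)))
    print(hardened_command("example.com"))
```

Running the hardened builder on the same tainted input raises ValueError, which is the finding a reviewer wants to see closed rather than merely reported.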

How does one search for vulnerabilities in source code? Security-focused source code reviews at the VA should be performed using the HP Fortify Static Code Analyzer (SCA) tool, which is made freely available by VA to VA application developers, including contractors.
– Fortify benefits:
  – Fast compared to manual review
  – Fast compared to testing
  – Consistent
  – Brings security knowledge with it
  – Makes the security review process easier for non-experts
– Fortify limitations:
  – Does not understand architecture
  – Does not understand application semantics
  – Does not understand business context

Fortify SCA operation (diagram): Source Code → Build Model (compile to an internal model) → Internal Model → Scan (analyze the model and apply security knowledge) → Results. When source code spans multiple languages, each is separately compiled to the internal model and all are scanned together.

How does the V&V Secure Code Review Validation process work?
1. VA application developers request the Fortify software, then use it during development (and maintenance).
2. Prior to release, during the A&A process to obtain an ATO/TATO (or per NSOC direction), developers do a final Fortify scan.
3. A V&V secure code review validation request package, containing the final Fortify scan, the V&V Request Form, and the source code to be delivered, is submitted to the VA Software Assurance Program Office. The validation process checks that no critical or high findings remain, along with other checks, per the SOP.

V&V Secure Code Review Validation process workflow:

Where do I find the necessary forms, procedures, and help for code reviews? The VA Software Assurance Program Office provides a support web site that is accessible both inside and outside of the VA network.
– Link to the VA Software Assurance support site: WA
– Direct link to the VA Secure Code Review Standard Operating Procedures document: ttachments/ /VA%20Secure%20Code%20Review%20SOP.pdf?api=v2
– Link to Frequently Asked Questions: WA/Frequently+Asked+Questions

Thank you! Questions? If you need additional assistance in the future, please contact: