Published by Jeffry Paul. Modified over 9 years ago.
VA SOFTWARE ASSURANCE PROGRAM OFFICE

VA Code Review Process Introduction
Virtual Live Training, 30 Minutes
Training is held virtually over Microsoft Lync
[Seal of the U.S. Department of Veterans Affairs] Office of Information and Technology, Office of Information Security
Welcome!

Thank you for attending this presentation. This presentation is courtesy of the VA Software Assurance Program Office. It is an overview of the concepts and activities involved in the VA Verification and Validation (V&V) Secure Code Review Validation process.
– Please note that VA application components written in the MUMPS and Delphi programming languages are exempt from the V&V secure code review validation process.
Getting Started…

Reviewing application source code for vulnerabilities can be a complex process. The primary objectives of conducting security-focused source code reviews at the VA are to:
– Encourage the use of static analysis tools during the development of VA applications
– Ensure that secure code reviews are performed consistently and cost-efficiently
– Improve the security of VA applications agency-wide
What is meant by vulnerabilities in source code?

Example:
– Command Injection:
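The slide names Command Injection as its example of a source-code vulnerability without showing the code. The following is an added illustration, not from the VA slides and not Program Office tooling: a hypothetical `ping` helper written the way a static analyzer flags it (untrusted input spliced into a shell command string) beside a hardened version that validates the input against an allow-list pattern and passes an argument list so no shell ever parses it. The hostnames used are constructed sample input.

```python
"""Command injection in source code: the flagged pattern beside a hardened form.

Added example (not from the VA slides). The ping helper is a hypothetical
application function; hostnames below are constructed sample input.
"""
import re
import shlex
import subprocess

# Vulnerable form: untrusted input is concatenated into a command string that
# is meant for a shell (os.system / subprocess with shell=True). A static
# analyzer reports this as Command Injection because shell metacharacters in
# `host` (';', '&&', '|', '$(...)') become additional commands.
def build_ping_command_unsafe(host: str) -> str:
    return "ping -c 1 " + host  # never hand this string to a shell


# Allow-list pattern for a DNS hostname (RFC 1123 label rules, 253 chars max).
_HOSTNAME_RE = re.compile(
    r"^(?=.{1,253}$)"
    r"[A-Za-z0-9]([A-Za-z0-9-]{0,61}[A-Za-z0-9])?"
    r"(\.[A-Za-z0-9]([A-Za-z0-9-]{0,61}[A-Za-z0-9])?)*$"
)


def is_valid_hostname(host: str) -> bool:
    """True only for strings that look like a hostname; rejects shell syntax."""
    return bool(_HOSTNAME_RE.match(host))


def build_ping_command_safe(host: str) -> list[str]:
    """Hardened form: validate first, then return an argv list.

    An argv list goes straight to execve; there is no shell to interpret
    metacharacters, so the value can only ever be the ping target.
    """
    if not is_valid_hostname(host):
        raise ValueError(f"rejected hostname: {host!r}")
    return ["ping", "-c", "1", host]


def run_ping(host: str) -> int:
    """Execute the hardened command (shell=False is subprocess's default)."""
    argv = build_ping_command_safe(host)
    return subprocess.run(argv, check=False, capture_output=True).returncode


def unsafe_command_has_extra_shell_syntax(host: str) -> bool:
    """Show why the unsafe form matters without running anything.

    shlex with punctuation_chars=True tokenizes the string the way a POSIX
    shell would, returning operators such as ';', '&&', '|' and '(' as their
    own tokens. Any operator token means the input carried shell syntax.
    """
    command = build_ping_command_unsafe(host)
    lexer = shlex.shlex(command, posix=True, punctuation_chars=True)
    operators = {";", "&&", "||", "|", "&", "(", ")", "<", ">"}
    return any(token in operators for token in lexer)


if __name__ == "__main__":
    for sample in ("example.com", "example.com; id"):  # constructed inputs
        print(repr(sample),
              "unsafe string:", repr(build_ping_command_unsafe(sample)),
              "shell syntax present:", unsafe_command_has_extra_shell_syntax(sample))
        try:
            print("  safe argv:", build_ping_command_safe(sample))
        except ValueError as err:
            print("  rejected:", err)
```

The validation step and the argv-list construction are independent defenses: the allow-list stops unexpected input early with a clear error, and the list form guarantees that even a value which slips past validation cannot be interpreted as shell syntax.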
How does one search for vulnerabilities in source code?

Security-focused source code reviews at the VA should be performed using the HP Fortify Static Code Analyzer (SCA) tool, which VA makes freely available to VA application developers, including contractors.
– Fortify benefits:
  Fast compared to manual review
  Fast compared to testing
  Consistent
  Brings security knowledge with it
  Makes the security review process easier for non-experts
– Fortify limitations:
  Does not understand architecture
  Does not understand application semantics
  Does not understand business context
Fortify SCA operation:

[Diagram] Source Code (one or more languages) -> Build Model (compile to an internal model) -> Internal Model -> Scan (analyze the model and apply security knowledge) -> Results
When source code spans multiple languages, each is separately compiled to the internal model and all are scanned together.
How does the V&V Secure Code Review Validation process work?

1. VA application developers request the Fortify software, then use it during development (and maintenance).
2. Prior to release, during the A&A process to obtain an ATO/TATO (or per NSOC direction), developers do a final Fortify scan.
3. A V&V secure code review validation request package, containing the final Fortify scan, the V&V Request Form, and the source code to be delivered, is submitted to the VA Software Assurance Program Office. The validation process checks that no critical or high findings remain, along with other checks, per the SOP.
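Step 3 says the validation checks that no critical or high findings remain in the final scan. The following is an added example of that gate as a developer might run it before submitting the package; it is not the Program Office's tooling. It assumes the scan findings have been exported to a CSV with the columns `category,priority,file,line` (an assumed layout, not a documented Fortify export format); the priority tiers Critical/High/Medium/Low follow Fortify Priority Order. The rows embedded below are constructed sample data.

```python
"""Release gate over a static-analysis findings export.

Added example, not Program Office tooling. The CSV layout (category, priority,
file, line) is an assumed export format; the priority tiers follow Fortify
Priority Order. All rows in SAMPLE_FINDINGS_CSV are constructed sample data.
"""
import csv
import io
from collections import Counter
from dataclasses import dataclass

PRIORITY_ORDER = ("Critical", "High", "Medium", "Low")
BLOCKING_PRIORITIES = frozenset({"Critical", "High"})

# Constructed sample export: what a final scan with remaining findings might look like.
SAMPLE_FINDINGS_CSV = """category,priority,file,line
Command Injection,Critical,src/net/PingService.java,42
SQL Injection,High,src/db/UserDao.java,118
Path Manipulation,Medium,src/io/Export.java,77
Unreleased Resource: Streams,Low,src/io/Export.java,90
"""


@dataclass(frozen=True)
class Finding:
    category: str
    priority: str
    file: str
    line: int


def parse_findings(csv_text: str) -> list[Finding]:
    """Parse the export, failing closed on any priority outside the known tiers.

    An unrecognized priority (a typo, a renamed column, a new tier) must not
    silently count as non-blocking, so it is an error rather than a skip.
    """
    findings = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        priority = row["priority"].strip().title()
        if priority not in PRIORITY_ORDER:
            raise ValueError(f"unknown priority {row['priority']!r} in {row['file']}:{row['line']}")
        findings.append(Finding(row["category"].strip(), priority,
                                row["file"].strip(), int(row["line"])))
    return findings


def summarize(findings: list[Finding]) -> dict[str, int]:
    """Count findings per priority tier, listing every tier even when zero."""
    counts = Counter(f.priority for f in findings)
    return {tier: counts.get(tier, 0) for tier in PRIORITY_ORDER}


def blocking_findings(findings: list[Finding]) -> list[Finding]:
    """The findings the validation step would reject the package for."""
    return [f for f in findings if f.priority in BLOCKING_PRIORITIES]


def gate_release(csv_text: str) -> tuple[bool, dict[str, int]]:
    """Return (passed, per-tier counts); passed is True only with zero Critical/High."""
    findings = parse_findings(csv_text)
    return len(blocking_findings(findings)) == 0, summarize(findings)


def gate_report(csv_text: str) -> str:
    """Human-readable summary listing each blocking finding by location."""
    findings = parse_findings(csv_text)
    blocking = blocking_findings(findings)
    lines = [f"{tier}: {n}" for tier, n in summarize(findings).items()]
    for f in blocking:
        lines.append(f"  BLOCKING {f.priority} {f.category} at {f.file}:{f.line}")
    lines.append("RESULT: " + ("PASS" if not blocking else "FAIL (critical/high findings remain)"))
    return "\n".join(lines)


if __name__ == "__main__":
    print(gate_report(SAMPLE_FINDINGS_CSV))
```

Running this over the constructed export fails the gate, naming the Critical and High findings that would have to be fixed before the package is submitted; Medium and Low findings are reported but do not block, matching the check the slide describes.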
V&V Secure Code Review Validation process workflow:
Where do I find the necessary forms, procedures, and help for code reviews?

The VA Software Assurance Program Office provides a support web site that is accessible both inside and outside of the VA network.
– Link to VA Software Assurance support site: https://wiki.mobilehealth.va.gov/display/OISSWA
– Direct link to VA Secure Code Review Standard Operating Procedures document: https://wiki.mobilehealth.va.gov/download/attachments/24482308/VA%20Secure%20Code%20Review%20SOP.pdf?api=v2
– Link to Frequently Asked Questions: https://wiki.mobilehealth.va.gov/display/OISSWA/Frequently+Asked+Questions
Thank you! Questions?

If you need additional assistance in the future, please contact:
– OISSwASupportGroup@va.gov