Published by Jared Caldwell. Modified over 9 years ago.

Feb 2007 http://www.nodc.noaa.gov/sog

Software Development and IT Security at NOAA/NESDIS/NODC
John Relph and Ken Casey
NOAA National Oceanographic Data Center
February 2007

Secure Application Design and Implementation
Consider security from the start
- Treat security as integral part of overall system design
- Difficult and costly to add security after implementation
Applications must be audited before deployment
- Standard practice at NODC and NESDIS
- Required by Certification and Accreditation (CnA)
Engineer for Simplicity, Reusability, and Modularity
- Remove redundancies

Follow Standard Practices
NIST Special Publication 800-27A
- Engineering Principles for Information Technology Security (A Baseline for Achieving Security)
NIST Special Publication 800-53
- Recommended Security Controls for Federal Information Systems
Developer Standard Practice
- Check all inputs for validity
- Prevent input from being interpreted as commands
- Buffer overflows, format string errors
- Perform peer code reviews

Process Improvement
How to speed things up?
- Perform internal security audits
- Include audit history in documentation
- Include results of any external audits
How to improve the product?
- Use standard library to check all user inputs
- Separate user interface from internals
Achieved with OLFS - BES split?
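
Added example, not from the original slides or from NODC code: one shared validation module that the user-interface side calls on every request, and an internal side that accepts only the validated values and hands them to a program as an argument list so that input is never interpreted as a command. The field names, limits and the echo stand-in for the internal program are assumptions made for illustration.

```python
import re
import subprocess
import sys
from datetime import date

# Hypothetical request fields for a data-subsetting service (constructed).
FIELDS = {"dataset", "lat", "date"}
_DATASET_RE = re.compile(r"[A-Za-z0-9_]{1,32}")

class InvalidInput(ValueError):
    """Raised by the shared validators; the front end turns it into an error reply."""

def check_dataset(value):
    # Allow-list: only characters with no meaning to a shell, path or query.
    if not isinstance(value, str) or not _DATASET_RE.fullmatch(value):
        raise InvalidInput("dataset: expected 1-32 letters, digits or underscores")
    return value

def check_latitude(value):
    try:
        lat = float(value)
    except (TypeError, ValueError):
        raise InvalidInput("lat: not a number") from None
    if not -90.0 <= lat <= 90.0:  # the chained comparison also rejects NaN
        raise InvalidInput("lat: outside -90..90")
    return lat

def check_date(value):
    try:
        return date.fromisoformat(value)
    except (TypeError, ValueError):
        raise InvalidInput("date: expected an ISO date such as 2007-02-01") from None

def validate_request(raw):
    """User-interface side: untrusted strings in, typed values out, or InvalidInput."""
    if set(raw) != FIELDS:
        raise InvalidInput("fields must be exactly: " + ", ".join(sorted(FIELDS)))
    return {"dataset": check_dataset(raw["dataset"]),
            "lat": check_latitude(raw["lat"]),
            "date": check_date(raw["date"])}

# Stand-in for the internal program (assumption): it just echoes its arguments.
ECHO_BACKEND = (sys.executable, "-c", "import sys; print(sys.argv[1:])")

def run_backend(req, program=ECHO_BACKEND):
    """Internal side: takes only validated values and passes them as an argv
    list with no shell, so no value can be parsed as a command."""
    argv = [*program, req["dataset"], f"{req['lat']:.4f}", req["date"].isoformat()]
    done = subprocess.run(argv, capture_output=True, text=True, check=True)
    return done.stdout.strip()
```

Because every field goes through the same module, an audit can review the checks in one place instead of in each form handler.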