1:1 with Joe Jarzombek

Picture of Joe Jarzombek

Reducing costs with software quality and security by gaining compliance

We sat down with Joe Jarzombek to discuss “The Cost of Poor Software Quality in the U.S.: A 2020 Report” and its implications for aerospace and defense organizations. Jarzombek is the director of government and critical infrastructure programs at Synopsys and a certified secure software life cycle professional. He has 30+ years of experience with defense agencies, military services, and the defense industry. A retired U.S. Air Force Lt. Colonel, he served in U.S. space programs, electronic warfare, and aerospace-embedded computer resources. He later served in the U.S. Office of the Secretary of Defense (OSD) and in the U.S. Department of Homeland Security (DHS). He also serves on standards bodies and the Governing Board of the Consortium for Information and Software Quality (CISQ).

Q: How do you see the role of standards, guidelines, and contracts relative to software assurance and cyber security certifications?

Aerospace and defense must address mission-assurance needs, which requires an outcome-based focus on software assurance and cyber security. Standards convey expectations and establish quantifiable metrics. For operational needs, they automate the collection and reporting of standards-based measures, especially in a DevSecOps environment. However, many relevant standards are often underused.

 

For example, standards and guidelines need contractual specification and use, especially for high-assurance applications. To address this, the Department of Defense (DOD) Software Assurance Community of Practice developed key guidance called “Incorporating Software Assurance into DOD Acquisition Contracts.” But it remains underused.

To counter the potential effects of cyber attacks and to protect cyber capabilities, DOD missions must focus heavily on prevention by using relevant standards and guidelines to mitigate exploitable weaknesses and vulnerabilities in software before deployment. Cyber assets must be reliable and have near-continuous availability. Defense systems must be hardened against the risk exposures from exploitable flaws in component design

Q: How does a software Bill of Materials contribute to software security?

Given the complexity of aerospace and defense systems, it is extremely important that acquisition programs require a software Bill of Materials (SBOM) in all procured cyber assets. Prevention and protection start with knowing what's in your cyber assets. An SBOM enables faster response to the changing threat environment because it helps to identify where a new threat impacts the enterprise and deployed systems. Without it, you won’t know if or where your mission capabilities might have been compromised.

Q: What is CISQ?

The Consortium for Information and Software Quality (CISQ) is an industry leadership group that develops international standards for automating the measurement of software size and structural quality from the source code, which is needed for software assurance. CISQ standards enable organizations developing or acquiring software-intensive systems to measure the operational risk software poses to the business, as well as estimate the cost of ownership. CISQ was cofounded by the Object Management Group (OMG) and Software Engineering Institute (SEI) at Carnegie Mellon University, and Synopsys is one of the sponsoring companies.

 

Q: How does CISQ contribute to software assurance and cyber security standards, including those that address data protection?

CISQ developed the Automated Source Code Data Protection Measure (ASCDPM) based on a collection of relevant software weaknesses from the Common Weakness Enumeration (CWE) repository. DevSecOps teams can use the ASCDPM in application security testing to reveal source vectors for data leakage or data corruption, as well as indicators for non-compliance with respective data protection/privacy guidelines. If organizations are using software running as part of a network-connected asset that contains one or more of these CWEs, then the organizational enterprise is at risk of not being conformant with data protection requirements. That’s why this complements the Cybersecurity Maturity Model Certification (CMMC), which is based primarily on the National Institute of Standards and Technology (NIST) special publication (SP), NIST SP 800-171: Protecting Controlled Unclassified Information in Nonfederal Systems. 

Before the CMMC, contractors had to implement, monitor, and certify the security of their information technology (IT) systems and any sensitive information stored on or transmitted by those systems without a framework. Contractors must still implement critical cyber security requirements, but the CMMC third-party compliance framework includes mandatory practices, procedures, and capabilities that can adapt to new and evolving cyber threats. 

Although many DOD contracts require CMMC, it’s available to any company or agency with the need for data protection. It helps alleviate security-conscious data protection concerns associated with many sectors including healthcare, financial services, automotive, energy, and telecommunications, as well as in cross-sector-enabling technologies like data centers and the Internet of Things (IoT). 

Q: Is this only relevant to aerospace and defense?

This data protection measure is relevant to guidelines associated with privacy and data protection laws and regulations such as the CMMC, Health Insurance Portability and Accountability Act (HIPAA), General Data Protection Regulation (GDPR), and California Consumer Privacy Act (CCPA). The Automated Source Code Data Protection Measure spotlights the relevance of CWEs for enterprises seeking to comply with regulatory guidance associated with data protection and privacy. Many organizations undergo process assessments associated with the CMMC, GDPR, and CCPA, as well as information security standards like ISO 27001, NIST SP 800-53, and NIST SP 800-171.

Q: What other projects is CISQ involved with that are of interest to the aerospace and defense community?

In addition to the Automated Source Code Data Protection Measure, a joint working group of CISQ and OMG is developing a Tool-to-Tool Software Bill of Materials Exchange with the objective of creating a standard that defines an SBOM. And the Architecture and Flow Measures for Modernization and DevOps Pipelines working group is developing international standards for a new generation of software measures targeted at DevOps and modernization.

CISQ also published “The Cost of Poor Software Quality (CPSQ) in the U.S.: A 2020 Report,” which quantifies the impact of poor software quality on the U.S. economy, referencing publicly available source material.

Q: What are the key takeaways from the CPSQ report that are applicable to aerospace and defense?

Software quality is described in relevant standards such as ISO/IEC 25010 that recognize security as a characteristic of software quality. Key findings from CPSQ report include:

  • Operational software failure is the leading driver of the CPSQ, estimated at US$1.56 trillion annually (a 22% increase since 2018).
  • Unsuccessful development projects, the next-largest growth area of the CPSQ, is estimated at US$260 billion.
  • The CPSQ for legacy system problems was estimated at US$520 billion.

A key implication of the findings is that software developers spend more time sustaining engineering and responding to cyber events than on developing new innovations and resisting zero-day attacks.

The findings apply to government, defense, and aerospace because the technical debt from poor software quality hampers delivery of new capabilities. Like other parts of industry and government, the defense industrial base spends more time and effort correcting technical debt than on proactive, creative, or preventive work—which has a cost to society even greater than the numbers listed in the CPSQ report and makes up a significant portion of the annual gross domestic product

Q: What changes do you recommend for the aerospace and defense industry?

Software quality and security are about addressing the needs for mission assurance, which requires an outcome-based focus on software assurance and cyber security throughout the life cycle. To scale and respond to operational needs while reducing technical debt, aerospace and defense organizations must automate the collection and reporting of standards-based measures, especially in a DevQualOps or DevSecOps environment

Reduce the cost of quality and deliver new capabilities faster

The primary recommendation is to reduce the cost of quality and deliver new capabilities faster. One way to do this is by “shifting left”—performing security activities earlier in the software development life cycle (SDLC). To reduce software failures, developers and DevSecOps teams should:

  • Address security as part of quality defect prevention
  • Automate quality in workflows by using tools with security domain checkers
  • Understand how key CWEs and CVEs are exploited to turn a weakness into a vulnerability
  • Minimize failures by mitigating weaknesses (CWEs) and vulnerabilities/exposures (CVEs)
  • Leverage the CISQ Automated Source Code Data Protection Measure
  • Minimize risks attributable to open source software modules and libraries
Benchmark against peer organizations

Another recommendation is to benchmark against peer organizations using the Synopsys “DevSecOps Practices and Open Source Software Management 2020” report. The recommendations of that report include:

  • Use DevSecOps tools.
  • Secure the entire SDLC.
  • Manage open source code selection, governance, security, patching, and sustainability.
Identify weaknesses, vulnerabilities, failure symptoms, defects, and improvement targets

The CPSQ report also recommends overcoming the “lack of understanding of internal functionality” in legacy systems by identifying weaknesses, vulnerabilities, failure symptoms, defects, and improvement targets:

  • Rehost to move systems from the mainframe to the cloud.
  • Replatform to speed code execution on new hardware.
  • Refactor to reduce technical debt and future failures.
  • Create SBOMs for all network-connected assets to enable resiliency in a changing threat environment.
  • Use relevant standards such as ISO/IEC 25010 and the OMG Automated Source Code Quality Measures from CISQ.
Employ quality practices

In addition, the CPSQ report recommends employing quality practices:

  • Prioritize needs and requirements.
  • Control scope changes and minimize complexity.
  • Plan for defect fixing and refactoring.
  • Establish rigorous quality gates.
  • Test components early and often.
  • Invest in quality engineering tools.
Automate quality in workflows

The final recommendation is to automate quality in workflows by using tools with “security domain checkers under the hood” that enable organizations to select tools and services for their continuous integration/continuous development (CI/CD) pipeline. Synopsys offers quality tools and services to automate software development.

Synopsys offers quality tools and services to ‘shift left’ and automate quality software development:

Q: Where can readers go to learn more?