We sat down with Joe Jarzombek to discuss “The Cost of Poor Software Quality in the U.S.: A 2020 Report” and its implications for aerospace and defense organizations. Jarzombek is the director of government and critical infrastructure programs at Synopsys and a certified secure software life cycle professional. He has 30+ years of experience with defense agencies, military services, and the defense industry. A retired U.S. Air Force Lt. Colonel, he served in U.S. space programs, electronic warfare, and aerospace-embedded computer resources. He later served in the U.S. Office of the Secretary of Defense (OSD) and in the U.S. Department of Homeland Security (DHS). He also serves on standards bodies and the Governing Board of the Consortium for Information and Software Quality (CISQ).
Aerospace and defense must address mission-assurance needs, which requires an outcome-based focus on software assurance and cyber security. Standards convey expectations and establish quantifiable metrics. To meet operational needs, organizations automate the collection and reporting of standards-based measures, especially in a DevSecOps environment. However, many relevant standards remain underused.
For example, standards and guidelines need contractual specification and use, especially for high-assurance applications. To address this, the Department of Defense (DOD) Software Assurance Community of Practice developed key guidance called “Incorporating Software Assurance into DOD Acquisition Contracts.” But it remains underused.
To counter the potential effects of cyber attacks and to protect cyber capabilities, DOD missions must focus heavily on prevention by using relevant standards and guidelines to mitigate exploitable weaknesses and vulnerabilities in software before deployment. Cyber assets must be reliable and have near-continuous availability. Defense systems must be hardened against the risk exposures from exploitable flaws in component design.
Given the complexity of aerospace and defense systems, it is extremely important that acquisition programs require a software Bill of Materials (SBOM) in all procured cyber assets. Prevention and protection start with knowing what's in your cyber assets. An SBOM enables faster response to the changing threat environment because it helps to identify where a new threat impacts the enterprise and deployed systems. Without it, you won’t know if or where your mission capabilities might have been compromised.
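The "where does a new threat hit us" question above is answered by joining the SBOMs of deployed assets against an advisory. The following is an added illustration, not code from the article, from Synopsys, or from CISQ: it reads two constructed, simplified CycloneDX-style SBOMs (the asset names, component names and versions are invented) and a constructed advisory with a placeholder identifier, and reports which assets ship an affected version.

```python
import json
from typing import Dict, List, Tuple

# Constructed, simplified SBOMs for two fictitious deployed assets.
# The layout loosely follows CycloneDX (bomFormat/components); every
# asset, component and version below is invented for this example.
SBOMS_JSON = """
[
  {"bomFormat": "CycloneDX", "asset": "ground-station-gw",
   "components": [
     {"name": "libtls-example", "version": "1.4.2"},
     {"name": "msgparse-example", "version": "0.9.0"}
   ]},
  {"bomFormat": "CycloneDX", "asset": "telemetry-archiver",
   "components": [
     {"name": "libtls-example", "version": "1.6.0"},
     {"name": "jsonlib-example", "version": "2.1.3"}
   ]}
]
"""

# Constructed advisory: a hypothetical flaw in libtls-example that is
# fixed in 1.5.0. The identifier is a placeholder, not a real CVE.
ADVISORY = {
    "id": "ADVISORY-PLACEHOLDER-0001",
    "component": "libtls-example",
    "fixed_in": "1.5.0",
}


def parse_version(v: str) -> Tuple[int, ...]:
    """Turn '1.4.2' into (1, 4, 2) so versions compare numerically,
    which a plain string comparison would get wrong for '1.10.0'."""
    return tuple(int(part) for part in v.split("."))


def is_affected(version: str, fixed_in: str) -> bool:
    """A component is affected when its version is below the fixed one."""
    return parse_version(version) < parse_version(fixed_in)


def impacted_assets(sboms: List[dict], advisory: dict) -> Dict[str, List[str]]:
    """Map each asset name to the affected component@version strings it ships."""
    hits: Dict[str, List[str]] = {}
    for bom in sboms:
        for comp in bom["components"]:
            if comp["name"] == advisory["component"] and is_affected(
                comp["version"], advisory["fixed_in"]
            ):
                hits.setdefault(bom["asset"], []).append(
                    f'{comp["name"]}@{comp["version"]}'
                )
    return hits


def triage(sboms_json: str = SBOMS_JSON, advisory: dict = ADVISORY) -> Dict[str, List[str]]:
    """Parse the SBOM inventory and return the assets the advisory touches."""
    return impacted_assets(json.loads(sboms_json), advisory)


if __name__ == "__main__":
    for asset, comps in triage().items():
        print(f"{asset}: needs attention for {', '.join(comps)}")
```

Only the asset carrying the older build is flagged; the one already on a fixed version is cleared without a manual inventory. Without the SBOM inventory there is nothing to join the advisory against, which is the point the paragraph makes.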
The Consortium for Information and Software Quality (CISQ) is an industry leadership group that develops international standards for automating the measurement of software size and structural quality from the source code, which is needed for software assurance. CISQ standards enable organizations developing or acquiring software-intensive systems to measure the operational risk software poses to the business, as well as estimate the cost of ownership. CISQ was cofounded by the Object Management Group (OMG) and Software Engineering Institute (SEI) at Carnegie Mellon University, and Synopsys is one of the sponsoring companies.
CISQ developed the Automated Source Code Data Protection Measure (ASCDPM) based on a collection of relevant software weaknesses from the Common Weakness Enumeration (CWE) repository. DevSecOps teams can use the ASCDPM in application security testing to reveal source vectors for data leakage or data corruption, as well as indicators of non-compliance with the respective data protection/privacy guidelines. If an organization runs software containing one or more of these CWEs as part of a network-connected asset, then the organizational enterprise is at risk of not conforming with data protection requirements. That is why the ASCDPM complements the Cybersecurity Maturity Model Certification (CMMC), which is based primarily on the National Institute of Standards and Technology (NIST) special publication (SP) NIST SP 800-171: Protecting Controlled Unclassified Information in Nonfederal Systems.
Before the CMMC, contractors had to implement, monitor, and certify the security of their information technology (IT) systems and any sensitive information stored on or transmitted by those systems without a framework. Contractors must still implement critical cyber security requirements, but the CMMC third-party compliance framework includes mandatory practices, procedures, and capabilities that can adapt to new and evolving cyber threats.
Although many DOD contracts require CMMC, it’s available to any company or agency with the need for data protection. It helps alleviate security-conscious data protection concerns associated with many sectors including healthcare, financial services, automotive, energy, and telecommunications, as well as in cross-sector-enabling technologies like data centers and the Internet of Things (IoT).
This data protection measure is relevant to guidelines associated with privacy and data protection laws and regulations such as the CMMC, Health Insurance Portability and Accountability Act (HIPAA), General Data Protection Regulation (GDPR), and California Consumer Privacy Act (CCPA). The Automated Source Code Data Protection Measure spotlights the relevance of CWEs for enterprises seeking to comply with regulatory guidance associated with data protection and privacy. Many organizations undergo process assessments associated with the CMMC, GDPR, and CCPA, as well as information security standards like ISO 27001, NIST SP 800-53, and NIST SP 800-171.
In addition to the Automated Source Code Data Protection Measure, a joint working group of CISQ and OMG is developing a Tool-to-Tool Software Bill of Materials Exchange with the objective of creating a standard that defines an SBOM. And the Architecture and Flow Measures for Modernization and DevOps Pipelines working group is developing international standards for a new generation of software measures targeted at DevOps and modernization.
CISQ also published “The Cost of Poor Software Quality (CPSQ) in the U.S.: A 2020 Report,” which quantifies the impact of poor software quality on the U.S. economy, referencing publicly available source material.
Software quality is described in relevant standards such as ISO/IEC 25010, which recognize security as a characteristic of software quality. Key findings from the CPSQ report include:
A key implication of the findings is that software developers spend more time sustaining engineering and responding to cyber events than on developing new innovations and resisting zero-day attacks.
The findings apply to government, defense, and aerospace because the technical debt from poor software quality hampers delivery of new capabilities. Like other parts of industry and government, the defense industrial base spends more time and effort correcting technical debt than on proactive, creative, or preventive work, which has a cost to society even greater than the numbers listed in the CPSQ report and makes up a significant portion of the annual gross domestic product.
Software quality and security are about addressing the needs for mission assurance, which requires an outcome-based focus on software assurance and cyber security throughout the life cycle. To scale and respond to operational needs while reducing technical debt, aerospace and defense organizations must automate the collection and reporting of standards-based measures, especially in a DevQualOps or DevSecOps environment.
The primary recommendation is to reduce the cost of quality and deliver new capabilities faster. One way to do this is by “shifting left”—performing security activities earlier in the software development life cycle (SDLC). To reduce software failures, developers and DevSecOps teams should:
Another recommendation is to benchmark against peer organizations using the Synopsys “DevSecOps Practices and Open Source Software Management 2020” report. The recommendations of that report include:
The CPSQ report also recommends overcoming the “lack of understanding of internal functionality” in legacy systems by identifying weaknesses, vulnerabilities, failure symptoms, defects, and improvement targets:
In addition, the CPSQ report recommends employing quality practices:
The final recommendation is to automate quality in workflows by using tools with “security domain checkers under the hood” that enable organizations to select tools and services for their continuous integration/continuous development (CI/CD) pipeline.
Synopsys offers quality tools and services to ‘shift left’ and automate quality software development: