A DHS tool automatically tests and vets government mobile device code prior to release.
A new software tool allows federal agencies to scan mobile device applications for security and accessibility issues prior to publishing them. The automated process allows developers to check their code rapidly against a variety of government guidelines to ensure that new mobile applications keep personnel and their organizations safe from hacking and other malicious outside threats.
Developed by the
Besides security, an important measure is compliance with Section 508 of the Workforce Rehabilitation Act, which requires all federally developed electronic information to be accessible to people with disabilities. If the application meets DHS guidelines, the agencies can publish it. If not, they can make changes based on the dashboard's recommendations and restart the cycle.
According to DHS officials, CarWash allows agencies to reuse or "piggyback" on work done by other agencies, and it helps the DHS directly support the Obama administration's digital government strategy. CarWash is also part of a larger effort by the DHS to embrace open source software to save on information technology-related costs, explains
CarWash began as a pilot program at the DHS, but the broader goal was to make it available to the entire federal government, Capella says. CarWash works by running a series of tests on any potential mobile application that might be used by the DHS. For example, Android or iOS applications would be analyzed for good coding practices. CarWash looks for security holes such as SQL injection or other flaws that might be exploited, he says.
The tool also determines if the most current version of a product is being used. CarWash provides agencies with a series of automated tests and produces feedback as to whether or not the organization has done a good job of coding a particular application, Capella explains. "It gives you everything from coding best practices all the way to security, [section] 508 and other compliance checks," he says.
"This is one of the ways we want to tune up the way we're using open source," Capella adds. But the challenge is not to introduce security holes or other issues while the DHS is trying to make use of these open source mobile platforms. While the program was in the early pilot phase, he notes, CarWash was presented to the federal Chief Information Officers (
CarWash is hosted in the DHS public cloud. It was developed by the DHS in collaboration with the
While it was developing and piloting CarWash, the DHS began a dialogue with vendors about security issues on products and how the tool could best detect them, Capella says. Vendors participated by demonstrating how they could add additional value and security to the code they provide to the DHS and other federal agencies. For example, he notes, one vendor specifically focused on examining modules within the application's code. In this case, it was not simply buying a single open source product; there are objects inside a product that can come from sources that could be security risks. He adds that this particular vendor pointed out that there are pieces of code in a software release that may or may not be the most correct for an agency's mobile application.
Capella is pleased that the vendor community is working to help the DHS and other federal agencies on mobile device security. This is especially important when dealing with open source software, where various modules can come together to form larger components within the environment. An important part of CarWash is to help facilitate the sharing of software modules between agencies to rapidly piece together mobile applications. However, these "greater wholes" can be potential trouble if they are not analyzed and vetted, he adds.
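The article describes two of CarWash's checks in general terms: scanning application code for flaws such as SQL injection (see the paragraph on how CarWash works) and checking whether the modules and product versions an application pulls in are current and vetted (the paragraphs above on version checks and vendor module review). As an added illustration, not CarWash's own code (which the article does not show), the following Python script applies both ideas to an Android project: it flags SQLite calls whose statement text is built by string concatenation, and it compares declared Gradle dependencies against a table of currently approved versions. The Java source, the Gradle fragment, the `org.example` artifacts and the version table are all constructed for the example; the regular expressions are simple heuristics, not a full parser.

```python
"""Illustrative pre-release checks for an Android app, in the spirit of the
CarWash scans described above (example code, not the DHS tool's own)."""
import re

# Heuristic: a SQLite call whose first argument is a string literal followed
# by '+', i.e. statement text assembled by concatenation rather than bound
# parameters. Bound parameters ("... = ?", new String[]{value}) do not match.
SQL_CALL = re.compile(r'\b(rawQuery|execSQL)\s*\(\s*"[^"]*"\s*\+')

# Heuristic: Gradle 'implementation' lines of the form group:artifact:version.
GRADLE_DEP = re.compile(r"implementation\s+['\"]([^:'\"]+):([^:'\"]+):([^'\"]+)['\"]")


def find_concatenated_sql(source):
    """Return (line_number, call_name) for each SQL call built by concatenation."""
    findings = []
    for lineno, line in enumerate(source.splitlines(), 1):
        m = SQL_CALL.search(line)
        if m:
            findings.append((lineno, m.group(1)))
    return findings


def parse_version(text):
    """Turn '1.2.0' into (1, 2, 0) so versions compare numerically, not as strings."""
    return tuple(int(part) for part in text.split('.'))


def find_outdated_dependencies(gradle_text, approved_versions):
    """Return (dependency, declared, approved) for each dependency behind the
    approved version table. Dependencies absent from the table are skipped."""
    outdated = []
    for group, artifact, declared in GRADLE_DEP.findall(gradle_text):
        key = f"{group}:{artifact}"
        approved = approved_versions.get(key)
        if approved and parse_version(declared) < parse_version(approved):
            outdated.append((key, declared, approved))
    return outdated


def run_checks(source, gradle_text, approved_versions):
    """Combine both checks into one report; an app is publishable only if clean."""
    sql = find_concatenated_sql(source)
    deps = find_outdated_dependencies(gradle_text, approved_versions)
    return {"sql_concatenation": sql, "outdated_dependencies": deps,
            "publishable": not sql and not deps}


# Constructed sample input: one unsafe and one safe query in the same class.
SAMPLE_JAVA = """public class UserDao {
    Cursor findUser(SQLiteDatabase db, String name) {
        // unsafe: caller-controlled text spliced into the statement
        return db.rawQuery("SELECT * FROM users WHERE name = '" + name + "'", null);
    }
    Cursor findUserSafe(SQLiteDatabase db, String name) {
        // safe: value supplied as a bound parameter
        return db.rawQuery("SELECT * FROM users WHERE name = ?", new String[]{name});
    }
}
"""

# Constructed sample build file and an assumed table of approved versions
# (fictional org.example artifacts, not real libraries).
SAMPLE_GRADLE = """dependencies {
    implementation 'org.example:net-client:1.2.0'
    implementation 'org.example:crypto-utils:3.0.1'
    implementation 'org.example:ui-widgets:2.5.0'
}
"""
APPROVED_VERSIONS = {
    "org.example:net-client": "1.4.0",    # sample is behind -> flagged
    "org.example:crypto-utils": "3.0.1",  # sample is current
    "org.example:ui-widgets": "2.4.9",    # sample is ahead -> not flagged
}

if __name__ == "__main__":
    report = run_checks(SAMPLE_JAVA, SAMPLE_GRADLE, APPROVED_VERSIONS)
    for lineno, call in report["sql_concatenation"]:
        print(f"line {lineno}: {call}() builds SQL by concatenation; use bound parameters")
    for dep, declared, approved in report["outdated_dependencies"]:
        print(f"{dep}: declared {declared}, approved version is {approved}")
    print("publishable:", report["publishable"])
```

Run against the constructed samples, the script flags the `rawQuery` call on line 4 and the `net-client` dependency, and reports the app as not publishable; fixing both and re-running mirrors the "change, then restart the cycle" loop the article describes.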
The DHS uses open source software for its public-facing clouds. Capella notes that the department is migrating almost entirely to open source for its public websites. While this move has been very valuable and cost-effective for the agency, it adds security challenges because these products have seams in their security protocols that do not necessarily overlap. "You rarely have a suite that runs the full gamut [of security protocols]," he explains.
It is in this area where the most friction concerning usability and security issues exists, but Capella adds that overall the department is very pleased with using open source software and the options that it provides. Open source allows different software tools to be inserted and swapped rapidly to meet new needs over time. "We're not locked in as we might be with a closed ecosystem, which we prefer. And we certainly prefer the price point," he says.
The DHS also is looking at additional governance tools for mobile applications. Capella notes that the department wants to keep mobile device security as tightly locked down as possible. An important part of this process is ensuring that applications are delivered in a highly secure manner. The department is looking at iOS, which might be more secure in some ways than Android, given Android's openness. "Overall, that is our intent, to deploy solutions that support digital government and make accessible more data for the community," he says.
To support this, the DHS wants to bring in more small applications development firms to write software for the government. This is where tools such as CarWash are necessary to vet these applications and to ensure that they do not have Trojan horses or other software issues in them, Capella maintains.
The DHS runs 13 separate clouds, Capella says. Three of these clouds are public-facing, and one of these three is still in the process of being deployed, he adds. The DHS is using a number of management tools to help run these clouds. Department administrators use several open source configuration management tools to help with billing and other routine operations. However, the software composition of the clouds varies, with the external clouds being mostly open source, while the internal clouds are a mixture of both. Capella notes that the blending of open source and proprietary software does not cause many configuration issues.
Additionally, the department relies on legacy applications that may not interact well with open source systems. Because rebuilding these older applications would be prohibitive or impossible, there needs to be an environment for them to operate in, he explains. The department has modified them wherever possible to operate with other systems, but some of these applications "have painted themselves into corners" and cannot operate with other, newer software or middleware. "We have some old software that just can't be patched without breaking the application," he says.
CarWash is part of a broader DHS effort to create a common operating environment hosting a ubiquitous information technology platform that could be upgraded easily without the need for major development or modifications. DHS officials note the department is constructing a Web interface that will allow federal agencies to buy vetted cloud computing services. The purchases will be made via a Web interface designed to promote the rapid development and deployment of Web and mobile services, officials say. "We find open source works for us, both for security, [Section] 508 and other compliance and we intend to continue to push in that direction," Capella states.