This article originally appeared in NASA Secure Coding, Volume 1, Number 1 (NASA Only). NASA Secure Coding is a new publication produced by NASA’s Office of the Chief Information Officer and NASA’s Independent Verification and Validation Program; it is hosted on the NASA Engineering Network. The newsletter focuses on NASA mission software security and vulnerabilities or Common Weakness Enumerations that are affecting NASA ground and flight missions during operations or in development.
NASA’s Office of the Chief Information Officer (OCIO) and Independent Verification and Validation (IV&V) Program are very pleased to announce the release of the “Secure Coding Portal (SCP)” as a subcommunity on the NASA Engineering Network! This portal provides information to software developers on how to develop code in a secure fashion. It is a single touch point for learning about the rules, guidelines, tools, resources, and requirements for coding securely. In addition to the portal, future editions of this Secure Coding Newsletter will be developed and distributed.
“What is secure coding?”
Secure coding is the art of writing software that is impervious, or at the very least much less vulnerable, to attack by malicious people or programs. Secure coding helps protect a program’s data from theft or corruption. An insecure program can provide access for an attacker to take control of ground and/or flight systems, resulting in anything from a denial of service to the compromise of information or severe damage to the system, leading to failure of the mission. Knowing how to write code securely is important for all types of software in all types of environments.
The SCP team at NASA’s IV&V Program has been working on collecting and housing content and tools that should be of great use to developers looking to improve the overall security posture of their software. The SCP team has partnered with industry experts and authors to develop a custom tutorial in Secure Coding that is on the SCP.
Those who complete the Secure Coding and Standards tutorial will learn about high-impact risks to an organization and to its systems and missions caused by existing and emerging threats. Software developers will learn how to mitigate these risks by developing secure software systems. In particular, developers will learn how to securely develop code in the Java, C, and C++ programming languages, how to apply secure coding standards to the development of software systems, and how to apply defense-in-depth mitigation strategies to eliminate software vulnerabilities. Developers will also be introduced to a broad range of secure coding practices across the software development lifecycle that can improve the security of deployed systems. Completing this tutorial will give developers the confidence to begin coding securely in C, C++, and Java and provide them with pointers to important resources to further advance their knowledge of secure coding.
In addition to the custom tutorial, the SCP also includes:
- Secure Coding Discussion Forum – providing a friendly environment to discuss all aspects of Secure Coding with fellow engineers and our experts.
- Vulnerability Updates – containing information about the latest software vulnerabilities and any insight into what systems, or types of systems, could be affected, along with how to detect and mitigate these vulnerabilities.
- Tools – containing information about tools utilized by NASA for security analysis of software, including references and any relevant insight/lessons learned from NASA practitioners.
- Links – containing references to security standards, documentation, and information.
- Videos – containing relevant educational videos on secure coding topics.
- Ask an Expert – providing the ability for any community member to request assistance from field experts.
The SCP team hopes the information contained within the Secure Coding Portal, and within these newsletters, will be of great value to developers. For any questions, comments, or suggestions, feel free to reach out to one of our team members. The SCP team’s contact information can be found here.