- Acquisitions staffing reform;
- Baked-in INFOSEC;
- Automated auditing and monitoring; and
- The use of open source software.
Acquisitions Staffing Reform
- Requirements stemming from authoritative laws, regulations, policies and guidance (LRPG);
- A DoD-wide library of modular, standards-based, approved INFOSEC implementation patterns; and
- DevOps principles of continuous integration and automated testing.
Open source software has an added security benefit that is particularly compelling. Specifically, open design and source code enable broad-based, detailed code inspection and the rapid detection of both flaws and threats. The idea that proprietary software is more secure because the source code is hidden just doesn’t stand up to scrutiny. NIST’s selection of the Rijndael block cipher as the Advanced Encryption Standard (AES) in 2000 followed a nearly three-year process in which a number of algorithms were publicly discussed, debated and cryptanalyzed. In another case, Borland published and widely sold the InterBase database for seven years. In 2000, InterBase was open-sourced as the Firebird project. Within five months of the product being open-sourced, a hard-coded backdoor (username “politically,” password “correct”) was discovered.
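The kind of inspection this paragraph credits to open source can be partly automated, which also ties in with the "automated auditing and monitoring" item above. The Python below is an added example, not code from the original document or from any product it names: it scans source text for credential-like identifiers that are assigned to, or compared against, string literals, which is the shape a hard-coded login takes. The identifier stems, the constructed C-style sample and the finding format are assumptions made for illustration.

```python
"""Added example (not from the original document): a minimal static scan for
hard-coded credentials in source text. The credential name stems, the sample
snippet and the finding format are assumptions made for illustration."""
from __future__ import annotations

import re
from dataclasses import dataclass

# Identifier stems that commonly name credential-bearing variables (assumption;
# a real scanner would ship a longer, tuned list).
CREDENTIAL_STEMS = r"(?:user(?:name)?|pass(?:word|wd)?|secret|token|api_?key)"

# Assignment of a string literal to a credential-like identifier,
# e.g.  password = "hunter2"   or   const char *svc_password = "...";
ASSIGNMENT_RE = re.compile(
    rf"\b(?P<name>\w*{CREDENTIAL_STEMS}\w*)\s*=\s*(?P<quote>['\"])(?P<value>.*?)(?P=quote)",
    re.IGNORECASE,
)

# Direct comparison against a string literal, e.g.  if user == "admin"
COMPARISON_RE = re.compile(
    rf"\b(?P<name>\w*{CREDENTIAL_STEMS}\w*)\s*(?:==|!=)\s*(?P<quote>['\"])(?P<value>.*?)(?P=quote)",
    re.IGNORECASE,
)

# C-style comparison via strcmp, e.g.  strcmp(pass, "letmein") == 0
STRCMP_RE = re.compile(
    rf"strcmp\(\s*(?P<name>\w*{CREDENTIAL_STEMS}\w*)\s*,\s*(?P<quote>['\"])(?P<value>.*?)(?P=quote)",
    re.IGNORECASE,
)


@dataclass(frozen=True)
class Finding:
    line_no: int
    identifier: str
    literal: str
    kind: str  # "assignment" or "comparison"


def scan_for_hardcoded_credentials(source: str) -> list[Finding]:
    """Return every credential-like identifier bound to a non-empty string literal."""
    findings: list[Finding] = []
    for line_no, line in enumerate(source.splitlines(), start=1):
        stripped = line.strip()
        # Skip comment-only lines (assumption: '//' or '#' comment syntax; this also
        # skips C preprocessor lines, which carry no credentials in this sample).
        if stripped.startswith(("//", "#")):
            continue
        for m in ASSIGNMENT_RE.finditer(line):
            # An empty literal is a placeholder, not a secret; don't report it.
            if m.group("value"):
                findings.append(Finding(line_no, m.group("name"), m.group("value"), "assignment"))
        for regex in (COMPARISON_RE, STRCMP_RE):
            for m in regex.finditer(line):
                findings.append(Finding(line_no, m.group("name"), m.group("value"), "comparison"))
    return findings


# Constructed sample source, not real product code. It mixes a legitimate
# lookup, a role check that should NOT be flagged, an undocumented maintenance
# login that should, and an empty default that should be ignored.
SAMPLE_SOURCE = """\
// Constructed sample for illustration, not real product code.
#include <string.h>
static const char *service_name = "dbserver";
static const char *svc_password = "shared-secret-1";
int authenticate(const char *user, const char *pass) {
    if (lookup_account(user, pass)) return 1;
    if (strcmp(role, "admin") == 0) return 1;
    // Undocumented maintenance login.
    if (strcmp(user, "maint_user") == 0 && strcmp(pass, "maint_pass") == 0) return 1;
    return 0;
}
char *default_password = "";
"""


if __name__ == "__main__":
    for f in scan_for_hardcoded_credentials(SAMPLE_SOURCE):
        print(f"line {f.line_no}: {f.kind} of {f.identifier!r} to literal {f.literal!r}")
```

Running the block reports three findings: the literal assigned to `svc_password` on line 4 and the two `strcmp` comparisons of `user` and `pass` on line 9; the `role` check, the `service_name` string and the empty `default_password` produce no noise. A pattern scan like this is a cheap first pass that a reviewer with source access can run continuously; it does not replace reading the authentication path, but it makes the maintenance-login pattern hard to miss.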