WSO2Con US 2013 - Weapons Free: Open Source Solutions to Programmatic and Operational Challenges Faced by the Defense and Intelligence Communities in the Age of Sequestration


Slide 1: Weapons Free! Open Source Solutions to Programmatic and Operational Challenges Faced by the Defense and Intelligence Communities in the Age of Sequestration
Prepared for WSO2Con 2013
Prepared by Adam Firestone, Director of Solutions, WSO2 Federal Systems, Inc.

Slide 2: Weapons Free
• Weapons Control Status
  – The three levels of weapons control status (WCS) outline the conditions, based on target identification criteria, under which friendly elements may engage. The commander sets and adjusts the weapons control status based on friendly and enemy disposition. In general, a more restrictive WCS relates to a higher probability of fratricide. The three levels, in descending order of restriction, are:
    ● WEAPONS HOLD (Engage only if engaged or ordered to engage)
    ● WEAPONS TIGHT (Engage only targets positively identified as enemy)
    ● WEAPONS FREE (Engage any targets not positively identified as friendly)
• From US Army Field Manual 3-21.10

Slide 3: Agenda
• Legal and Policy Basis for Government Use of Open Source Software
• Open Source and the Big 5 Government IT Challenges
• Open Source Cybersecurity

Slide 4: It Isn’t Shareware.com!
• Many misconceptions about open source software (OSS); a few examples:
  – “It’s a security risk.”
  – “I need a commercial product. This isn’t commercial!”
  – “It’s a threat to innovation!”
  – “The use of OSS is contrary to DoD information assurance regulations.”

Slide 5: All in the Name of Liberty
• OSS freedoms:
  – Run the software for any purpose
  – Study the software
  – Modify the software
  – Freely redistribute copies of the original or modified software without royalties to the original author

Slide 6: A Rose by Any Other Name
• Synonyms
  – Free software
  – Libre software
  – Free and open source software (FOSS)
  – Free-libre open source software (FLOSS)
• Antonyms
  – Proprietary software
  – Closed software

Slide 7: Why SHOULD the Government Use OSS?
• Lower risk
  – Possibility of detailed evaluation when you have the source code
• Lower TCO
  – Freely distributable at no additional cost
  – Shared development costs
  – Freedom from vendor lock-in
• Fit for purpose
  – Can be modified for special purposes and to counter attacks

Slide 8: Comparing GOTS, Proprietary Software and OSS

  Support Strategy | Cost    | Flexibility | Risks
  -----------------|---------|-------------|------------------------------------------------------------------------
  GOTS             | High    | High        | Become obsolescent (government bears all costs & can’t afford them)
  Proprietary      | Medium  | Low         | Abandonment & high cost if monopoly
  OSS              | Low*    | High        | * Can be as costly as GOTS if fail to build/work with developer community

Slide 9: DoD OSS Policy Memo (16 OCT 2009)
a. In almost all cases, OSS meets the definition of “commercial computer software” and shall be given appropriate statutory preference in accordance with 10 USC 2377…
b. Executive agencies, including the DoD, are required to conduct market research [which should] include OSS… There are positive aspects of OSS that should be considered…
c. DoDI 8500.2 control “DCPD-1 Public Domain Software Controls,” doesn’t forbid the use of OSS
d. Ensure that the plan for software support (e.g., commercial or Government program office support) is adequate for mission need.
e. Government is not always obligated to distribute the source code of any modified OSS to the public

Slide 10: DoD OSS Policy Memo (16 OCT 2009)
e. Software source code and associated design documents are “data”… and therefore shall be shared across the DoD as widely as possible
f. Software items, including code fixes and enhancements, developed for the Government should be released to the public (such as under an open source license) when:
  – The project manager, program manager, or other comparable official determines that it is in the Government’s interest to do so, such as through the expectation of future enhancements by others.
  – The Government has the rights to reproduce and release the item, and to authorize others to do so.
  – The public release of the item is not restricted by other law or regulation

Slide 11: Myth: OSS is not Commercial Software / Reality: OSS is Commercial
• Nearly all OSS are commercial items
• U.S. Law (41 USC 403), FAR, & DFARS
  – Commercial item is:
    ● (1) Any item, other than real property, that is of a type customarily used by the general public or by non-governmental entities for purposes [not government-unique], and
      – (i) Has been sold, leased, or licensed to the general public; or
      – (ii) Has been offered for sale, lease, or license to the general public...
  – Intentionally broad; "enables the Government to take greater advantage of the commercial marketplace” [DoD AT&L]

Slide 12: Myth: OSS is not Commercial Software / Reality: OSS is Commercial
• U.S. Law (41 USC 403), FAR, DFARS require preference of commercial items (inc. COTS) & NDI:
  – Agencies must
    ● (a) Conduct market research to determine [if] commercial items or nondevelopmental items are available …
    ● (b) Acquire [them when available]
    ● (c) Require prime contractors and subcontractors at all tiers to incorporate, to the maximum extent practicable, [them] as

Slide 13: Myth: OSS Conflicts with DoD IA Policy / Reality: DoD IA Policy Supports OSS
• DoDI 8500.2 DCPD-1 "Public Domain Software Controls” is often misinterpreted
  – People read THIS:
    ● “Binary or machine executable ... software products and other software products with limited or no warranty such as those commonly known as freeware or shareware are not [to be] used in DoD information systems ...”
  – But forget to read the SECOND PARAGRAPH:
    ● “[because they’re] difficult or impossible to review, repair, or extend, given that the Government does not have access to the original source code and there is no owner who could make such repairs on behalf of the Government.”
• Doesn’t apply to OSS! The source code is available!

Slide 14: Myth: Proprietary is Always More Secure / Reality: Open Design is a Security Advantage
• Saltzer & Schroeder [1974/1975] - Open design principle: the protection mechanism must not depend on attacker ignorance
• Security by obscurity doesn’t halt attacks; thorough review makes code more secure
• BUT
  – OSS developers/reviewers need security knowledge
  – The code must be reviewed
  – Problems must be fixed

Slide 15: Myth: Proprietary is Always More Secure / Reality: Open Design is a Security Advantage
• Borland InterBase/Firebird Back Door
  – user: politically, password: correct
  – Hidden for 7 years in proprietary product
  – Found after release as OSS in 5 months
  – Unclear if malicious, but has its form
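The InterBase case above is a fixed username/password pair compared against string literals inside the login path. As an added example (not from the slides or from Borland/Firebird), the review step slide 14 calls for can be partly automated: the hypothetical scanner below flags string-literal comparisons against credential-like identifiers in C-style source. The sample input is constructed to mirror the shape of such a back door, not the real InterBase code.

```python
import re
from typing import List, Tuple

# Constructed sample of C-like login code (NOT the real InterBase source):
# a fixed account is accepted before the real database check runs.
SAMPLE_SOURCE = """\
int check_login(const char *user, const char *password) {
    if (strcmp(user, "politically") == 0 && strcmp(password, "correct") == 0)
        return 1;   /* undocumented maintenance account */
    return verify_against_db(user, password);
}
"""

# Identifiers whose comparison against a literal suggests a built-in credential.
CRED_NAMES = re.compile(r"\b(user(?:name)?|pass(?:word|wd)?|pwd|login)\b", re.I)

# strcmp/strncmp/memcmp(ident, "literal")  or  ident == "literal"
LITERAL_CMP = re.compile(
    r"(?:strn?cmp|memcmp)\s*\(\s*(\w+)\s*,\s*\"([^\"]*)\""
    r"|(\w+)\s*==\s*\"([^\"]*)\""
)


def find_hardcoded_credentials(source: str) -> List[Tuple[int, str, str]]:
    """Return (line_no, identifier, literal) for every literal compared
    against a credential-like identifier. Heuristic: it only catches the
    direct-comparison pattern, so a clean result is not proof of absence."""
    findings: List[Tuple[int, str, str]] = []
    for line_no, line in enumerate(source.splitlines(), start=1):
        for m in LITERAL_CMP.finditer(line):
            ident = m.group(1) or m.group(3)
            literal = m.group(2) if m.group(1) is not None else m.group(4)
            if CRED_NAMES.search(ident):
                findings.append((line_no, ident, literal))
    return findings


if __name__ == "__main__":
    for line_no, ident, literal in find_hardcoded_credentials(SAMPLE_SOURCE):
        print(f"line {line_no}: {ident} compared against literal {literal!r}")
```

A hit means a reviewer should read the surrounding function; each finding is a candidate for manual confirmation, not a verdict.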
Slide 16: Myth: OSS is Unsupported / Reality: OSS is Commercially Supported
• Businesses support OSS!
  – WSO2, Red Hat, Novell, HP, IBM, DMSolutions, SourceLabs, OpenLogic, Carahsoft, ...
• Average OSS developer: 30 years old, 11 years of experience
• OSS does not mean no cost
  – Training, support, transition, etc. are not free of cost
  – Competition often produces lower TCO & higher ROI for OSS

Slide 17: Some US Government OSS Policies
• OMB policy “Technology Neutrality” (2011-01-07)
  – “agencies should analyze alternatives that include… open source”
  – Updates OMB-04-16 (2004-07-01) = OSS okay in federal government
• DOD policy “Clarifying guidance regarding Open Source Software (OSS)” + FAQ (2009-10-16)
  – Makes clear OSS can be used, counters misconceptions
  – Updates May 2003 memo
• Consumer Financial Protection Bureau’s Source Code Policy
  – Released 2012-04, reuses DoD 2009 policy
  – Two parts, “use of external OSS” & “Redistribution”
  – http://www.consumerfinance.gov/developers/sourcecodepolicy/
• cendi.gov, e.g., “Frequently Asked Questions about Copyright and Computer Software” http://www.cendi.gov/publications/09-1FAQ_OpenSo

Slide 18: The Big 5
• Transformation and Integration of Legacy Systems
• Integration and Exploitation of Heterogeneous Data Sources
• Secure Multi-Level Information Sharing
• Optimizing Certification and Accreditation Activities
• Modernization and Automation of Software Verification and Validation

Slide 19: Transformation
[Figure: legacy components (Command Authority, Routing System, Targeting System, Planning System, Delivery Platform, Weapon) linked through proprietary message formats and unstructured data]

Slide 20: Transformation Solution Concept
Collapse multiple components into a single, distributed, service oriented system
[Figure: Targeting App, Routing App, Threat Analysis App, Mission Planning App, ISR App and Tasking App on an Enterprise Integration Platform]

Slide 21: Transformation Solution Components
Enterprise Integration Platform

Slide 22: Transformation Solution Architecture

Slide 23: Integration of Heterogeneous Data Sources
[Figure: Consuming System, Service or Application connected to WSO2 Data Services Server (“DAL in a Box”) over HTTP, HTTPS, JMS, SMTP, FTP, FTPS, SFTP and TCP; the server fronts SQL, NoSQL, CSV, ODS, RDF and Web Page sources]

Slide 24: Secure Multilevel Information Sharing

Slide 25: Optimizing Certification and Accreditation
Where C&A Fits in the Process Today
Dream It → Plan It → Build It → Test It → Submit to C&A → PANIC! PANIC! → Receive C&A Results → Spend Lots of $ and Time

Slide 26: Optimizing Certification and Accreditation
Front End Loading C&A
[Figure: Continuous Deployment, Project and Team Management, Software development workflow, Governance and Compliance, Test Automation, Continuous Integration, Development Dashboards, Continuous Build, Develop Code, Source Control, Issue Tracking]

Slide 27: Modernizing Verification and Validation

Slide 28: Modernizing Verification and Validation
Only the Audience Changes
[Figure: same pipeline as slide 26: Continuous Deployment, Project and Team Management, Software development workflow, Governance and Compliance, Test Automation, Continuous Integration, Development Dashboards, Continuous Build, Develop Code, Source Control, Issue Tracking]

Slide 29: It’s a Dangerous Cyber World, Folks

Slide 30: The Most Dangerous Threat is Still the Insider

Slide 31: Managing the Insider Threat

Slide 32: A Quick Recap
• Open source is commercial software and fully applicable to defense, intelligence and other government requirements
• Open source effectively responds to today’s top government IT challenges
• Open source can mitigate today’s key cybersecurity threats

Slide 33: Contact
• Adam Firestone
  – Director of Solutions
  – WSO2 Federal Systems
  – 703-879-5176
  – adam@wso2federal.com

Slide 34: Thank You
