Enabling Software Assurance for DoD NCW Environments


1. Enabling Software Assurance for DoD NCW Environments
Bob Stow, VP Engineering & Technology, BAE Systems Inc
15 February, 2006 / Unclassified

2. BAE Systems: A Leading Defense Company with a Commanding Breadth of Capabilities

3. BAE Systems, Inc. Operating Groups
BAE Systems, Inc.: 45,000 employees, $10 billion sales
- ELECTRONICS & INTEGRATED SOLUTIONS: Electronic systems and subsystems for military and commercial applications. 19,000 employees, $4.5 billion sales
- CUSTOMER SOLUTIONS: Integrated service solutions for the U.S. national security and Federal civilian markets. 11,000 employees, $3.2 billion sales
- LAND & ARMAMENTS: Armored combat vehicles, naval guns and launchers, artillery systems & intelligent munitions. 14,000 employees, $2.4 billion sales
[Image: Bradley]
A portfolio of software intensive products and systems supporting customer needs

4. A Leader in Science, Technology and Performance Excellence
- High technology work force
  - Greater than 15,000 engineers
  - 45% operate in CMM 4/5 organizations (industry average 12%)
- Above industry average investment in R&D and high-tech facilities
- Productive partnerships with leading educational institutions in the U.S. and UK
- Established the Center for Performance Excellence to develop, embed and sustain a high-performance culture throughout the Company
- A record of innovation and technological breakthroughs from the dawn of flight and invention of the radio

5. Perspective on Enabling SwA in DoD applications
- Software assurance (SwA) relates to the level of confidence that software functions as intended and is free of vulnerabilities, either intentionally or unintentionally designed or inserted as part of the software.
- Industry leverages a mixture of COTS software with custom developed software for new DoD systems capabilities (e.g. GIG, NCW C4ISR systems) for DoD & Intel.
  - Driven to meet capability needs, affordable costs, and required development schedules.
  - Use of COTS varies from War Fighter systems to DoD Intel back office systems and defines total SwA scope (e.g. DCGS, Intelligence applications, GeoScout, JTRS, etc.).
- Systems and Software are closely linked in SwA needs and solutions.
- Flight Safety Software development (DO178B) is applicable to SwA initiatives (e.g. brick wall modular partitioned architectures in operating systems, critical path risk and vulnerability impact analysis, etc.).
- Consider COTS software version updates through trusted providers, avoiding direct commercial supplier automatic over-the-net updates for mission critical applications.
- Commercial software industry is driven by their business models, not DOD, while DOD industry is more directly driven by DOD needs in SwA.

6. Perspective on Enabling SwA in DoD applications
- SwA depends on execution of a disciplined software development process aimed at minimizing defects, with a focus on risk management in applying robust controls with diagnostic testing.
- Predictable project execution relies on Quantitatively Managed robust systems engineering & software processes (i.e. CMMI level 4) to control unintentional defects across the supply chain.
- Both defense and commercial market demands (faster, better, cheaper year on year) imply the need for Optimizing systems engineering through continuous improvement (i.e. CMMI level 5).
- Rapid Prototyping coupled with automated SwA testing of COTS and custom software builds mitigates risk of delivered products.
  - Coupled with Modeling and Simulation
  - To vet COTS products in addition to evaluating COTS suppliers
  - To regularly spiral in enhanced capability and version upgrades

7. Perspective on Enabling SwA in DoD applications
- Use of architectures provides a layered approach to developing software and spiraling in additional modular capability drops while maintaining SwA.
  - e.g. Use of the SCA as a requirement for Software Defined Radio (SDR) programs like JTRS promotes high levels of re-use throughout the product lifecycle while maintaining SwA.
  - SCA specifies a common distributed, embeddable, object-oriented, language-independent, platform-independent framework.
  - SCA specifies common software interfaces.
  - SCA provides a security architecture.
- Use of Design Patterns and OOA/D, UML, etc. to assure reusable, portable software -- Increases productivity by %
  - OOA/D provides a technology foundation for portable, re-useable software development.
  - UML provides a powerful and expressive common language to capture design principles.
  - Design Patterns provide re-useable concepts. Just as civil architects use pre-defined patterns for different parts of their structures to assure quality, Software Engineers use Communication Oriented Design Patterns to assure high quality and re-useable components.
  - Use Design Patterns for security vulnerability analysis.

8. Summary
- Need a common lexicon and Handbooks in SwA best practice.
- Apply Risk-Analysis-Test frameworks in development and maintenance of DOD critical software intensive systems.
- Apply architecture standards, vulnerability analysis, tools and prototyping.
- Apply disciplined CMMI processes to coupled systems and software development to minimize defects.
- Identify trusted providers for critical DOD applications.