Certification and Accreditation for Your Open Government Applications

Date posted: 21-Jan-2015
Uploaded by: acquia

Description:
Open source systems introduce new uncertainties into the certification and accreditation (C&A) process for information systems. Join Acquia, GDIT and Carahsoft for a complimentary webcast where we will discuss: * How Acquia and their partners at GDIT have developed an approach to certifying and accrediting systems built on Drupal and the LAMP stack * The processes and tools used to classify your system according to FISMA and NIST guidelines * How to develop and verify the required controls for your Drupal-based system * Experiences that have developed Acquia’s approach * Surprising similarities between the C&A process for open and closed source systems
Transcript
Page 1: Certification and Accreditation for Your Open Government Applications

Certification & Accreditation for Your Open Government Applications

Chuck D’Antonio and Jason Ingalls

Page 2

Acquia Introduction

Drupal expertise

Enterprise software and government services experience

60+ employees

Acquia, the Enterprise Guide to Drupal

Page 3

Web Application Development Security

Security Testing

Incident Response

GDIT, Information Assurance Experts

Page 4

© 2009 Acquia, Inc.

Help! I need to C&A my Drupal site!

How do I assure trust in Open Source software?

Will I need a new set of processes and controls?

What resources are available to me?

Page 5

Myths of Drupal & Open Source Security

PHP is less secure than ...

Open Source is easier to attack

Lack of resources such as documentation and versioning information for Open Source

There aren’t a lot of C&A resources available

Pages 6-9 (one slide, built up over four pages)

Myths of Drupal & Open Source Security

PHP is as or more secure than other available dynamic web engines out there. Security is a process, not a product.

Open Source means massive collaboration, high visibility, and a large pool of resources for vulnerability discovery and remediation.

Documentation exists for Open Source in many different forms, not necessarily what could be considered traditional knowledge bases.

Publications from NSA, DISA, etc.

Page 10

Components of a successful C&A packet

System boundaries

Security Categorization

Risk Analysis

System Security Plan

System Test and Evaluation

Plan of Action and Milestones

Page 11

C&A Tools and Processes

Make your C&A packet work for you

Integrate reviews early in your system lifecycle

Use a mix of tools to validate your controls:

Coding standards

Code analysis

Functional tests

Scanners

Fuzzers

Leverage available information

Page 12

Our collaborative approach to C&A

Incorporate security expertise into your development team

Collaborate on controls and remediation

Include C&A activities in your project milestones

Address security issues with each development iteration

Page 13

Developing the right controls

Don’t over-engineer your controls

Leverage your existing policies & procedures

Focus on the entire system

Define validation plans in parallel with controls

Take advantage of the Drupal community

Page 14

Take advantage of available support

Community security patches and bulletins

Clear processes for addressing vulnerabilities

Commercial vendors

Formal channels to report and resolve issues

Guaranteed levels of response

Addresses many of the concerns of the C&A process

Page 15

Bringing the process to completion

Verify

Ensure your statements have been demonstrated

Review

Fix those errors!

Finalize

Get sign off by process owners

Submit

Maintain records

Page 16

Obtaining your ATO

Launch

Follow the POA&M

Maintain the Packet

Ensure compliance

Perform reviews

Page 17

Questions and More Information

For more information, visit us at:

http://acquia.com

http://twitter.com/acquiagov

Contact Acquia:

[email protected]@acquia.com

888-9-ACQUIA

Contact presenters:

[email protected]@acquia.com

[email protected]@gdit.com

For additional Open Government resources, visit:

http://acquia.com/government

Sign up for a free 30-day Acquia Network trial:

http://acquia.com/trial