Ready, Aim, HP Fortify!




“HP Fortify offered a comprehensive application security approach that included detection and protection capabilities in a single package. In addition to HP Fortify SCA, we realized the power of dynamic analysis for an application that is up and running, which TAMIS clearly is.” – Bob Torche, TAMIS Project Manager, U.S. Army

TAMIS is the web-enabled application used by the U.S. Army to manage munitions for wartime, training, and testing operations across the U.S. Armed Forces. Previously, the DoD’s approach to IT security had been network-centric, with little attention given to vulnerabilities in its software applications. But, as part of an overarching “Net-Centric Data Strategy,” the Army selected HP Fortify as its application security solution provider in order to ensure training superiority and achieve readiness objectives.

Case study

U.S. Army deploys application security regimen for munitions system

Industry: Public sector

Objective: Identify and eliminate vulnerabilities in the munitions management software application in order to ensure training superiority and achieve readiness objectives

Approach: Use HP Fortify software to help prevent attacks on the TAMIS system by accurately measuring the security risk level and fixing application vulnerabilities

IT matters
• Identified the TAMIS application’s risk profile
• Reduced risk for the TAMIS project, within its funding and resource level

Business matters
• Effected a cultural shift in the TAMIS development process
• Established a development lifecycle approach to software security
• Enhanced the U.S. Army’s security posture with a higher level of confidence


Case study | TAMIS

The Total Ammunition Management Information System (TAMIS) is the U.S. Army application that manages conventional munitions for wartime, training, and testing operations across the U.S. Armed Forces—the Army, Marine Corps, and National Guard, as well as the Navy and Air Force when operating on Army installations.

TAMIS handles approximately 350,000 ammunition transactions per month from units located all around the world, supporting more than 7,000 authorized personnel who request, approve, and manage munitions. The web-enabled system calculates combat load requirements, validates and routes electronic requests, collects expenditures, and prepares forecasts. More than 50,000 munitions reports are generated each month on the nearly $3 billion in conventional ammunition authorizations managed each year.

The primary objectives of TAMIS are to improve munitions governance and to provide military personnel with essential analytical tools that enable a trained and ready armed force. The TAMIS application supports the Army’s training and operational strategies by providing an essential web-enabled capability throughout all phases of the military’s spectrum of operations. Employing a design structured for centralized management and decentralized execution, the system develops, calculates, and prioritizes requirements, ensures requisition and authorization data is accurate, and then makes this information available and usable on demand to authorized users without wait time.

TAMIS is managed by the Department of the Army G-37, Munitions Management Division. Maintaining training superiority and achieving readiness objectives required the Army to transform its business practices and information management processes as part of the overarching “Net-Centric Data Strategy” of the U.S. Department of Defense (DoD). TAMIS is not a new system. It was originally launched on a mainframe, migrated to Windows NT, and then to its present browser-driven application environment.

TAMIS operates at Mission Assurance Category (MAC) II, Sensitive. As a result, much time and effort has been devoted to TAMIS development and network “hardening” solutions designed to prevent attacks against the application. However, between rolling deadlines and user demands for new features, application security wasn’t always the highest priority for the TAMIS development team over the years. Eliminating vulnerabilities was regarded as a task best performed in the testing phase or at the end of development, if at all.

The Mission: A Holistic Approach to Software Risk Management

Before the TAMIS application security project, few in the wider U.S. Army community were thinking seriously about application security. While IT security as a practice has always been “non-negotiable” in matters of national security, the approach had been largely network-centric and had given little attention to the software vulnerabilities present in many of the applications already in use throughout the DoD. The two bodies responsible for TAMIS network security were the U.S. Army Information Management Center, responsible for intrusion detection and firewalls, and the Pentagon’s Vulnerability Assessment Branch, which periodically scans Army servers for necessary updates and fixes.

Application code review, on the other hand, was still manual and labor intensive, with few resources directed to application threat modeling or risk management during development. Training for software developers on vulnerability mitigation through secure coding practices was largely nonexistent. Even so, TAMIS had on a few occasions been specifically targeted by malicious attacks originating from China, India, and even Boston.

Then TAMIS Project Manager Bob Torche attended a workshop as part of a strategic initiative on Software Security Assurance conducted by the National Cyber Security Division of the U.S. Department of Homeland Security. The program helped him put his own project in perspective and armed him with the skills and disciplines necessary to implement source code analysis in TAMIS within his project’s cost structure.

The TAMIS team had some specific requirements for its application security solution provider, which needed to be able to:

• Measure present vulnerability levels to ascertain the risk profile of the application

• Automate the source code analysis process

• Understand where and how the application was vulnerable, and prioritize the results


• Operate within the TAMIS Visual Studio integrated development environment to remediate vulnerabilities

• Illustrate quantitative reductions in vulnerability level over time, demonstrated by executive level reporting

• Progress the TAMIS team away from a “checklist mentality” toward a more holistic approach to risk management

• Train its .NET and C+ programmers on secure coding practices in their application environment, and monitor their future performance

Regulatory compliance mandates were also a huge consideration for the TAMIS team. Specifically, any chosen solution needed to help them meet the requirements set forth by the following initiatives:

1. The Defense Information Systems Agency’s (DISA) Application Security Technical Implementation Guides, or DISA STIGs for short, are a set of application configuration and development standards that promote the development, integration, and updating of secure applications as required under DoD policy. All military software applications must comply with these standards as a matter of national security.

2. The National Institute of Standards and Technology (NIST) Special Publication 800 series details federal government computer security policies, procedures, and guidelines. These guidelines assess and document threats and vulnerabilities and outline security measures to minimize the risk of adverse events.

3. The Federal Information Security Management Act (FISMA) requires each federal agency to develop, document, and implement an agency-wide program to provide information security for the information and information systems that support the operations and assets of the agency.

4. The DoD Information Assurance Certification and Accreditation Process (DIACAP) is the process that ensures risk management is applied on all DoD information systems. DIACAP defines a formal and standard set of activities, general tasks, and a management structure for the certification and accreditation of systems such as TAMIS that maintain an information assurance posture throughout their life cycle.

TAMIS needed to select an application security solution provider that understood each of these regulatory directives and could respond to them as they evolved.

The Strategy: Why HP Fortify Software Security Center Software?

Promoting greater software assurance practices was now regarded inside TAMIS as essential to reducing overall risk to the munitions management system. To accomplish this, the TAMIS team began a review of leading industry source code analyzers, and HP Fortify made the short list. Initial market research identified six products to review, including HP Fortify, Klocwork, and IBM/Ounce, among others. The team focused its evaluation on fixing, prioritizing, viewing, and reporting capabilities, as well as how well each product would integrate with the TAMIS environment. In the end, it came down to HP Fortify and Ounce.

Bob Torche was impressed by what he had learned about HP Fortify and its HP Fortify Static Code Analyzer (SCA) product at the cyber security workshop, but not yet convinced. He had his team run HP Fortify SCA directly against the TAMIS code, not only to examine its results but also to understand how the product would behave in their environment. He was overwhelmed by the number of vulnerabilities detected in that first scan, and quickly realized how much effort would be needed to address them. Further evaluation revealed that HP Fortify Software Security Center software offered benefits beyond static code analysis alone.

Torche explains, “HP Fortify offered a comprehensive application security approach that included detection and protection capabilities in a single package. In addition to HP Fortify SCA, we realized the power of dynamic analysis for an application that is up and running, which TAMIS clearly is. We also understood that the run-time protection afforded by a full Software Security Assurance solution in the end would put us on the best possible footing. We became convinced that the best solution would address both our immediate needs as well as any future requirements that would emerge throughout the software development lifecycle.”

The Attack: Divide & Conquer with Expert Support

After the selection of HP Fortify, the TAMIS team still had some hurdles to clear. Implementation involved installing HP Fortify SCA on each of the machines that developers use, so that they could run static analysis on their code and upload the results to HP Fortify Software Security Center. Software Security Center was used to maintain the Rulepacks, scan pre-release code during QA, and generate reports.

HP Fortify engineers assisted with the installation process and tuned the product for the TAMIS environment. TAMIS also engaged HP Fortify’s support services to review initial scan results with its developers, as the team needed help prioritizing the initial findings to isolate the most serious threats. The team found that tuning Software Security Center for the individual application was somewhat time-consuming, but essential to its success. HP Fortify also delivered two days of in-depth product training to 10 TAMIS developers.
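The deployment described above (SCA on each developer machine, results uploaded to Software Security Center, QA scans and reports generated centrally) is, in practice, a short translate / scan / upload script run from the build or QA machine. The script below is an added example, not TAMIS’s own tooling and not code from this case study. The build ID `tamis-web`, the solution name `Tamis.sln`, the SSC URL, the application name `TAMIS` and version `QA` are assumed placeholders; the `sourceanalyzer`, `fortifyclient` and `-build-label` invocations are the documented SCA/SSC command-line forms, so confirm them with `-help` on the release you run. When the Fortify tools are not on the PATH the script only prints the commands it would run.

```shell
#!/usr/bin/env bash
# Added example: Fortify SCA translate / scan / upload pipeline for a
# Visual Studio (.NET) application, feeding HP Fortify Software Security
# Center (SSC). Not TAMIS's script; every value below is an assumption.
set -eu

BUILD_ID="${BUILD_ID:-tamis-web}"                  # assumed SCA build ID
SOLUTION="${SOLUTION:-Tamis.sln}"                  # assumed Visual Studio solution
FPR="${FPR:-${BUILD_ID}.fpr}"                      # scan results (Fortify Project Results)
SSC_URL="${SSC_URL:-https://ssc.example.mil/ssc}"  # assumed SSC URL
SSC_APP="${SSC_APP:-TAMIS}"                        # assumed SSC application name
SSC_VERSION="${SSC_VERSION:-QA}"                   # assumed SSC application version
SSC_TOKEN="${SSC_TOKEN:-}"                         # SSC upload token, from the environment only

# Dry-run (print the exact commands, execute nothing) when DRY_RUN=1 or when
# the Fortify tools are not installed on this machine.
if ! command -v sourceanalyzer >/dev/null 2>&1; then DRY_RUN=1; fi
DRY_RUN="${DRY_RUN:-0}"

run() {
  if [ "$DRY_RUN" = 1 ]; then printf '%s\n' "$*"; else "$@"; fi
}

# 1. Translation: SCA wraps the real build so it sees every file the
#    compiler sees. -clean discards any stale intermediate files for the ID.
fortify_translate() {
  run sourceanalyzer -b "$BUILD_ID" -clean
  run sourceanalyzer -b "$BUILD_ID" devenv "$SOLUTION" /REBUILD Release
}

# 2. Analysis: produce the FPR that developers open in the Visual Studio
#    plug-in or Audit Workbench. -build-label ties results to a source revision
#    so that trend reports in SSC compare like with like.
fortify_scan() {
  run sourceanalyzer -b "$BUILD_ID" -scan -build-label "${BUILD_LABEL:-dev}" -f "$FPR"
}

# 3. Upload to SSC, where the Rulepacks are managed and reports are generated.
#    Refuse a real upload without a token rather than failing half-way.
fortify_upload() {
  if [ "$DRY_RUN" != 1 ] && [ -z "$SSC_TOKEN" ]; then
    echo "SSC_TOKEN is not set; refusing to upload $FPR" >&2
    return 1
  fi
  run fortifyclient uploadFPR -file "$FPR" -url "$SSC_URL" \
      -authtoken "${SSC_TOKEN:-\$SSC_TOKEN}" \
      -application "$SSC_APP" -applicationVersion "$SSC_VERSION"
}

fortify_pipeline() {
  fortify_translate
  fortify_scan
  fortify_upload
}

fortify_pipeline
```

Keep the token out of the script and out of source control (it is read from `SSC_TOKEN` and, in dry-run output, shown only as the variable name). Older SSC releases spelled the upload target as `-project`/`-version` rather than `-application`/`-applicationVersion`, which is why the flags should be checked against the installed `fortifyclient`.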


Bob Torche firmly believes that expert support is essential to the success of a Software Security Assurance effort involving ongoing development on an application already in production. He elaborates, “We found HP Fortify’s support services to be first-class, from knowledgeable installation to informative staff training. Their involvement proved invaluable to both a stable deployment as well as maintaining our deployment schedule. Problems were quickly resolved, resulting in an overall smooth and stable rollout within the planned timeframe.”

TAMIS operates under an agile software development approach, but the combination of maintaining the system (which is actually hosted by another Army agency), fixing bugs, and deploying new capabilities is still a challenging balancing act. Today, the TAMIS team is responsible for understanding the application’s ongoing risk profile, identifying real or emerging threats, and assuring all stakeholders that all potentially exploitable vulnerabilities are mitigated. TAMIS developers are tasked with actually fixing security issues while balancing the ongoing demands of a live system that requires functionality, data integrity, and availability. This frees the TAMIS project management team to focus upfront not only on functional requirements but also on security requirements.

The Results: Leading the App Sec Charge inside the DoD

Bob Torche believes, “It is this balancing act between fix and function that must be continually orchestrated for ongoing secure operations. The challenges of implementing an application security regimen on an already deployed web application—one that’s undergoing continual development, mind you—required a cultural shift to be incorporated into our development process. Once the commitment is made, I recommend that organizations going down our road pursue change quickly, adopt best practices, and then follow through. It’s about ultimately building a stronger application, but the challenge is keeping the wheels on the bus even as you improve the bus. That’s the secret of our success with HP Fortify Security Center software.”

With the HP Fortify solution, TAMIS has:

• Identified its risk profile. Specifically, HP Fortify is helping to reduce risk for the TAMIS project, within its funding and resource level.

• Enhanced its security posture. TAMIS has attained a higher level of confidence that its software is free from major vulnerabilities, which is the ultimate goal of software security assurance.

• Established a software development lifecycle approach. Security is now built into the TAMIS application from the beginning with established processes and procedures. According to a study by the National Institute of Standards and Technology (NIST), the cost and effort expended fixing security vulnerabilities in production software is up to 30 times more than addressing them during development.

As the U.S. Army strives to deliver net-centric information to enable superior warfighter decision-making, it continually adapts and refines TAMIS capabilities to meet the threat of the operational environment. Over the last three years, the system’s sponsors have consolidated data and automated processes to align its munitions requirements processes with the Single Army Logistics Enterprise (SALE) effort. TAMIS is three-quarters of the way through its transformation. Next steps are to interface the system with the Global Combat Support System-Army and the Logistics Modernization Program—which are both essentially enterprise resource planning implementation projects.


© 2011, 2013 Hewlett-Packard Development Company, L.P. The information contained herein is subject to change without notice. The only warranties for HP products and services are set forth in the express warranty statements accompanying such products and services. Nothing herein should be construed as constituting an additional warranty. HP shall not be liable for technical or editorial errors or omissions contained herein.

4AA3-6919ENW, October 2013, Rev. 1


TAMIS was the third successful implementation of HP Fortify software at the U.S. Army, which also uses HP Fortify solutions in its Communications-Electronics Command (CECOM) and Tank-automotive and Armaments Command (TACOM) systems. The Army now has 15 additional instances of HP Fortify Software Security Center up and running out of 25 total active projects. This has led to a sea change in acceptance of Software Security Assurance best practices at the DoD. Torche states its impact most succinctly: “Static application security testing should be a mandatory requirement for all IT organizations that develop or procure applications.”

About Total Ammunition Management Information System (TAMIS)

The Total Ammunition Management Information System (TAMIS) is the U.S. Army application that manages conventional munitions for wartime, training, and testing operations across the U.S. Armed Forces.

TAMIS handles 350,000 ammunition transactions per month from units located across the globe. The application supports more than 7,000 authorized personnel who request, approve, and manage munitions. TAMIS manages $3 billion in conventional ammunition authorizations annually.

About HP Enterprise Security

HP is a leading provider of security and compliance solutions for modern enterprises that want to mitigate risk in their hybrid environments and defend against advanced threats. Based on market leading products from ArcSight, Fortify, and TippingPoint, the HP Security Intelligence and Risk Management (SIRM) Platform uniquely delivers the advanced correlation, application protection, and network defense technology to protect today’s applications and IT infrastructures from sophisticated cyber threats. Visit HP Enterprise Security at: hpenterprisesecurity.com.


Customer at a glance

Applications
• Web-based ammunition management system

Software
• HP Fortify Software Security Center
• HP Fortify Static Code Analyzer

HP Services
• Installation, implementation, and tuning services
• Review of initial scan results
• In-depth product training