5 Steps to Improving Aerospace and Defense Cybersecurity
Today’s military aerospace and defense program offices are assessing and rethinking their approach to cybersecurity. With growing geopolitical uncertainty in lockstep with the rising sophistication of cybersecurity threats, delivering secure systems has become central to national defense procurement and commercial aerospace strategies.
To meet the requirements of program managers and consumers alike, military and aerospace manufacturers must adopt secure development practices and maintain evidential proof that cybersecurity risks are mitigated.
Whether you’re supporting a government program or commercial enterprise, this blog provides a checklist toward improving your cybersecurity processes for software development.
Top 5 Steps to Improve Cybersecurity in Aerospace and Defense Software
Read along or jump ahead to the section that interests you most:
- 1. Know Where Cyber Threats Come From
- 2. Make Cybersecurity a Development Priority
- 3. Simplify Cybersecurity Testing with Known Standards
- 4. Minimize Development Impacts with Automation
- 5. Secure Your Software Supply Chain
1. Know Where Cyber Threats Come From
Aside from user behavior, like falling for phishing scams, there are two ways that vulnerabilities are introduced into software. A flaw in design or architecture, such as the lack of user authentication, can introduce a potential attack surface. Or there could be a mistake in source code that leads to a vulnerability, like an injection attack.
Given the complexity and multi-source nature of military and aerospace procurement, these flaws can be introduced at any point in the supply chain. Whether prime contractor or supplier, it’s good practice to ensure all software sources are thoroughly examined for potential vulnerabilities:
- Legacy code – The de-facto source for many systems, older code poses unique cybersecurity challenges for aerospace and defense manufacturers, like the absence of prior testing and lack of current technical support.
- New development – Theoretically the best time to apply the latest security techniques, but project budgets and release pressures tend to thwart the best intentions.
- Open source software (OSS) – Prolific and growing in use; however, the easy accessibility of OSS makes it the perfect target for malicious actors.
- Commercial-Off-the-Shelf (COTS) – Without strict requirements and proper testing, integrating COTS software may also incorporate undetected vulnerabilities.
2. Make Aerospace and Defense Cybersecurity a Development Priority
Aligning cybersecurity strategies between the development team and the business means selecting and implementing a process that adapts to emerging threats and market dynamics alike, such as those processes recommended in the SWAP Report. This includes investments into training and tools that minimize both developer effort and the likelihood of vulnerabilities entering the code base.
Developers already know what needs to be done. Our State of Aerospace And Defense Software Development Survey identified what they want prioritized in cybersecurity budgets: training and better ways to enforce secure coding practices without impacting development time.
3. Simplify Cybersecurity Testing with Known Standards
A common understanding and set of guidelines help your team check code for vulnerabilities and establishes your right to play with customers. With many known cybersecurity standards in aerospace and defense, you don’t need to research and create your own tests – simply follow and enforce the coding practices that match.
These security standards include:
- CWE - The Common Weakness Enumeration (CWE) Top 25 is a community-developed list of the most widespread and critical weaknesses that attackers exploit.
- DISA STIG - The Defense Information Systems Agency (DISA) Security Technical Implementation Guide (STIG) provides guidance on how an organization should handle and manage security software and systems.
- OWASP - The Open Web Application Security Project (OWASP) Top 10 lists critical security risks for applications, based on analyzing the exploits most often used by hackers and causing the most damage.
- MISRA and MISRA C:2012 - MISRA provides coding guidelines for C and C++ that ensure code is safe and secure. The MISRA C:2012 addenda include guidelines to strengthen security by identifying how each MISRA rule maps to the secure coding rules in ISO/IEC TS 17961:2013 and CERT C.
4. Minimize Development Impacts with Automation
More standards shouldn’t mean more developer responsibilities. Past cybersecurity efforts were largely run by manual, time-consuming tests but today’s automation techniques – static analysis (SA) in particular – are ideally suited to keep pace with changing code bases and evolving cyber threats.
The benefits of automating compliance for aerospace and defense cybersecurity standards run from greater accuracy in tests prone to human error to the consistent application of rules across the entire code base. The biggest advantage that cybersecurity SAST tools, like Perforce’s Klocwork, have is making developers’ lives easier by analyzing source code to find vulnerabilities and identify gaps in compliance across the entire code base. By analyzing source code as it’s being written and supporting the speed of DevSecOps with built-in capabilities, such tools reduce cybersecurity risks without impacting release timelines.
5. Secure Your Software Supply Chain
"The Federal Government must take action to rapidly improve the security and integrity of the software supply chain, with a priority on addressing critical software.”
Supply chain attacks will only continue to grow as programs increase their need for diverse technologies and decrease their spend on big, monolithic software providers. Third-party risks can be introduced by suppliers, vendors, open source projects, and others with whom today’s connected systems are built.
Integrating secure risk management into development processes starts with visibility, enabled by aerospace and defense cybersecurity testing tools that can validate newly procured software and audit existing code. The benefits go up the chain too – ensuring that your product is secure instills greater confidence with your customer.
Your Roadmap to Improving Aerospace and Defense Cybersecurity
As software complexity soars, so will the frequency of attacks in the field. Ensuring vulnerabilities are detected and remediated before release means looking toward tools that support automated standards compliance — without impacting development timelines. Klocwork supports application security improvement for aerospace and defense by detecting code vulnerabilities, compliance issues, and rule violations early in the development pipeline.
📕 For a deeper dive into the cybersecurity strategies presented here, download our latest white paper, “How to Improve Cybersecurity for Tomorrow’s Aerospace and Defense Needs.”