“You can have great policy, you can have great DOD directives and DOD instructions, but if it’s not in enforceable contract language, no one is going to pay attention to it.” — John Keane
Before my presentation at the Department of Homeland Security “Software and Supply Chain Assurance September Forum” in Washington, DC last week, I was able to catch up with John Keane, the security industry’s Software Angel of Death.
“I’m stunned by the number of people who try to make up excuses to do the harder wrong than the easier right. Unfortunately, that’s what we’re dealing with.” — John Keane
Listen to the full interview: John Keane – The Software Angel of Death
John and I discuss the idea of contracts, and enforceable contract language, that hold people accountable for what they develop. From there, we get into how developers can become more security conscious simply through the tools they use.
“I believe that you teach them (developers) by giving them tools that say, ‘No. The line of code should have been written this way.’” — John Keane
The third voice you hear is that of Jeff Deal, VP Government Sales at Sonatype. Jeff had some interesting questions on how to make development teams accountable after scanning has found vulnerabilities.
“After a short period of time, the developers learn not to just find and correct mistakes, they don’t make them in the first place because the tools are teaching them how to write better code.” — John Keane
Highlights from our Conversations
00:05 Security scanning during development
02:47 Enforceable contract language
04:54 DevOps and Agile (or really fast Waterfall)
06:22 Accountability after scanning through a software assurance manager
07:03 Automation of security in the IDE
09:33 Recognizable design patterns in software
12:54 The discipline of code development and managing legacy code
(There is a little background noise in the recording because we were standing in the lobby at the conference, having a conversation, and I turned my recorder on.)
About John Keane
IT Specialist in the Test and Independent Verification and Validation (T&IVV) office of the newly formed DoD/VA Interagency Program Office (IPO), which falls under the DoD TRICARE Management Agency (TMA).
John was just transferred from the equivalent position in the TMA Joint Medical Information Systems Office. The IPO was established in April 2008, as mandated by Section 1635 of the National Defense Authorization Act (NDAA) for Fiscal Year 2008 (FY08). The IPO acts as the single point of accountability for the development and implementation of electronic health record (EHR) systems and capabilities, and provides oversight and management of the delivery of interoperability goals and objectives.
John has a number of responsibilities, one of which is serving as the Software Code Quality Checking (SCQC) task manager. The SCQC project was nominated for the 2011 North America Government Sector Information Security Project of the Year. John was a Federal Computer Week Top 100 award winner in 1993 for his work in developing the DOD Technical Reference Model. John is a retired Army Officer with 20 years' service, and this is his second time in the government as a civil servant. During his first time as a civil servant, he was responsible for developing the DoD Technical Architecture Framework for Information Management (TAFIM), which was adopted by the Open Group as the TOGAF.