
Case study

Ready, Aim, HP Fortify!

U.S. Army deploys application security regimen for munitions system

Industry
Public sector

Objective
Identify and eliminate vulnerabilities in the munitions management software application in order to ensure training superiority and achieve readiness objectives

Approach
Use HP Fortify software to help prevent attacks on the TAMIS system by accurately measuring the security risk level and fixing application vulnerabilities

IT matters
• Identified the TAMIS application's risk profile
• Reduced risk for the TAMIS project, within its funding and resource level

Business matters
• Effected a cultural shift in the TAMIS development process
• Established a development lifecycle approach to software security
• Enhanced the U.S. Army's security posture with a higher level of confidence

"HP Fortify offered a comprehensive application security approach that included detection and protection capabilities in a single package. In addition to HP Fortify SCA, we realized the power of dynamic analysis for an application that is up and running, which TAMIS clearly is."
Bob Torche, TAMIS Project Manager, U.S. Army
TAMIS is the web-enabled application used by the U.S. Army to manage munitions for wartime, training, and testing operations across the U.S. Armed Forces. Previously, the DoD's approach to IT security had been network-centric, with little attention given to vulnerabilities in its software applications. But, as part of an overarching Net-Centric Data Strategy, the Army selected HP Fortify as its application security solution provider in order to ensure training superiority and achieve readiness objectives.

Case study | TAMIS

The Total Ammunition Management Information System (TAMIS) is the U.S. Army application that manages conventional munitions for wartime, training, and testing operations across the U.S. Armed Forces: the Army, Marine Corps, and National Guard, as well as the Navy and Air Force when operating on Army installations.
TAMIS handles approximately 350,000 ammunition transactions per month from units located all around the world, supporting more than 7,000 authorized personnel who request, approve, and manage munitions. The web-enabled system calculates combat load requirements, validates and routes electronic requests, collects expenditures, and prepares forecasts. More than 50,000 munitions reports are generated each month on the nearly $3 billion in conventional ammunition authorizations managed each year.
The primary objectives of TAMIS are to improve munitions governance and to provide military personnel with essential analytical tools that enable a trained and ready armed force. The TAMIS application supports the Army's training and operational strategies by providing an essential web-enabled capability throughout all phases of the military's spectrum of operations. Employing a design structured for centralized management and decentralized execution, the system develops, calculates, and prioritizes requirements, ensures requisition and authorization data is accurate, and then makes this information available and usable on demand to authorized users without wait time.
TAMIS is managed by the Department of the Army G-37, Munitions Management Division. Maintaining training superiority and achieving readiness objectives required the Army to transform its business practices and information management processes as part of the overarching Net-Centric Data Strategy of the U.S. Department of Defense (DoD). TAMIS is not a new system. It was originally launched on a mainframe, migrated to Windows NT, and then to its present browser-driven application environment.
TAMIS operates in the Mission Assurance Category II sensitive level. As a result, much time and effort has been devoted to TAMIS development and network hardening solutions designed to prevent attacks against the application. However, application security wasn't always the highest priority for the TAMIS development team over the years, between rolling deadlines and user demands for new features. Eliminating vulnerabilities was regarded as a task best performed in the testing phase or at the end of development, if at all.

The Mission: A Holistic Approach to Software Risk Management
Before the TAMIS application security project, few in the wider U.S. Army community were thinking seriously about application security. While IT security as a practice has always been non-negotiable in matters of national security, the approach had been largely network-centric and had given little attention to software vulnerabilities present in many of the applications already in use throughout the DoD. The two bodies responsible for TAMIS network security were the U.S. Army Information Management Center, responsible for intrusion detection and firewalls, and the Pentagon's Vulnerability Assessment Branch, which periodically scans Army servers for necessary updates and fixes.
On the other hand, application code review was still manual and labor intensive, with few resources directed to application threat modeling or risk management during development. Training for software developers on vulnerability mitigation through secure coding practices was largely nonexistent. Still, TAMIS had a history of being specifically targeted in malicious attacks on a few occasions originating from China, India, and even Boston.
Then TAMIS Project Manager Bob Torche attended a workshop as part of a strategic initiative on Software Security Assurance conducted by the National Cyber Security Division of the U.S. Department of Homeland Security. The program helped him put his own project in perspective and armed him with the skills and disciplines necessary to implement source code analysis in TAMIS within his project's cost structure.
The TAMIS team had some specific requirements for its application security solution provider, which needed to be able to:
• Measure present vulnerability levels to ascertain the risk profile of the application
• Automate the source code analysis process
• Understand where and how the application was vulnerable, and prioritize the results
• Operate within the TAMIS Visual Studio integrated development environment to remediate vulnerabilities
• Illustrate quantitative reductions in vulnerability level over time, demonstrated by executive level reporting
• Progress the TAMIS team away from a checklist mentality toward a more holistic approach to risk management
• Train its .NET and C++ programmers on secure coding practices in their application environment, and monitor their future performance
Regulatory compliance mandates were also a huge consideration for the TAMIS team. Specifically, any chosen solution needed to help them meet the requirements set forth by the following initiatives:
1. The Defense Information Systems Agency's Application Security Technical Implementation Guides, or DISA-STIGs for short, are a set of application configuration standards that promote the development, integration and updating of secure applications required under DoD policy. All military software applications must comply with these standards as a matter of national security.
2. The National Institute of Standards and Technology 800 Series details federal government computer security policies, procedures, and guidelines. These guidelines assess and document threats and vulnerabilities and outline security measures to minimize the risk of adverse events.
3. The Federal Information Security Management Act (FISMA) requires each federal agency to develop, document, and implement an agency-wide program to provide information security for the information and information systems that support the operations and assets of the agency.
4. The DoD Information Assurance Certification and Accreditation Process (DIACAP) is the process that ensures risk management is applied on all DoD information systems. DIACAP defines a formal and standard set of activities, general tasks, and a management structure for the certification and accreditation of systems such as TAMIS that maintain an information assurance posture throughout their life cycle.
TAMIS needed to select an application security solution provider that understood each of these regulatory directives, and that could dynamically respond to address them.

The Strategy: Why HP Fortify Security Center Software?
Promoting greater software assurance practices was now regarded inside TAMIS as essential to reducing overall risk to the munitions management system. To accomplish this, the TAMIS team began a review of leading industry source code analyzers. HP Fortify made the short list. Initial market research identified six products to review, including HP Fortify, KlocWork, and IBM/Ounce, among others. They focused their evaluations on fixing, prioritizing, viewing, and reporting capabilities, as well as how well each product would integrate with their environment. In the end, it came down to HP Fortify and Ounce.
Bob Torche was impressed by what he had learned of HP Fortify and its HP Fortify Static Code Analyzer (SCA) software product at the cyber security workshop, but not convinced. He had his team run a test of HP Fortify SCA directly against TAMIS code, not only to examine its results but also to understand how the product would respond to their environment. He was overwhelmed by the number of vulnerabilities first detected, and soon realized the amount of effort that would be needed to address them. Further evaluation revealed that HP Fortify Security Center software offered benefits beyond just static code analysis.
Torche explains, "HP Fortify offered a comprehensive application security approach that included detection and protection capabilities in a single package. In addition to HP Fortify SCA, we realized the power of dynamic analysis for an application that is up and running, which TAMIS clearly is. We also understood that the run-time protection afforded by a full Software Security Assurance solution in the end would put us on the best possible footing. We became convinced that the best solution would address both our immediate needs as well as any future requirements that would emerge throughout the software development lifecycle."

The Attack: Divide & Conquer with Expert Support
After the selection of HP Fortify, the TAMIS team still had some hurdles to clear. Implementation involved installing HP Fortify SCA on each of the machines that developers use to run static analysis on their code and to upload results to the HP Fortify Security Center. The HP Fortify Security Center was used to maintain the rules pack, scan prerelease code during QA, and generate reports. HP Fortify engineers assisted with the installation process to tune the product for the TAMIS environment. TAMIS also engaged HP Fortify's support services to help review initial scan results with its developers, as the team needed some help prioritizing initial findings to isolate the most serious threats. The team found tuning Fortify Security Center for the individual application a bit time-consuming, but essential to its success. Finally, HP Fortify also completed two days of in-depth product training with 10 TAMIS developers.

"We found HP Fortify's support services to be first-class, from knowledgeable installation to informative staff training. Their involvement proved invaluable."
Bob Torche, TAMIS Project Manager, U.S. Army

Bob Torche firmly believes that expert support is essential to the success of a Software Security Assurance effort involving ongoing development on an application already in production. He elaborates, "We found HP Fortify's support services to be first-class, from knowledgeable installation to informative staff training. Their involvement proved invaluable to both a stable deployment as well as maintaining our deployment schedule. Problems were quickly resolved, resulting in an overall smooth and stable rollout within the planned timeframe."
TAMIS operates under an agile software development approach, but still the combination of maintaining the system (which is actually hosted by another Army agency), fixing bugs, and deploying new capabilities is a challenging balancing act. Today, the TAMIS team is responsible for understanding the application's ongoing risk profile, identifying real or emerging threats, and assuring all stakeholders that all potentially exploitable vulnerabilities are mitigated. TAMIS developers are tasked with actually fixing security issues while balancing the ongoing demands of a live system requiring functionality, data integrity, and availability. This frees the TAMIS project management team to focus upfront not only on functional requirements but also on security requirements.

The Results: Leading the AppSec Charge inside the DoD
Bob Torche believes, "It is this balancing act between fix and function that must be continually orchestrated for ongoing secure operations. The challenges of implementing an application security regimen on an already deployed web application, one that's undergoing continual development, mind you, required a cultural shift to be incorporated into our development process. Once the commitment is made, I recommend that organizations going down our road pursue change quickly, adopt best practices, and then follow through. It's about ultimately building a stronger application, but the challenge is keeping the wheels on the bus even as you improve the bus. That's the secret of our success with HP Fortify Security Center software."
With the HP Fortify solution, TAMIS has:
• Identified its risk profile. Specifically, HP Fortify is helping to reduce risk for the TAMIS project, within its funding and resource level.
• Enhanced its security posture. TAMIS has attained a higher level of confidence that its software is free from major vulnerabilities, which is the ultimate goal of software security assurance.
• Established a software development lifecycle approach. Security is now built into the TAMIS application from the beginning with established processes and procedures. According to a study by the National Institute of Standards and Technology (NIST), the cost and effort expended fixing security vulnerabilities in production software is up to 30 times more than addressing them during development.
As the U.S. Army strives to deliver net-centric information to enable superior warfighter decision-making, it continually adapts and refines TAMIS capabilities to meet the threat of the operational environment. Over the last three years, the system's sponsors have consolidated data and automated processes to align its munitions requirements processes with the Single Army Logistics Enterprise (SALE) effort. TAMIS is three-quarters of the way through its transformation. Next steps are to interface the system with the Global Combat Support System-Army and the Logistics Modernization Program, which are both essentially enterprise resource planning implementation projects.


TAMIS was the third successful implementation of HP Fortify software at the U.S. Army, which is also using HP Fortify solutions in its Communications and Electronics Command (CECOM) and Tank-Automotive & Armament Command (TACOM) systems. The Army now has 15 additional instances of HP Fortify Security Center up and running out of 25 total active projects. It has led to a sea change in acceptance for Software Security Assurance best practices at the DoD. Torche states its impact most succinctly when he says, "Static application security testing should be a mandatory requirement for all IT organizations that develop or procure applications."

About Total Ammunition Management Information System (TAMIS)
The Total Ammunition Management Information System (TAMIS) is the U.S. Army application that manages conventional munitions for wartime, training, and testing operations across the U.S. Armed Forces.

TAMIS handles 350,000 ammunition transactions per month from units located across the globe. The application supports more than 7,000 authorized personnel who request, approve, and manage munitions. TAMIS manages $3 billion in conventional ammunition authorizations annually.

About HP Enterprise Security
HP is a leading provider of security and compliance solutions for modern enterprises that want to mitigate risk in their hybrid environments and defend against advanced threats. Based on market leading products from ArcSight, Fortify, and TippingPoint, the HP Security Intelligence and Risk Management (SIRM) Platform uniquely delivers the advanced correlation, application protection, and network defense technology to protect today's applications and IT infrastructures from sophisticated cyber threats. Visit HP Enterprise Security at: hpenterprisesecurity.com.

Customer at a glance

Applications
Web-based ammunition management system

Software
• HP Fortify Software Security Center
• HP Fortify Static Code Analyzer

HP Services
• Installation, implementation, and tuning services
• Review of initial scan results
• In-depth product training


© 2011, 2013 Hewlett-Packard Development Company, L.P. The information contained herein is subject to change without notice. The only warranties for HP products and services are set forth in the express warranty statements accompanying such products and services. Nothing herein should be construed as constituting an additional warranty. HP shall not be liable for technical or editorial errors or omissions contained herein.
4AA3-6919ENW, October 2013, Rev. 1
