Insight by Synack

Software development and continuous testing are the wind beneath the F-35’s wings

The team behind the F-35 Joint Strike Fighter have one mission, and that is to keep the operation of the jet safe for the warfighters who rely on it. 

Federal Insights — Best Practices in Secure Software Development — 05/21/24

As warfare moves between the physical and digital battlefield, the software powering military aircraft like the F-35 Joint Strike Fighter acts as both a weapon and a fortress.  Beyond the aluminum alloys, steel, titanium and glass fiber composites that make up the F-35, there is a flying network of computers with a team of software engineers whose job is to innovate and protect the knowledge behind it.

At the core of this defense, lies the team from Lockheed Martin, their suppliers, the Department of Defense, and specifically the F-35 Joint Program Office. F-35 software engineers operate behind DoD firewalls, and depending on what part of the aircraft is being examined, a different team is responsible. This mix of contributors magnifies the daily challenge of creating software that can withstand cyber attacks from all corners of the globe.

“Another complex part of the F-35 program office is we do have disparate development environments. We do have to integrate at some point. I’ll be honest, there are some cases where we have to use hard drives to transfer information to consolidate and integrate the information. So we are working within the program office to make that more efficient and effective,” Jenny Tsao, chief data and software officer for the F-35 Joint Program Office said on Federal Insights — Best Practices in Secure Software Development.

“That’s what makes the software development a little bit complex, because not only are we getting software development and code from Lockheed Martin, but they are also getting something from their suppliers, and they have to integrate all of that into the entirety of the jet.” Taos said.

The F-35 office relies on third party penetrating testing. While this is a joint program that includes all of the armed services, and the Air Force and Navy both pay into the program, each branch within the DoD is considered a third party when it comes to vulnerability testing.

“There are software engineering groups within the Air Force and within the Navy, so if we develop a set of code internally, we’ll do vulnerability testing and scanning on our own, but we’ll also invite another software engineering group at the Air Force, at another location, to do penetration testing, just to cover the basics. Tsao said.

The team also leverages some of the Army’s testing capabilities. Tsao’s team engages the DevSecOps community in a practice that encourages learning and innovating together. With respect to national security risks, security is integrated into every aspect of the software development lifecycle. Each step of the process sees  the cyber security team, and later subject matter experts within the team that ensures the code being implemented is secure.

“We obviously need to support the software and ensure that it’s still good to go. So we’re working with our industry partners on software sustainment and what that might look like in terms of getting all the equipment and the software and the processes to be done by government engineers.” Tsao said.

The F-35 Office splits development into quarters, and initiatives that get broken down into tasks for individual developers. Some of those developers are contractors and even subcontractors, but the Authorization to Operate (ATO) imposes boundaries. When vulnerabilities are found, they sometimes require operations be shut down for patching. Tsao said testing is often done by parts or components, and rarely by the whole system. “Right now, we partner with industry to do the whole system testing.”

The DevSecOps infrastructure team steps in so that each time a change is made, it goes through a technical review board and a change configuration board, that then votes on changes that are made.

“It first goes into a sandbox environment where there’s no real data and it’s isolated. And then we move that code to a non-production environment where we might use real data or sensitive data, but it’s still contained, before we talk about moving it to production or a live environment.” Tsao said.

The team behind the F-35 Joint Strike Fighter have one mission, and that is to keep the operation of the jet safe for the warfighters who rely on it.

“At the end of the day, its about getting the jets in the air. It’s about ensuring that our warfighters and anyone else’s warfighters who’s partnering with us or purchasing the jet are safe. And you know the components on the jet are good to go. Tsao said. “There are a lot of things that we need to do with respect to ensuring that our systems are authorized and working the way they should be.”



Copyright © 2024 Federal News Network. All rights reserved. This website is not intended for users located within the European Economic Area.

Related Stories