Page 40 - GCN, Oct/Nov 2016

with the gun that fired it is a critical tool for law enforcement, and such forensics have traditionally relied on careful case-by-case comparisons by an experienced examiner.

Hands-on examination by highly trained specialists does not scale, however, so the National Institute of Standards and Technology has developed a high-tech, open-access and crowdsourced solution called the Ballistics Toolmark Research Database to help modernize that process.

Drawing on ballistics data from the FBI’s reference firearms collection and other participating law enforcement agencies, NIST is building a vast collection of high-resolution virtual models of fired bullets. Test-fired bullets and cartridge cases, along with information on the guns that fired them, are sent to NIST, where lab technicians scan the samples using a microscope that produces a high-resolution, 3-D topographic surface map. The result is a virtual model of the physical object.

The surface maps produce more detailed comparison data than the 2-D images traditionally used to match bullets. They also remove many of the ambiguities that can cloud traditional matches, helping law enforcement agencies speed their investigations.

In addition, the growing library gives researchers the data to develop new identification methods and advance the forensics even further.

The way NIST set about developing the ballistics database is also noteworthy.

The Laboratory Information Systems Team created a business plan to use existing IT resources to provide full systems development capabilities in-house. Officials used LIST’s fixed budget to fund a multiyear, flexible contract for software development support.

That approach allowed NIST to obtain project management, business analysis, hosting, software development, product deployment and maintenance — as well as support for Federal Information Security Management Act requirements — at lower fixed hourly rates than any contract vendor could offer.

— Troy K. Schneider

Cybersecurity

Defending collaboration across DOD

The Fortify for Forge program gives the Defense Department’s Forge.mil users secure, rapid and cost-effective access to up-to-date software security assessment tools

It’s not easy to fend off the cybercriminals, hacktivists and powerful nation-states that would see breaching the Defense Department’s cyber defenses as a major coup.

Those hackers have learned to take advantage of vulnerabilities in software to exploit IT systems and access mission-critical data.

But through its recent software assurance initiative, the Defense Information Systems Agency has found a better way to contend with potential vulnerabilities that can allow bad actors to break into DOD networks.

Working with Hewlett Packard Enterprise’s Fortify on Demand group, DISA’s Forge.mil Fortify for Forge (F3) program gives DOD users secure, rapid and cost-effective access to up-to-date software security assessment tools.

Forge.mil F3 is the first DOD program to deliver “software assurance as a service” without requiring software licenses or training to use the tools to manage the process.

Instead, F3 is a pay-as-you-go model where users can have their code scanned for vulnerabilities and then discuss the findings and recommendations with a software assurance expert so they can quickly make the required changes to the code.

The program was based on feedback from DISA’s survey of its users. “Almost unanimously, users told [DISA] that they needed better security assessment tools and capabilities,” said John Farrell, Fortify specialist for advanced programs at Hewlett Packard Enterprise Security.