Blackstone Federal Services

Additional Info

Job title of nominated professional (or team name): Blackstone Federal Services
Company (where nominated professional or team is working): Blackstone Technology Group
Website: http://www.bstonetech.com/what-we-do/government-consulting/
Company size (employees): 100 to 499
Country: United States

Overview

As the world’s citizens go mobile, so should their government.

There is no question that mobile devices and applications have radically changed how we communicate, interact, seek resources to solve problems, entertain ourselves and, importantly, conduct business. Because citizens are quickly adopting an “app lifestyle,” mobile applications are a requirement if the government is to connect with citizens and employees and enable those employees to do their jobs in a format in which they are increasingly effective. However, applications introduce inherent security, privacy and regulatory risk (public apps contain 14 vulnerabilities, on average*), especially because Federal applications would be developed by different developers. The Department of Homeland Security (DHS) contracted with Blackstone Technology Group to identify and create a process that could aid developers in empowering groups across the Department in building secure, powerful apps. Thus, CARWASH was born.

CARWASH is a cloud-enabled framework for developers to create safer applications. The solution automates scanning of mobile apps (iOS and Android apps) with up to eight scanning tools. An easy-to-use web interface allows users to upload their mobile app to be scanned, leverage features that assist with the security approval process and see a repository of their scan reports.

By developing CARWASH in collaboration with multiple agency partners, Blackstone Technology Group helped enable DHS to securely manage mobile application development to engage with their workforce and the public. Fast forward to today, and:
• CARWASH is open to all participating federal agencies
• DHS now requires CARWASH as part of the Privacy Threshold Analysis process
• More than 150 mobile apps have been run through CARWASH, including several dozen government-developed apps from different agencies
• Because CARWASH is a shared hosted service, it allows different groups to avoid the cost of managing their own testing capability

* Application Security Trends Report, Cenzic, 2014

Accomplishments

Innovation Defined: CARWASH is the result of an innovative partnership pairing multiple government agencies and private industry to solve a critical security need. Faced with an urgent challenge of ensuring mobile application security across a broad range of functions, departments and divergent developers, Blackstone Technology Group (BTG), under the leadership of DHS OCIO, assembled advanced tools with existing processes in play at NIST to establish a systematic, centralized resource: a cloud framework for secure mobile application development – a first to include tools mapping to the NIAP Protection Profile for Mobile Applications.


BTG Enables Creative Minds at DHS: DHS's talented technologists had the initial foresight to see mobile app security as being critical, and to invest in building CARWASH. By creating a centralized resource using tools such as AppVet, created by NIST for DARPA, BTG could foster innovation across all DHS components by providing a path to secure mobile application development. The process allows for application development that limits errors across all groups by providing ongoing monitoring of application flaws or vulnerabilities through continuous testing and reporting. Divergent groups within the DHS are saved from the significant capital expenditure and expertise required for creating and implementing their own testing frameworks. As a result, developers are free to dream up future applications, assured of their ability to create these in a safer and more secure manner.


Ensuring Future Needs: With mobile technology and threats advancing, BTG and partners engineered the nimble cloud framework to integrate future developments in vulnerability testing and threats into CARWASH. Administrators of the system may leverage both SaaS and on-premises scanners for automated vulnerability assessment and compliance purposes. By enhancing secure building practices and application security across DHS, further application development is flourishing, with more than 150 mobile apps run through CARWASH to date.