The danger of not performing regular system-level analysis on software is that CIOs and their teams can remain ignorant of critical flaws and backdoor access to sensitive data that puts customers and users at risk. It may be surprising this isn’t a given in all organizations, but particularly when it comes to state agencies whose duty it is to protect and serve the public.
CAST was recently engaged with a certain Department of Motor Vehicles to perform due diligence on an external-facing application. As part of that process, we acted as white hats to identify unapproved access to the system and data. Before long, I realized I had in my hands on the metaphorical “keys to car.” I could have driven away with all kinds of precious data, including registered drivers’ sensitive personal information, like credit cards and social security numbers.
Though I’d like to tell you it was an unusual moment, it happens all too many times in our software-intelligence work.
Agencies are Driving in Different Lanes
Though I was ostensibly inside the app to provide an objective evaluation of its software quality and determine a quality base line, I discovered much more urgent issues. For example, the name of an executable file within the site’s architecture was available to most any user on the website. This poses a serious vulnerability: you don’t want to tell the Web what you’re running behind the scenes. Doing so lifts your weak spots to the surface and attacks can be targeted accordingly.
Additionally, the email address variable, among other pieces of vital information, was not scrubbed and so it could execute something against the database. And you know what? The agency had the right stuff already in hand (and in code) to protect itself, but it wasn’t using it, reflecting an all-too-common operational flaw – an inherent lack of Software Intelligence around blind spots and non-compliant access.
Step Away from the Vehicle
How can this happen in a large state agency, which has its own CIO and security chief? A tragic coalescence of factors conspires:
- The typical state government culture is based on continuity—and not always in a good way. Large legacy mainframe systems (and the people who run them) may stay in place together for decades, creating the appearance of efficiency, security, and harmony.
- Long-term employees carry institutional knowledge with them – and retire. And with their departure, all that proprietary knowledge along with them to the golf course. In the case I’ve just described, the developer who wrote this app retired a long time ago–in fact, he may be at the 18th hole as you read this.
- Agencies exist in silos. Each may go about performing a similar—or identical—process entirely differently, cobbling together what works for that person, at that agency, at that time. Each is in desperate in need of a second set of eyes to help to think differently and obtain objective, fresh insights.
Crashin’ Down the Silos
Software Intelligence solutions can help state agencies suffering from such silo-driven issues. For example, CAST Highlight and the CAST Applications Intelligence Platform can work alone or in tandem to address isolated operations and software quality and security concerns.
Think of these tools like taking a metal detector across your applications with Highlight. Then, when you hear “the beep,” you can dive in and address the problem with AIP. The result: increased transparency that helps you to better understand what you've got (for example, complex and redundant code), saving time and money. Routing out such redundancies and complexities also has a positive trickle-down effect on security and risk mitigation, since fewer points of entry mean fewer potential breach opportunities.
What’s in Store Down the Road?
Moving on from its well-intentioned missteps of the past, the state agency I was reviewing wanted us to do an app-by-app analysis of its enterprise, which called for an assessment of its legacy software’s overall health. What would they sunset and what could they modernize? And what about developing replacements for those retired applications?
What’s more, since the organization is losing ASP support for its applications as of 2020, it must shift to a Java environment. This move reflects a wise decision to mainstream development tools for the long-term. That way, long-lasting apps can survive, long after their human caretakers catch the last plane to Fort Lauderdale and their umbrella drinks.