States of Chaos: Can a Hacker Steal Your Agency’s Wheels?

by Kyle Christiansen

The danger of not performing regular system-level analysis on software is that CIOs and their teams can remain ignorant of critical flaws and backdoor access to sensitive data that put customers and users at risk. It may be surprising that this isn’t a given in all organizations, and it is particularly troubling when it comes to state agencies whose duty it is to protect and serve the public.

CAST was recently engaged by a certain Department of Motor Vehicles to perform due diligence on an external-facing application. As part of that process, we acted as white hats to identify unapproved access to the system and its data. Before long, I realized I had in my hands the metaphorical “keys to the car.” I could have driven away with all kinds of precious data, including registered drivers’ sensitive personal information, like credit card and social security numbers.

Though I’d like to tell you it was an unusual moment, it happens all too often in our software-intelligence work.

Agencies are Driving in Different Lanes

Though I was ostensibly inside the app to provide an objective evaluation of its software quality and determine a quality baseline, I discovered much more urgent issues. For example, the name of an executable file within the site’s architecture was visible to almost any user of the website. This poses a serious vulnerability: you don’t want to tell the Web what you’re running behind the scenes. Doing so lifts your weak spots to the surface, and attacks can be targeted accordingly.

Additionally, the email address variable, among other pieces of vital information, was not sanitized, so input supplied through it could be executed against the database. And you know what? The agency already had the right controls in hand (and in code) to protect itself, but it wasn’t using them, reflecting an all-too-common operational flaw – an inherent lack of Software Intelligence around blind spots and non-compliant access.
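The email-field weakness described above, as an added example (not the agency’s code, which this post does not show): an unsanitized lookup beside a hardened version that validates the field and binds it as a query parameter. It is written in Python with sqlite3 and constructed sample rows so it runs offline; the post’s application is ASP, but the defect and the fix look the same in any language.

```python
import re
import sqlite3

# Constructed sample data for the demonstration, not records from any agency.
SAMPLE_ROWS = [
    ("alice@example.com", "Alice", "1234"),
    ("bob@example.com", "Bob", "5678"),
]


def make_db():
    """Build an in-memory table shaped like a drivers lookup."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE drivers (email TEXT, name TEXT, ssn_last4 TEXT)")
    conn.executemany("INSERT INTO drivers VALUES (?, ?, ?)", SAMPLE_ROWS)
    return conn


def lookup_unsafe(conn, email):
    """Vulnerable: the submitted value is spliced into the SQL text, so a
    value containing quote characters changes the query itself. A malformed
    address can return every row instead of one driver's record."""
    sql = f"SELECT name FROM drivers WHERE email = '{email}'"
    return [row[0] for row in conn.execute(sql)]


# Shape check for an address: letters, digits and a few punctuation marks
# on either side of a single '@'. Quotes and semicolons never pass.
EMAIL_RE = re.compile(r"^[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}$")


def is_valid_email(email):
    return bool(EMAIL_RE.fullmatch(email))


def lookup_safe(conn, email):
    """Hardened: reject input that is not shaped like an address, then bind
    it as a parameter so the database driver treats it strictly as data."""
    if not is_valid_email(email):
        raise ValueError("invalid email address")
    rows = conn.execute("SELECT name FROM drivers WHERE email = ?", (email,))
    return [row[0] for row in rows]
```

Either check alone narrows the hole; the parameter binding is what closes it, and the shape check keeps garbage out of the logs and the database.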

Step Away from the Vehicle

How can this happen in a large state agency, which has its own CIO and security chief? A tragic coalescence of factors conspires:

  • The typical state government culture is based on continuity—and not always in a good way. Large legacy mainframe systems (and the people who run them) may stay in place together for decades, creating the appearance of efficiency, security, and harmony.
  • Long-term employees carry institutional knowledge with them – and retire. With their departure, all that proprietary knowledge goes along with them to the golf course. In the case I’ve just described, the developer who wrote this app retired a long time ago–in fact, he may be at the 18th hole as you read this.
  • Agencies exist in silos. Each may go about performing a similar—or identical—process entirely differently, cobbling together what works for that person, at that agency, at that time. Each is in desperate need of a second set of eyes to help it think differently and obtain objective, fresh insights.

Crashin’ Down the Silos

Software Intelligence solutions can help state agencies suffering from such silo-driven issues. For example, CAST Highlight and the CAST Applications Intelligence Platform can work alone or in tandem to address isolated operations and software quality and security concerns.

Think of these tools like taking a metal detector across your applications with Highlight. Then, when you hear “the beep,” you can dive in and address the problem with AIP. The result: increased transparency that helps you better understand what you've got (for example, complex and redundant code), saving time and money. Rooting out such redundancies and complexities also has a positive trickle-down effect on security and risk mitigation, since fewer points of entry mean fewer potential breach opportunities.

What’s in Store Down the Road?

Moving on from its well-intentioned missteps of the past, the state agency I was reviewing wanted us to do an app-by-app analysis of its enterprise, which called for an assessment of its legacy software’s overall health. What would they sunset, and what could they modernize? And what about developing replacements for those retired applications?

What’s more, since the organization is losing ASP support for its applications as of 2020, it must shift to a Java environment. This move reflects a wise decision to mainstream development tools for the long term. That way, long-lasting apps can survive, long after their human caretakers catch the last plane to Fort Lauderdale and their umbrella drinks.

Kyle Christiansen, Technical Solutions Architect
Kyle Christiansen is a Technical Solutions Architect at CAST and has more than a decade of experience as a software engineer and team manager. He has designed systems and product architectures to deliver personalized, secure and highly available apps.