On Jan. 4, 2008, administrators from four Pennsylvania agencies noticed new links on public-facing web applications. As part of the commonwealth’s cybersecurity incident response plan, they contacted the Office of Administration’s Office for Information Technology to investigate.
Once the incident was resolved, it was crucial to ensure that this type of attack could not recur. We conducted an internal risk assessment that uncovered an unacceptable number of applications susceptible to SQL injection attacks. It was clear that we needed to proactively evaluate web applications for potential security vulnerabilities before placing them in production environments.
We developed a process known as the Commonwealth Application Certification and Accreditation, or CA2, modeled on the National Institute of Standards and Technology’s Guide for the Security, Certification and Accreditation of Federal Information Systems. We re-engineered it to fit our development life cycle and, in so doing, began building security controls into applications as they are developed — rather than applying security tools after the fact — translating into significant savings in later remediation.
The Keystone to Our Approach
CA2 consists of four phases:
• Initiation: Agencies complete a gap assessment to determine if web applications comply with Pennsylvania’s policies, procedures and standards. The assessments are submitted to a team of enterprise architects and security analysts who determine if risks exist in the application’s security architecture.
• Certification: Agencies conduct source code scans that help identify security risks, design flaws, policy violations and common coding errors.
• Accreditation: Agencies complete application and host vulnerability scans to ensure that servers have current security patches and that applications are not susceptible to attacks that may have been missed by source code scans.
• Finishing: Agencies validate that nothing has changed since an application was first submitted. This phase also ensures that all stakeholders are aware of applications that are going into production.
A Proper Payoff
The benefits from CA2 have been significant, immediate and tangible. Since its inception, approximately one-third of applications reviewed have benefited from security enhancements prior to production. CA2 has also translated into real cost savings. An assessment of a single application, for example, revealed that more than 350,000 sensitive records (including names, birth dates and Social Security numbers) were unsecured. If breached, this application not only would have placed these individuals at risk, but also could have cost the state more than $31 million to notify each person and pay for credit monitoring, according to Gartner.
We believe so firmly in our success that we contributed to an open-source web application to streamline the certification process. The application contains questionnaires and assessments; coordinates efforts of reviewers; organizes attachments and reports; and provides a mechanism for dialogue between reviewers and agencies. The site also contains descriptive materials, installation instructions, video and a database. Government offices can download information from http://www.cybersecurity.state.pa.us.
Brenda Orth is CIO of the commonwealth of Pennsylvania.