Finding Vulnerabilities


Challenge
This large government agency had hired a vendor to develop a public-facing application that included personally identifiable information and managed payments for hundreds of providers. The client needed to ensure that the application was meeting stakeholder expectations and was being built properly, and hired Elemental Solutions to provide independent verification and validation (IV&V) services.

Solution
In the process of our review, we discovered a number of potential problems. First, the vendor had made no differentiation in the deployment view between the internal and external functions, with the same code running on the Web servers for both. Doing so could allow hackers to initiate fraudulent payments, and we recommended rebuilding the software to address the problem. We also found that the vendor had developed proprietary Java frameworks for several essential functions, yet was not providing the client with the source code; this meant that our client could not maintain its own system. We recommended addressing this by redeveloping the functions using open source code.

Results
Our client is now looking at commissioning a full IV&V and Certification & Accreditation process to make sure that no unintended functionality is available through its public-facing Internet. In addition, it is exploring the redevelopment of the system to replace proprietary frameworks with open source equivalents, providing more reliable functionality and allowing it complete control over maintenance.

Copyright © 2008 Elemental Solutions. All rights reserved.