Finding Vulnerabilities

This large government agency had hired a vendor to develop a public-facing application that included personally identifiable information and managed payments for hundreds of providers. The client needed to ensure that the application was meeting stakeholder expectations and that it was being built properly and hired Elemental Solutions to conduct IV&V services.

In the process of our review, we discovered a number of potential problems. First, the vendor had made no differentiation in the deployment view between the internal and external functions, with the same code running on the Web servers for both. Doing so could allow hackers to initialize fraudulent payments, and we recommended rebuilding the software to address the problem. We also that the vendor had developed proprietary Java frameworks for several essential functions, yet were not providing the client with the source code; this meant that our client could not maintain its own system. We recommended addressing this by redeveloping the functions using open source code.

Our client is now looking at commissioning a full IV&V and Certification & Accreditation process to make sure that no unintended functionality is available through its public-facing Internet. In addition, they are exploring the redevelopment of the system to replace proprietary frameworks with equivalent open source equivalents, providing more reliable functionality and allowing them complete control over maintenance.

Copyright © 2008 Elemental Solutions. All rights reserved.
email  |  site map