The FAA has performed a security assessment of 70 of their web applications and found a large number of vulnerabilities. This doesn’t come as much of a surprise because most government agencies have not cracked down on software security. Besides the vulnerabilities, there are two things that bother me:
1. No Static Analysis – In the methodology section of the memo, it looks like KPMG only used penetration testing for this assessment. I’m not looking to start the typical static versus dynamic testing debate, but I was surprised that static analysis was not a component of this assessment. Automated penetration testing relies on the tool being used to find the vulnerabilities. Depending on the application, this type of testing could miss some critical vulnerabilities. Static analysis provides deeper analysis and can find vulnerabilities not detected by penetration testing tools. Not to mention, using static analysis early in the SDLC will decrease these vulnerabilities before they are released.
2. Separate Standards – In the memo, the writer mentions that the FAA uses “DOT Secure Web Application Standards”. The DoD has their standards, the DoT has their standards, NIST has standards, NSA has standards, etc. There really should be a standard that is applied to all agencies with a mandate from the President. Cybersecurity affects all agencies and we should all be on the same page.
It seems that Obama is taking a stand on cyber security and I hope they take this the right way.