Technique | How the 'Wild West' was won

USAID uses an online inspection tool to help tame its scattered systems.

The Agency for International Development traces its roots back to the post-World War II Marshall Plan for rebuilding Europe, and was established as an independent agency in 1961.

'When our IT began there wasn't a network, let alone an Internet,' said chief information security officer Phil Heneghan. 'You had the Wild West,' with software development being done in a variety of coding languages at sites scattered around the world.

Today the agency operates six networks serving sites in 80 countries. Complying with federal privacy requirements and ensuring security meant reining in this environment, and Heneghan wanted a tool to review the code on the networks to look for bugs and vulnerabilities.

'We wanted to find out what we were exposed to,' he said. 'But the problem we set out to solve was not the one we ended up solving.'

It turned out that examining all that code in all those languages was too complex a job to swallow in one bite.

'We said, "Let's not worry about the past. Let's look at the future." ' The future was the Web. Senior officials at USAID had been pushing for more applications to be Web-enabled, 'because we were so distributed.'

For the past year the agency has been using the WebInspect tool from SPI Dynamics Inc. of Atlanta to scan for and correct security flaws in its Web applications. The agency gave up a little bit in opting for application scanning rather than a full code analysis, said Bill Geimer, program manager with the USAID contractor Open System Sciences of Newington, Va. 'But you carve it up into a problem you can solve.'

The result has been better security on the public-facing sites operated by USAID.

'There's tons of problems,' Heneghan said. 'But as soon as we started giving our administrators the data, we started getting compliance almost overnight.'

The agency began reining in its online environment about 18 months ago. The first step was to simply find out what was out there.

'We had to find everything and inventory it,' Heneghan said.

Some USAID sites were using the .org domain instead of .gov, some were improperly using cookies and some had been set up to process donations for other organizations. Cleaning up a lot of this was fairly straightforward: it was either allowed or it wasn't. But assessing vulnerabilities was a subtler problem, and goals had to be adjusted to conform to capabilities.

'We were looking for a tool to help look for security vulnerabilities in the code,' Geimer said. 'We found that they are language-specific.'

Without a standardized development environment, USAID had code written in too many languages to effectively address them all. 'We couldn't really get our arms around it with a strict code assessment,' Geimer said, so the decision was made to look at the application instead, and to focus on the Web.

This is becoming a more common security tactic, said Caleb Sima, CTO of SPI Dynamics. Several years ago, the usual route for a hacker into an enterprise was through network vulnerabilities.

'Today, most of those problems are being solved,' Sima said. 'Hackers have moved to the next level, which is Web security.'

These public-facing sites often have links into the enterprise and contain weaknesses opening them to attacks such as SQL injection, in which malformed data submitted in SQL queries can be used to exploit vulnerabilities, or cross-site scripting, in which disguised or hidden links can direct a browser to unknown sites.

'Developers of Web applications are not security people,' Sima said.

USAID selected WebInspect after evaluating more than a dozen scanning tools. 'About 18 months ago, that was the best choice for us,' said John Kemon, information security analyst for Open System Sciences.

Rather than searching for signatures, the WebInspect scanning engine works like an automated hacker, using known techniques and methods to find vulnerabilities. If it finds a problem, such as input data not being validated, it will experiment with commands for SQL injection to determine what is accepted and what types of manipulation are allowed. The engine is updated regularly to keep it abreast of new techniques.

USAID uses 12 WebInspect scanners to check its six networks, all managed from a central Assessment Management Platform server. Setting it up and making it operational was easy, Kemon said. There were no big problems, only minor bugs to work out.

The scanner not only found security problems, it also replaced a number of other point solution tools used for tasks such as measuring Section 508 compliance, finding broken links and looking for cookies.

'By getting this, we were able to get rid of a lot of other tools,' Heneghan said. 'They were useful, but from a management point of view, it was a nightmare.'

In its first phase of operations, the agency is using WebInspect to find and correct problems in spot-checks of existing applications.

'We're still trying to clean up all of the old applications,' Heneghan said.

Once that has been achieved, the next phase will be ongoing, regularly scheduled scans to make sure that all applications stay secure. The third phase will be to include vulnerability scans as a regular part of the development process for quality assurance.

'We're doing that on an as-called basis now,' Heneghan said. 'When the programmers see it, they love it.'
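As an added illustration of the unvalidated-input flaw the scanner probes for (example code written for this page, not USAID's or SPI Dynamics' code; the users table and names are constructed), the block below puts a query built by string concatenation beside its parameterized form and records how each reacts to a value containing a quote character, which is the behavioural difference an application scanner keys on.

```python
import sqlite3

# Constructed sample data for the demonstration (hypothetical, not USAID data).
def build_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, country TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)",
                     [("alice", "Kenya"), ("O'Brien", "Peru"), ("bob", "Egypt")])
    return conn

def lookup_unsafe(conn, name):
    # Vulnerable pattern: the submitted value is pasted into the SQL text,
    # so a quote character in the input changes the structure of the query.
    sql = "SELECT country FROM users WHERE name = '" + name + "'"
    return [row[0] for row in conn.execute(sql)]

def lookup_safe(conn, name):
    # Hardened pattern: parameter binding. The driver passes the value
    # separately from the statement, so it can never alter the query.
    rows = conn.execute("SELECT country FROM users WHERE name = ?", (name,))
    return [row[0] for row in rows]

def probe(lookup, conn, value):
    """Run one lookup and report ('ok', rows) or ('error', message).

    A scanner submitting malformed input observes exactly this kind of
    outcome: a quote that breaks the query signals missing validation.
    """
    try:
        return ("ok", lookup(conn, value))
    except sqlite3.OperationalError as exc:
        return ("error", str(exc))

def behaves_differently(conn, value):
    # True when the concatenated and parameterized queries diverge on the
    # same input, i.e. the input is reaching the SQL parser unprotected.
    return probe(lookup_unsafe, conn, value) != probe(lookup_safe, conn, value)

if __name__ == "__main__":
    db = build_db()
    for name in ("alice", "O'Brien"):
        print(name, probe(lookup_unsafe, db, name), probe(lookup_safe, db, name))
```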

You have to be able to use what you learn

The WebInspect vulnerability scanner from SPI Dynamics produces a wealth of information for the Agency for International Development about the security of its Web resources.

'But we're in the fix-it business,' said Bill Geimer, program manager for USAID contractor Open System Sciences. 'It doesn't mean a thing if you can't use it to get things fixed.'

This means that the data from the scans has to reach the administrators and executives around the world who own those resources in a way that is useful.
The quality of the information provided by WebInspect is fine, said USAID CISO Phil Heneghan. The reports not only identify vulnerabilities, they prioritize them and provide information on correcting them. But the quantity is a problem.

'The reports are almost too big,' Heneghan said. An initial scan of a system can produce 400 or 500 pages of data, far more than the average administrator has time to wade through.

A solution to this will be to Web-enable the WebInspect reports, letting administrators find the information they need through a Web portal rather than a printed report. SPI Dynamics plans to include this feature in a future release of its product. The feature will also make it easier to tailor reports for specific audiences.

'You can point and click and get all the technical jargon,' said John Kemon, information security analyst for Open System Sciences. 'But at the end of the day, you need to have the support of the executive level,' who do not have the technical expertise of systems administrators.

Deciding when applications get fixed requires prioritizing not only the vulnerabilities, but also the application itself and the processes it is associated with.

'The process is as important as the technology,' Geimer said.

Checking UP: Phil Heneghan says USAID runs six networks worldwide.

Rick Steele