Scott Olechowski calls it "the sleep at night factor." The more
secure an online application, the better everyone sleeps.
Olechowski ought to know. His company, PostX, developed the
Interim Voting Assistance System (IVAS) for the Department of
Defence (DoD) so that deployed military personnel can securely
request and receive absentee ballot packages via the Web and email
through computers or mobile devices. The system is the very
definition of a high-profile application, and the email encryption
company utilised the Fortify Source Code Analysis tool as part of
its secure development best practices.
The goal of the IVAS Absentee Ballot Request system is to reduce
the amount of time it takes for deployed U.S. Armed Forces to
request and receive absentee ballots. Previously, members of the
military had to use regular mail to request an absentee ballot from
local election officials, who then mailed the ballot to them -- a
process that could take up to six weeks. "And you're hoping they're
still stationed where they were when they made the request -- the
same foxhole, the same iceberg. It's a pretty big challenge," said
Olechowski, vice president of business development at PostX.
The DoD has been working to solve this problem through its arm,
the Federal Voting Assistance Program (FVAP). When PostX was
selected by the Business Transformation Agency of the DoD to
develop the online system, "one of the top concerns for the team was
security," Olechowski said. "It's one of the key themes for our
company, and why we worked with Fortify."
The stakes are high for both the DoD and PostX. There is "a
spotlight put on any sort of voting application that has the word
'electronic' around it," Olechowski said. In addition to risking
the public trust in the election process should there be a breach,
the reputation of the software developer is also at stake. The IVAS
"is such a great attack target," Olechowski said. "If a
vulnerability were found, it could be ruinous to PostX. Using
[Fortify] as part of the process ups that 'sleep at night'
process."
Any application that includes the word "voting" is an issue of
trust, said Mike Armistead, co-founder and vice president of
products at Fortify Software in Palo Alto, Calif. "PostX had a
tradition of building security into their applications. We helped
accelerate that and expanded all the areas they could look for
based on our knowledgebase of vulnerabilities," he said.
PostX has been using Fortify's source code analyser for about a
year now. "Fortify has become part of our entire development
process," Olechowski said. "Every nightly build gets analysed."
For the absentee ballot request system, PostX leveraged its
PostX Messaging Application Platform (MAP) and built the
customisations for the IVAS system. It is integrated with the
Defence Enrollment Eligibility Reporting System (DEERS), an
authentication system. With this new system, military personnel
seeking absentee ballots log on to the FVAP portal to find their
participating state section. They can check their registration
status and request ballots. If approved, an absentee ballot is sent
to them in a secure message and the soldier then prints the
ballot and sends it via regular mail back to the local election
board.
PostX started the project in July, and it went live Sept. 1. The
application is being hosted in a third-party Pentagon
contractor-approved data center, Olechowski said, and PostX is
managing the application. Three states had already approved the use
of the system, and more were expected, he added. Once a state has
approved the system, the individual local election boards can
choose to sign up.
For PostX, the project involved three people who focused on
customising the system for the DoD. Given the compressed timeframe
of the project, Olechowski said using an automated code analyser
helped speed that process.
"The frank reality is we would never be able to do manually what
Fortify does for us automatically. There is an infinite amount of
time you could spend looking for things you're not aware of. We
probably would have had an extra person on a project like this just
standing by keeping an eye on all check-ins," he said.
While manual code reviews are still necessary, use of the tool
reduced the time required. "We were doing nightly manual reviews
that were a couple of hours versus all day," Olechowski said.
Use of an automated code analyser was not required by the DoD,
but the agency did want to know about the vendor's secure coding
practices, Olechowski said. Explaining the use of the code
analyser as part of their overall best practices "gave them
tremendous comfort around the process. There is only so much
developers who are focused on deadline can code with that
[security] in mind, and they understood that. But knowing we are
covering a whole range of vulnerabilities gave them inspired
confidence."
Fortify earlier this week announced availability of version 4.0
of its Source Code Analysis Suite, which includes new management
and reporting features; integration of the FindBugs open-source
program with the Fortify Audit Workbench; and integration with
build and development environments that utilise tools such as
Apache Ant, Unix make, and Windows make. Additional language
support includes ColdFusion 5.0 and JSP Expression Language, as
well as expanded structural analysis for .NET.