Source code analysis tool key to absentee ballot system

PostX turned to the Fortify Source Code Analysis tool for help developing an absentee ballot request system for the U.S. Armed Forces.

Scott Olechowski calls it "the sleep at night factor." The more secure an online application, the better everyone sleeps.

Olechowski ought to know. His company, PostX, developed the Interim Voting Assistance System (IVAS) for the Department of Defence (DoD) so that deployed military personnel can securely request and receive absentee ballot packages via the Web and email through computers or mobile devices. The system is the very definition of a high-profile application, and the email encryption company utilised the Fortify Source Code Analysis tool as part of its secure development best practices.

The goal of the IVAS Absentee Ballot Request system is to reduce the amount of time it takes for deployed U.S. Armed Forces to request and receive absentee ballots. Previously, members of the military had to use regular mail to request an absentee ballot from local election officials, who then mailed the ballot to them -- a process that could take up to six weeks. "And you're hoping they're still stationed where they were when they made the request -- the same foxhole, the same iceberg. It's a pretty big challenge," said Olechowski, vice president of business development at PostX.

The DoD has been working to solve this problem through its arm, the Federal Voting Assistance Program (FVAP). When PostX was selected by the Business Transformation Agency of the DoD to develop the online system, "one of the top concerns for the team was security," Olechowski said. "It's one of the key themes for our company, and why we worked with Fortify."

The stakes are high for both the DoD and PostX. There is "a spotlight put on any sort of voting application that has the word 'electronic' around it," Olechowski said. In addition to risking the public trust in the election process should there be a breach, the reputation of the software developer is also at stake. The IVAS "is such a great attack target," Olechowski said. "If a vulnerability were found, it could be ruinous to PostX. Using [Fortify] as part of the process ups that 'sleep at night' process."

Any application that includes the word "voting" is an issue of trust, said Mike Armistead, co-founder and vice president of products at Fortify Software in Palo Alto, Calif. "PostX had a tradition of building security into their applications. We helped accelerate that and expanded all the areas they could look for based on our knowledgebase of vulnerabilities," he said.

PostX has been using Fortify's source code analyser for about a year now. "Fortify has become part of our entire development process," Olechowski said. "Every nightly build gets analysed."

For the absentee ballot request system, PostX leveraged its PostX Messaging Application Platform (MAP) and built the customisations for the IVAS system. It is integrated with the Defence Enrollment Eligibility Reporting System (DEERS), an authentication system. With this new system, military personnel seeking absentee ballots log on to the FVAP portal to find their participating state section. They can check their registration status and request ballots. If approved, an absentee ballot is sent to them in a secure message; the soldier then prints the ballot and sends it via regular mail back to the local election board.

PostX started the project in July, and it went live Sept. 1. The application is being hosted in a third-party Pentagon contractor-approved data center, Olechowski said, and PostX is managing the application. Three states had already approved the use of the system, and more were expected, he added. Once a state has approved the system, the individual local election boards can choose to sign up.

For PostX, the project involved three people who focused on customising the system for the DoD. Given the compressed timeframe of the project, Olechowski said using an automated code analyser helped speed that process.

"The frank reality is we would never be able to do manually what Fortify does for us automatically. There is an infinite amount of time you could spend looking for things you're not aware of. We probably would have had an extra person on a project like this just standing by keeping an eye on all check-ins," he said.

While manual code reviews are still necessary, use of the tool reduced the time required. "We were doing nightly manual reviews that were a couple of hours versus all day," Olechowski said.

Use of an automated code analyser was not required by the DoD, but the agency did want to know about the vendor's secure coding practices, Olechowski said. Explaining the use of the code analyser as part of the company's overall best practices "gave them tremendous comfort around the process. There is only so much developers who are focused on deadline can code with that [security] in mind, and they understood that. But knowing we are covering a whole range of vulnerabilities gave them inspired confidence."

Fortify earlier this week announced availability of version 4.0 of its Source Code Analysis Suite, which includes new management and reporting features; integration of the FindBugs open-source program with the Fortify Audit Workbench; and integration with build and development environments that utilise tools such as Apache Ant, Unix make, and Windows make. Additional language support includes ColdFusion 5.0 and JSP Expression Language, as well as expanded structural analysis for .NET.
