Six hours to hack the FBI (and other pen-testing adventures)

White-hat hacker pros dish on top traumas and shocking snafus

Motivating the insufficiently alarmed

It took some very public scandals, including a takedown of the government's Web site and published descriptions of vulnerabilities in the voter registration site, for the Commonwealth of Pennsylvania's IT team to be able to free up the budget for penetration-testing tools and beef up security for its Web development practices.

"In government, there's a big push for e-government and that's great because we should be giving citizens access to resources. But there's not enough testing of these new Web applications before they are deployed, and yet they have a huge door called Port 80 that's not secure," says Robert Maley, the commonwealth's chief information security officer.

Maley, who came on board almost three years ago, says he had been pushing for increased penetration testing of all systems but was told the technology and human resources required were too expensive. He was able to squeak a few dollars out of the budget to buy an automated tool and train his team to run it against the government's 80,000 endpoints and 100,000 business-partner connections.

But earlier this year, five portal Web sites were breached with a SQL injection launched from China. The government's main Web site was down for six hours, making local and national headlines. Maley used his penetration-testing tool to do a post-mortem on the attack and shore up any other holes. Then, a month ago, the commonwealth came under fire again when someone published a vulnerability in the voter registration database that allowed citizen data to be viewed.

"That bad press was the final thing I needed to eliminate any pushback and to create a sea change in the culture here," he says. Although there is still not enough money to bring in outside consultants, Maley is working closely with his own security team to test application code in development and in production and to train developers on security practices. "We have checks and balances on everything we do now," he says. "For instance, before a site goes live, we do penetration testing against the hardware, software, operating system and application itself."

Ready to get started? We've got five steps to successful and cost-effective penetration testing -- and five free pen-testing tools to check into.
