Page 42 - GCN, June/July 2018

Case study: Cybersecurity

Virginia program slashes vulnerabilities in web apps

The Virginia Information Technologies Agency's program scans for problems and tests to see whether they are being exploited

BY STEPHANIE KANOWITZ
The Virginia Information Technologies Agency has reduced the number of high-risk vulnerabilities affecting its web applications by 30 percent in one year by deploying a program that scans and tests for weaknesses.

VITA's program, implemented in 2016, uses a scanning tool from web security firm Acunetix to check thousands of public-facing and internal web applications at nearly 70 state agencies every quarter. It can identify more than 600 web application vulnerabilities, including those on the Open Web Application Security Project's list of the top 10 risks and configuration errors.

"We make sure that we've identified the vulnerabilities for each one of those and that there's a remediation plan to fix those at least high and medium vulnerabilities on the systems so that we're protecting ourselves," said Mike Watson, Virginia's chief information security officer. "We'll actually test the vulnerabilities we're finding and see if they're executing properly."

VITA had been scanning web applications for years but was not meeting agencies' expectations. "The No. 1 thing we kept hearing back from agencies was, 'It doesn't work' or 'I'm not seeing that vulnerability that you're finding,'" Watson said. "So we took it that further step to make sure that we were actually testing vulnerabilities to see if they were being exploited or not."

Additionally, Watson's team helps agencies interpret scan results. He credits that extra step with decreasing high-risk vulnerabilities in the fourth quarter of 2017, compared to the same time the year before. The number of medium-risk items rose slightly, but that's to be expected because more vulnerabilities were announced and agencies added sites, he said.

After agencies address any vulnerabilities, VITA scans the systems again. High-risk vulnerabilities, such as SQL injections, must be fixed quickly, while medium-risk ones, such as a brute force-style attack or encryption problems, have a longer deadline.

In addition, VITA offers services that help agencies understand and fix the problems because many lack the in-house expertise to address the issues.

"We're not giving them just a 'Hey, this tool picked up this issue. Why don't you go look into it?' We're able to show them exactly where the problem is [and] point them in the right direction for exactly what type of changes are necessary in order to make their web application secure," he said.

Other states have similar scanning protocols. For instance, New York uses automated tools to scan systems, computing and network devices, web applications and application code, and issued a standard for vulnerability scanning in 2015. And like VITA, the Texas Department of Information Resources offers vulnerability scanning of web applications at no cost for state agencies. •