Minnesota Driver and Vehicle Services took down their web site for online license tab renewal in response to a Legislative Auditor’s report sharply criticizing the lack of security in the site. The report is less than kind.
Good. This should be a wake-up call.
The report centers around the fact that DVS did not address findings and recommendations in a 2001 audit. There was no security program in place, inadequate documentation and processes to support secure software development and deployment. The system was found to be vulnerable at several levels: not just the application code, but network and database access as well. I credit DVS for shutting down the site and can commiserate with their lack of resources to address the problem. State government budgets are being cut right and left, and like it or not intangibles like security are often the first victims. Taking the site down might just make it seem a bit more real.
For me personally, the timing of the audit report could not be better. On Tuesday I’m delivering a presentation about web application security to college and university IT staff from throughout the state. My focus is on integrating security throughout the software development life cycle. I’ll be touching on topics such as developer training, security requirements, misuse cases, threat modeling, code review, penetration testing, maintenance and monitoring. It will be nice to have this audit report to bolster my message. And it’s clear that upper management is standing up and taking notice.
A final note. Chris Buse, an auditor who worked on this review, stopped through our offices a couple months ago and poked his head in on a web team meeting. “Say,” he asked, “are you familiar with the OWASP Top Ten?” Coincidentally, we had just been talking about it, so to my enormous gratification everyone around the table nodded their head with an air of “oh yeah, that’s old hat.” It isn’t, but we’re getting there. The projects we’re working on now, apps that will be rolled out this summer, are in good shape. I am so much more confident than ever before about the state of security in our current web development. It’s a good feeling.