The public agency that oversees the operations of the federal government released four mobile apps without checking for security risks that are known to affect confidentiality, integrity and availability when exploited.
The finding was raised in a new report from the inspector general in charge of monitoring the General Services Administration, which has been tasked with encouraging federal agencies to offer more services through mobile devices. But the focus may shift more toward security in light of the inspector general’s determination that “none of the released mobile applications underwent required security assessments and authorizations.”
GSA investigators did not reveal in the report which specific apps were affected or when they were published, but the revelation suggests a security blind spot for app developers at the GSA, and possibly at other organizations that are eager to satisfy growing demand for mobile accessibility.
Data not secured
Investigators with the inspector general’s office began to look at app security as part of a broader assessment of whether the GSA’s mobile initiatives were consistent with the agency’s strategic goals and a White House initiative launched last year to get federal agencies to provide customer-facing services on mobile devices.
Specifically, investigators found that the apps did not undergo an assessment and authorization process that is required as part of a 2002 law. They also found that GSA rules for evaluating apps — released after the four apps were published — “did not comprehensively address mobile security risks.” The apps in question were susceptible to “weak server side controls, insecure data storage and insufficient transport layer protections.”
GSA accepts findings
The inspector general’s office concluded its audit with a list of recommendations, some of which urged GSA Chief Information Officer Casey Coleman to develop security standards that address the following risks:
- Exploitation of vulnerabilities due to poor programming practices
- The compromising of sensitive application data
- Not completing security assessment and authorization requirements
An Aug. 22 memo from Coleman that was included in the audit stated that the GSA as a whole agrees with the findings and recommendations.