NASA OIG: Security of NASA's Publicly Accessible Web Applications



NASA Inspector General Paul K. Martin released a report today evaluating NASA’s effort to safeguard its Internet-accessible web applications. These applications consist of hundreds of websites NASA uses to share scientific information with the public and collaborate with research partners, as well as login portals and administrative systems that provide authorized personnel with remote access to Agency IT resources. NASA manages about half of all publicly accessible, non-military Federal websites, and the Agency is a regular target of cyber attacks both because of the large size of its networks and because the networks contain technical and other sensitive information highly sought after by criminals.

The audit report focuses on the effectiveness of an Agency-wide initiative known as the Web Application Security Program (WASP).  We found that WASP was successful in developing a complete inventory of all NASA web applications and, consistent with best practices, identified vulnerabilities through automated scanning coupled with manual testing.  In addition, during the 15-month period ending March 2014, NASA reduced by 15 percent (from 1,500 to 1,200) the number of its publicly accessible web applications.  Despite this progress, the OIG found deficiencies in WASP’s design and implementation that leave NASA’s public web applications at risk of compromise. 

These deficiencies occurred because WASP did not prioritize identification of security vulnerabilities by seriousness of potential impact, identify the underlying cause of vulnerabilities, identify weaknesses associated with unsound IT security practices, or implement an effective process to ensure timely mitigation of identified vulnerabilities.  Moreover, while NASA has made strides in reducing its web presence, the Agency’s remaining 1,200 publicly accessible web applications continue to present a large target for hackers. 

The OIG made five recommendations to improve the efficacy of NASA’s web security.  NASA proposed corrective action to address the recommendations.

The full report is available on the OIG’s website at http://oig.nasa.gov/ under “Reading Room” or at http://oig.nasa.gov/audits/reports/FY14/IG-14-023.pdf

For more information or media inquiries, please contact Kathy Shaeffer at (202) 358-1220.

 
