18-09, CNCS Web Application Vulnerability Assessment

The CNCS OIG contracted with CLA, LLP to review the controls that the CNCS OIT put in place to secure three internal web applications and associated infrastructure. The review resulted in five recommendations. The objectives were to assess and report any risks that could lead to information technology security incidents, recommend improvements in the operations of the information systems, and identify gaps between the Corporation's current information security posture and industry best practices. CLA found critical application vulnerabilities, missing patches and unsupported software, incorrect documentation, and configuration weaknesses. CLA recommended that CNCS improve its patching effectiveness, update unsupported software, fully remediate configuration weaknesses and noted vulnerabilities, practice secure coding, and update its documentation.