TDI performed a Certification & Accreditation (C&A) on Verisign's flagship PKI system as part of Verisign's effort to become the premier PKI provider within the federal government. One of the key activities TDI carried out during the C&A was review and analysis of the system's source code. The goal was twofold. First, several of the security controls the C&A process required for the system called for an automated source code analysis tool to be deployed, so that future system audits and certifications could be supported. Second, the C&A process required evidence that the system's actual source code contained no critical vulnerabilities before the system could be accredited. TDI validated both requirements: first by accessing the production system environment and verifying that the source review tool was deployed, and second by executing a full source code review using the proprietary Verisign source code review tool that had been deployed. The review was run against the entire code base within the development environment for the PKI system. It identified coding practices in the codebase that required attention; further manual review by TDI of those findings led to recommendations for improving secure coding practices at Verisign.
As a result of TDI's efforts, the PKI system not only won the bid to become the official provider of managed PKI services within the federal government, but TDI's review of the source code and of the tool's analysis results also showed that the coding process Verisign used for the system needed improvement. It is worth noting that TDI's recommendations did not come from the features of the automated tool Verisign had deployed, but rather from TDI's expertise in the Java programming language used to implement the majority of the system's PKI functionality. This lesson learned underscores the importance of both automated source code review and expert manual validation of the analysis results, since an automated mechanism is likely to miss programming deficiencies that an experienced developer would catch. In addition to the Verisign effort, TDI has applied the same practice of automated source code analysis combined with manual validation at other large federal and commercial customers.