Verisign's flagship PKI system successfully became an official managed PKI provider of the U.S. federal government thanks to TDI.

TDI performed Assessment & Authorization (A&A) services on Verisign’s flagship PKI system as part of Verisign’s efforts to become the premier PKI provider within the federal government. During the course of our A&A activities, one of the key efforts TDI was involved in was system source code review and analysis. The goal was twofold. First, several of the security controls required by the A&A process to be in place for the system involved deploying an automated tool for source code analysis to facilitate future system audits and certifications. Second, the A&A process required evidence that the actual source code for the system does not contain any critical vulnerabilities for the system to be successfully authorized. TDI validated both requirements by first accessing the production system environment and verifying that source review tool was deployed, and second by executing a full source code review process using the deployed proprietary Verisign source code review tool. The source code review was executed against the entire code base within the development environment for the PKI system. Our efforts pointed out coding practices within the codebase that required attention, which upon further manual review by TDI warranted recommendations for improving the secure coding practices at Verisign.

As a result of TDI’s efforts, not only did the PKI system successfully win the bid to become the official PKI provider of managed PKI services within the federal government, but due to TDI’s review of source code and tool analysis the coding process employed at Verisign for the system was deemed in need of improvement. It is worth noting that the recommendations TDI provided were not due to the features of the automated tool deployed by Verisign but rather due to TDI’s expertise with the Java programming language used to implement the majority of the PKI functionality of the system. This learning lesson underscores the importance of both automated source code review and also of expert manual validation of code analysis results given that an automated mechanism is likely to miss programming deficiencies that an experienced developer would not. In addition to the Verisign effort, TDI has also employed the practice of source code automated analysis and manual validation at other large federal and commercial customers.

Testimonials

Don’t take it from us, hear what our clients have to say about TDI

“TDI’s approach to Managed Cybersecurity Performance (MCP) has been a game changer for us. We now have added visibility and insight to better understand risk and the ROI (return on investment) we’re receiving from our other security provider. Our security program continues to mature and we’re able to maintain continuous compliance. MCP gives me one less thing to worry about and frankly makes my job easier.””
Johnny Yang
Director Information Security & Compliance
“TDI always provides top notch personnel that meet or exceed the requirements of the contract. Their deliverables, reports, and technical aptitude are bar none. We will continue to hire TDI … they always come through for us and our end customers.”
Emilio Gonzalez
Joint Strike Fighter Program Manager
“[TDI Employee] You are the Man !! Thanks so much for the quick turn around.”
W.A. Harrison
USAJOBS Program Office Deputy Program Director
“The most appealing part of the engagement was the development of the 10-year strategic security plan for our mutual client. The quality of the thinking and input into the deliverables was exceptional.”
Bruce Gnatowski
Director Verizon Global Services
“On behalf of MCSC, PdM TFITS, Manpower Team, I would like to express our appreciation for the excellence in leadership & teamwork demonstrated by [TDI Staff] over the past 18 months. Her role as a lead IA professional was carried out in a manner above and beyond expectations.”
Beverly Walker
USMC Manpower Branch Manager
“Highly skilled and knows their work. . . exceptional at task preparation & reduced time to perform tasks by 90%. TDI brings quality & care to the table. Lots of companies have good people, but TDI employees really care about the work they do & the collective customers we support.”
Deron Burba
Smithsonian CIO
“TDI and its staff provided high quality testing engagements followed up by concise easy to understand reports. They clearly showed adherence to tasks schedule and offer adequate frequency of client/customer interaction resulting in a very satisfied customer.”
Carla Little-Kopach
Chief, DARPA SSO BPA
“TDI has proven an invaluable asset to the mission of the CTO…have strengthened the overall IA posture of the DEA Enterprise…and continues to further innovate and provide solutions that help sharpen the overriding information technology goals and mission of the Office of the CTO.”
Mark Shafernich
CTO, DEA

Related Case Studies

All Case Studies
Monster calls on TDI to support its cyber requirements and scare away risk

As Monster’s cybersecurity partner for over a decade, TDI helped Monster navigate the difficult waters of Federal compliance by conducting A&A & other cyber efforts delivering roadmaps to protection
TDI brings risk expertise to bear at USDA in RMF & supporting tasks

Across multiple tasks at the USDA TDI provides Risk Management Framework, A&A, continuous monitoring, risk visualization, compliance, and risk and project management.
The IMF Identifies monetary risk globally. TDI ID’ed cyber risk for the IMF

Across internal systems, public facing applications, networks, and mobile devices, TDI has provided risk and vulnerability assessment services to scores of the IMF’s IT assets.

nSights Report


X