Stabroek News

The approach to government website security needs revision


Dear Editor, The government needs to enforce computer security. Little attention is given to web security on government public-facing websites and more to design and content delivery. While it is very important that public information is delivered through the various ministries and agencies, they also pose a risk to the security of the layers below. None of the government websites are secure and all are very vulnerable to snooping, among other types of unwanted behaviour. All sites should be encrypted and served over a secure connection. In addition, the expectation should be that this development is standard across ministries and the continuous dependence and use of third party integrations should be limited, or managed in such a way that the risks involved in using them are known and are at an acceptable level.

It is important to note the Guyana Revenue Authority and the Bank of Guyana websites. These are two very important websites and one utilizes encryption and the other does not. This indicates a disconnect with regard to standards in relation to a government IT level and the requirements of the agency. While the GRA’s website offers services that require the provision of information for the verification of various transactions with the agency, it does not provide a secure connection and the data provided is queried on a database that resides in the agency. If there is some special type of segmentation, then that can be assumed to be an acceptable risk. If not, then this is significant because it means that the database is live and provides very current and not historical data. The inputs are not sanitized and accept any type of data input, which is unacceptable and very susceptible to a SQL injection. In contrast, the Bank of Guyana uses secure encryption and does not facilitate similar interactions. However, the ‘Mail’ link at the top of the page does not direct a user to a user mail module but to the ‘host’ login page of the Bank’s website.

This may not seem like a very important issue but it really is. Keeping this obscured is a better approach. This too indicates that there is no standard web development framework, revision, certification and accreditation of the basic, public-facing websites of the state.

There is dire need for a total revision of the security posture of government websites. The push towards an eGovernment approach is needed now more than ever, and the focus should be on the development of centralized security controls. These controls will ensure that the application layer offers a level of acceptable security and should contribute to the protection of the layers below, on which they’re hosted. Although this may be a very laborious undertaking, it will ultimately achieve uniformity and improved performance. With the development of a comprehensive security policy that takes all the public-facing ministries and agencies into consideration, their components should be defined and enforced consistently.

Yours faithfully, Dustin Fraser
