Mon, May 13, 2024
Founded in 2018 by seasoned election security experts, VotingWorks stood as a leading non-profit vendor specializing in open-source software for election security. Its flagship tool, Arlo, developed in collaboration with the U.S. Department of Homeland Security, spearheaded risk-limiting audits (RLAs), a critical aspect of its offerings. An RLA is a statistical post-election audit that hand-checks a random sample of paper ballots and limits, to a chosen risk level, the probability that an incorrect reported outcome goes uncorrected; the software that selects the sample and tracks the results is therefore itself a target worth securing.
Given its role in election security, the assurance of trustworthiness was paramount for VotingWorks. To instill confidence in states, counties and municipalities utilizing its software, the company operated on the principles of transparency. While its code was publicly accessible, transparency formed just one layer in its quest to deliver a secure and reliable election audit product.
As the 2020 general election loomed, public scrutiny on election security and auditing intensified. Citizens, media and officials raised concerns about vote accuracy. The stakes were high, which prompted sophisticated threat actors—even state-sponsored groups—to eye potentially vulnerable election data management software. For government agencies viewing Arlo, the confidence that these threats couldn't tamper with election or audit outcomes was imperative.
This urgency was particularly acute in swing states like Georgia, which had reviewed all 5 million ballots through Arlo's RLAs. Other pivotal states, including Michigan and Pennsylvania, had also utilized Arlo in their election processes.
However, despite the critical need for security, a federal standard for RLA software like Arlo hadn't been established as of 2020. VotingWorks faced the task of identifying an independent partner with robust software security credentials and profound experience in testing and securing emerging technologies to address these pressing security concerns.
Kroll was top of mind.
Upon soliciting competitive bids, VotingWorks opted to collaborate with Kroll for the penetration testing of Arlo before the 2020 election audits. This comprehensive penetration test encompassed both an open-box web application security assessment and a technology-assisted source code review.
The assessment delved into penetration testing of the software itself, checking that the audit logic was not only designed securely but also implemented securely. Additionally, it included a thorough examination of the infrastructure supporting Arlo, spanning both production and staging environments. This aspect was crucial because VotingWorks does not just provide the Arlo software; it also hosts and manages it on behalf of the clients that use it, so a weakness in that hosting environment would undermine the audit as surely as a flaw in the code. The overarching goal of the penetration test was to evaluate the platform's security for post-election audits, aiming to instill trust in both states and voters.
VotingWorks, committed to earning voters' trust, found a valuable ally in Kroll during the penetration-testing phase for Arlo. This collaboration yielded several key advantages in line with its foundational goal: