Report: The Department of Homeland Security could try harder on web security

Uh-oh. That ain't good.

The Office of the Inspector General assessed nine websites operated by the Department of Homeland Security, which runs over 125 publicly accessible websites in total. It found that, while the underlying operating systems were configured according to best practice, few of the component agencies running the sites had the tools or experience to assess the web applications themselves with the same rigour.

This finding echoes a recent report from the SANS Institute, which said that organisations were focusing too heavily on securing operating systems while web applications had become the largest source of security vulnerabilities.

"These vulnerabilities could put DHS data at risk", said the report. "In addition, DHS can make improvements in managing its system inventory and providing technical oversight and guidance in order to evaluate the security threats to its public facing websites."

Website inventory was still poor, according to the report, which said that the Customs and Border Protection website was neither certified nor accredited, and was not inventoried under any general support system or major application. The main public website of the United States Secret Service, meanwhile, is still hosted by the Treasury Department, with no formal agreement in place to ensure its protection.

Large sections of the report detailing exact vulnerability assessments were redacted. However, the recommendations to the Department of Homeland Security were left public. It should require periodic security vulnerability assessments, apply security patches promptly, clarify its vulnerability assessment policy and guidelines, and inventory the public-facing website elements of major applications, the report said.

It should also direct Customs and Border Protection to certify and accredit its public-facing website, and the United States Secret Service should bring its website under the Department of Homeland Security's security programme.

The websites operated by other components, such as the Federal Emergency Management Agency, the National Protection and Programs Directorate and the United States Coast Guard, contained no critical- or high-severity vulnerabilities, according to the report, which held them up as examples of an effective defence-in-depth approach to security.
