Penetration Testing and Attack Simulation for VotingWorks’ Risk-Limiting Audit Software Arlo
Security Compass Advisory, a Kroll business, tested Arlo, VotingWorks’s Risk Limiting Audit platform, in advance of Georgia’s full hand-count audit of the 2020 election results.
VotingWorks, founded in 2018 by election security experts, is a leading non-profit vendor of open-source software for election security. Its offerings include Arlo, a tool they developed in conjunction with the U.S. Department of Homeland Security for performing risk limiting audits (RLAs).
- Highly sensitive data
- Increased public scrutiny
- Potential target for sophisticated threat actors
- Penetration testing
- Ongoing security testing
- A more secure product
- Ongoing software security
- Enhanced public trust
As a company that provides election security products, VotingWorks needs to be able to assure the states, counties and municipalities using its software that the platform can be trusted to protect sensitive election data.
Part of how they carry out that mission is transparency. VotingWorks is a non-profit, and its code for Arlo and their other products is publicly available. However, transparency is only one layer of providing a secure and trustworthy election audit product.
Leading into the 2020 general election, election security and auditing would be under more public scrutiny than ever, with citizens, media and public officials voicing their concerns about how accurately votes were being collected and counted. Furthermore, the stakes of the 2020 election were high enough that insecure software being used to manage election data would be valuable targets for sophisticated threat actors, including state-sponsored groups. Government agencies considering Arlo needed confidence that these threat actors would not be able to tamper with either election results or audit results.
This threat was especially pressing in swing states, and several swing states were planning to use Arlo in 2020 to help them perform RLAs. That included Georgia, whose audit would require reviewing all 5 million of its ballots. Other swing states planning to use Arlo included Michigan and Pennsylvania.
Despite the clear need for security, as of 2020 there was not yet an established federal security standard for RLA software like Arlo. VotingWorks needed to identify an independent partner who had not only strong software security credentials, but also deep experience testing and securing emerging technologies.
After soliciting competitive bids, VotingWorks chose to partner with Security Compass Advisory, now part of Kroll, to penetration-test Arlo before the round of 2020 election audits. The penetration test included both an open-box web application security assessment and a technology-assisted source code review.
The assessment included penetration testing of the software itself, to make sure the logic was developed and implemented securely. It also included an assessment of the infrastructure that Arlo was running on, including both production and staging environments. Testing the environment was important because VotingWorks offers not only the Arlo software, but also hosting and management services for clients using Arlo. The goal of the penetration test was to assess the security of the platform for post-election audits, to merit the trust of both states and voters.
VotingWorks was created on a foundation of earning voters’ trust. Working with Kroll to penetration-test Arlo has brought VotingWorks several advantages that align with that goal:
A More Secure Product
Kroll’s report allowed VotingWorks to identify and remediate findings that could affect the security of Arlo. The penetration test identified three low-risk security issues in the Arlo platform before it was put into service for the Georgia recount. VotingWorks addressed two of them immediately, and worked on solving the third. The penetration test led to a more secure product for Georgia and all other governments that used it to perform RLAs on election results in 2020 and beyond.
Ongoing Software Security
VotingWorks understands that security is not a one-time test, but an ongoing process. The organisation shares this outlook with Kroll. As VotingWorks continues to develop Arlo, and the threat landscape continues to evolve, Kroll will continue to support VotingWorks in its efforts to keep Arlo at the forefront of election security and trust.
By partnering with Kroll for penetration testing and ongoing security testing, VotingWorks can prove its material investment not only in transparency, but in working with security experts to ensure that its software security is tested and improved on an ongoing and meaningful basis. For software used for such sensitive and high-profile purposes as election integrity, this is an important component of building the trust VotingWorks intends to build with governments and voters alike.