Mon, May 13, 2024

Safeguarding Election Security Through Penetration Testing

Discover how VotingWorks joined forces with Kroll to ensure the trustworthiness of its flagship tool, Arlo

The Challenge

Founded in 2018 by seasoned election security experts, VotingWorks stood as a leading non-profit vendor, specializing in open-source software for election security. Its flagship tool, Arlo, developed in collaboration with the U.S. Department of Homeland Security, spearheaded risk-limiting audits (RLAs), a critical aspect of its offerings.

Given its role in election security, the assurance of trustworthiness was paramount for VotingWorks. To instill confidence in states, counties and municipalities utilizing its software, the company operated on the principles of transparency. While its code was publicly accessible, transparency formed just one layer in its quest to deliver a secure and reliable election audit product.

As the 2020 general election loomed, public scrutiny on election security and auditing intensified. Citizens, media and officials raised concerns about vote accuracy. The stakes were high, which prompted sophisticated threat actors—even state-sponsored groups—to eye potentially vulnerable election data management software. For government agencies viewing Arlo, the confidence that these threats couldn't tamper with election or audit outcomes was imperative.

This urgency was particularly acute in swing states like Georgia, which had reviewed all 5 million ballots through Arlo's RLAs. Other pivotal states, including Michigan and Pennsylvania, had also utilized Arlo in their election processes.

However, despite the critical need for security, a federal standard for RLA software like Arlo hadn't been established as of 2020. VotingWorks faced the task of identifying an independent partner with robust software security credentials and profound experience in testing and securing emerging technologies to address these pressing security concerns.

Kroll was top of mind.

Kroll's Solution

Upon soliciting competitive bids, VotingWorks opted to collaborate with Kroll for the penetration testing of Arlo before the 2020 election audits. This comprehensive penetration test encompassed both an open-box web application security assessment and a technology-assisted source code review.

The assessment covered penetration testing of the software itself, verifying that the application logic was not only designed but also implemented securely. It also included a thorough examination of the infrastructure supporting Arlo, spanning both production and staging environments. This aspect was crucial because VotingWorks not only provides the Arlo software but also hosts and manages it for the clients that use it. The overarching goal of the penetration test was to evaluate the platform's security for post-election audits, aiming to instill trust in both states and voters.

The Impact

VotingWorks, committed to earning voters' trust, found a valuable ally in Kroll during the penetration-testing phase for Arlo. This collaboration yielded several key advantages in line with its foundational goal:

  • Enhanced product security: Through Kroll's assessment, VotingWorks swiftly identified and addressed security findings affecting Arlo's integrity. The rigorous penetration test pinpointed three low-risk security issues in the Arlo platform ahead of its deployment for the Georgia recount. Prompt action led to immediate resolution of two issues, while dedicated efforts were allocated to resolve the third. This proactive approach ensured a more secure product, not just for Georgia, but for all governments utilizing Arlo for RLAs in the 2020 elections and beyond.
  • Continuous software vigilance: Recognizing that security is an ongoing process, VotingWorks aligned with Kroll in this shared perspective. As Arlo continued to evolve and adapt to the threat landscape, Kroll continued to support VotingWorks in its efforts to keep Arlo at the forefront of election security and trust.
  • Strengthened trust: By partnering with Kroll for penetration testing and continuous security assessments, VotingWorks demonstrated a tangible investment in transparency and collaboration with security experts. This ongoing commitment to testing and improvement was a vital component in establishing trust, especially for software integral to sensitive and high-profile purposes such as election integrity. VotingWorks built trust with governments and voters, emphasizing the importance of a robust and continuously fortified security framework overall.
