Security Compass tested Arlo, VotingWorks’s Risk Limiting Audit platform, in advance of Georgia’s full hand-count audit
Industry: Election Technology
Location: San Francisco, California
VotingWorks, founded in 2018 by election security experts, is a leading non-profit vendor of open-source software for election security. Their offerings include Arlo, a tool they developed in conjunction with the US Department of Homeland Security for performing Risk Limiting Audits (RLAs).
As a company that provides election security products, VotingWorks needs to be able to assure the states, counties, and municipalities who use its software that their platform can be trusted to protect sensitive election data.
Part of how they carry out that mission is transparency. VotingWorks is a non-profit, and their code for Arlo and their other products is publicly available. However, transparency is only one layer of providing a secure and trustworthy election audit product.
Leading into the 2020 general election, election security and auditing would be under more public scrutiny than ever, with citizens, media, and public officials voicing their concerns about how accurately votes were being collected and counted. Furthermore, the stakes of the 2020 election were high enough that insecure software used to manage election data would be a valuable target for sophisticated threat actors, including state-sponsored groups. Government agencies considering Arlo needed confidence that these threat actors would not be able to tamper with either election results or audit results.
This threat is especially pressing in swing states, and several swing states were planning to use Arlo in 2020 to help them perform RLAs. That included Georgia, whose audit would require reviewing all five million of its ballots. Other swing states planning to use Arlo included Michigan and Pennsylvania.
Despite the clear need for security, as of 2020 there was not yet an established federal security standard for RLA software like Arlo. VotingWorks needed to identify an independent partner who not only had strong software security credentials, but also deep experience testing and securing emerging technologies.
After soliciting competitive bids, VotingWorks chose to partner with Security Compass Advisory to penetration test Arlo before the round of 2020 election audits. The penetration test included both an open-box web application security assessment as well as a technology-assisted source code review.
The assessment included penetration testing of the software itself, to make sure the logic was developed and implemented securely. It also included an assessment of the infrastructure that Arlo was running on, including both production and staging environments. Testing the environment was important because VotingWorks not only offers the Arlo software, but also hosting and management services for clients using Arlo. The goal of the penetration test was to assess the security of the platform for post-election audits, to merit the trust of both states and voters.
VotingWorks was created on a foundation of earning voters’ trust. Working with Security Compass Advisory to penetration test Arlo has brought VotingWorks several advantages that align with that goal:
A More Secure Product: Security Compass Advisory’s report allowed VotingWorks to identify and remediate findings that could affect the security of Arlo. The penetration test identified three low-risk security issues in the Arlo platform before it was put into service for the Georgia recount. VotingWorks addressed two of them immediately and worked on solving the third. The penetration test led to a more secure product for Georgia and all other governments who used it to perform RLAs on election results in 2020 and beyond.
Ongoing Software Security: VotingWorks understands that security is not a one-time test, but an ongoing process. They share this outlook with Security Compass Advisory. As VotingWorks continues to develop Arlo, and the threat landscape continues to evolve, Security Compass Advisory will continue to support VotingWorks in its efforts to keep Arlo at the forefront of election security and trust.
Strengthened Trust: By partnering with Security Compass Advisory for penetration testing and ongoing security testing, VotingWorks can prove their material investment not only in transparency, but in working with security experts to ensure that their software security is tested and improved on an ongoing and meaningful basis. For software used for such sensitive and high-profile purposes as election integrity, this is an important component of building the trust VotingWorks intends to build with governments and voters alike.
To learn more about Security Compass Advisory and our penetration testing offerings, visit us at: https://securitycompassadvisory.com/penetration-testing-consulting-services