United States

General Services Administration

Consolidated Security Scan Findings Database and Workflow Management Tools Suite.
CTA provided data engineering and application development services to the United States General Services Administration (GSA) to design and implement a custom web-based process support application and data platform to collect and standardize system security scan data and to track and manage remediation activities.


Background

The GSA Federal Acquisition Service (FAS) Information Security (InfoSec) group is responsible for monitoring the security of internal GSA servers, databases, and web applications. InfoSec security engineers perform regular vulnerability scans on key GSA systems, analyze any discovered vulnerabilities, and coordinate remediation activities. Security scans of the various systems are conducted using several third-party scanning tools, which generate logs of all discovered vulnerabilities. The output from these scans can contain thousands of individual vulnerabilities ranging in importance from critical to insignificant, with some percentage of these vulnerabilities being false positives. The structure and format of the scan data were unique to each vendor and scanning tool. Converting the scan findings into a trackable and reportable form required a time-intensive manual process to triage, analyze, assign, update, and close each finding. Meeting formal reporting requirements involved a further layer of manual cut-and-paste effort, which delayed communication and remediation of important security vulnerabilities.

The primary driver for this effort was the need to consolidate scan data to a common platform and data structure for the purpose of supporting rapid review of a large volume of findings to determine appropriate action and quick assembly of standardized reports to meet internal and external reporting obligations.


Solution Approach

CTA’s approach to FAS InfoSec’s challenge was to design and implement a custom data platform that creates a single common data structure for all scan data, together with a web-based application to collect and manage scan data and provide access to required reports. System design focused on four primary objectives:

  • Creation of a standardized data structure to merge tool-specific scan output
  • Automation of scan data input and standardization
  • Creation of web-based process support tools to facilitate vulnerability analysis and management of remediation efforts
  • Automation of compliant report output
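The first two objectives, a common data structure and automated ingestion, amount to a normalization layer in front of the tracking workflow. The following is an added illustration, not CTA's or GSA's code: it parses two constructed, hypothetical scanner formats ("ScannerA" emitting JSON with word severities, "ScannerB" emitting CSV with a numeric level and an analyst false-positive column), maps both onto one schema with a shared severity scale, merges findings that both tools report for the same host, port and title, and produces the counts a standardized report would draw on. The field names, the five-level severity scale, and the deduplication key are assumptions made for the example.

```python
import csv
import io
import json
from collections import Counter

# Common severity scale for the consolidated schema (assumption for this example).
SEVERITY_LABELS = ["info", "low", "medium", "high", "critical"]

# Hypothetical ScannerA reports severity as a word; map it onto the common scale.
SCANNER_A_SEVERITY = {"info": 0, "low": 1, "medium": 2, "high": 3, "critical": 4}

# Constructed sample output from hypothetical ScannerA (JSON).
SCANNER_A_JSON = json.dumps({
    "scan_date": "2024-01-15",
    "results": [
        {"ip": "10.0.0.5", "port": 443, "plugin_id": "A-1001", "risk": "High",
         "name": "Outdated TLS configuration"},
        {"ip": "10.0.0.5", "port": 22, "plugin_id": "A-2002", "risk": "Info",
         "name": "SSH banner disclosure"},
        {"ip": "10.0.0.9", "port": 80, "plugin_id": "A-3003", "risk": "Critical",
         "name": "Web server running vulnerable version"},
    ],
})

# Constructed sample output from hypothetical ScannerB (CSV, numeric level 0-4,
# plus an analyst-maintained false_positive column).
SCANNER_B_CSV = """host,service_port,check_id,level,title,false_positive
10.0.0.5,443,B-77,3,Outdated TLS Configuration,no
10.0.0.9,80,B-88,4,Web server running vulnerable version,no
10.0.0.12,3306,B-99,2,Database listener exposed to network,yes
"""


def make_finding(host, port, title, severity, source, vendor_id, false_positive=False):
    """Build one record in the common schema shared by every scanner."""
    return {
        "host": host,
        "port": int(port),
        "title": title.strip(),
        "severity": severity,
        "severity_label": SEVERITY_LABELS[severity],
        "sources": [source],
        "vendor_ids": [vendor_id],
        "status": "false_positive" if false_positive else "open",
    }


def parse_scanner_a(text):
    """Adapter for the hypothetical ScannerA JSON layout."""
    data = json.loads(text)
    return [make_finding(r["ip"], r["port"], r["name"],
                         SCANNER_A_SEVERITY[r["risk"].lower()], "ScannerA", r["plugin_id"])
            for r in data["results"]]


def parse_scanner_b(text):
    """Adapter for the hypothetical ScannerB CSV layout."""
    rows = csv.DictReader(io.StringIO(text))
    return [make_finding(r["host"], r["service_port"], r["title"], int(r["level"]),
                         "ScannerB", r["check_id"], r["false_positive"].lower() == "yes")
            for r in rows]


def finding_key(f):
    # Same host, port and (case-insensitive) title is treated as the same issue.
    return (f["host"], f["port"], f["title"].lower())


def consolidate(findings):
    """Merge duplicate findings across tools, keeping the highest severity seen."""
    merged = {}
    for f in findings:
        key = finding_key(f)
        if key not in merged:
            merged[key] = dict(f, sources=list(f["sources"]), vendor_ids=list(f["vendor_ids"]))
            continue
        m = merged[key]
        m["sources"].extend(s for s in f["sources"] if s not in m["sources"])
        m["vendor_ids"].extend(f["vendor_ids"])
        if f["severity"] > m["severity"]:
            m["severity"] = f["severity"]
            m["severity_label"] = SEVERITY_LABELS[f["severity"]]
        if f["status"] == "false_positive":  # an analyst FP marking carries over
            m["status"] = "false_positive"
    return sorted(merged.values(), key=lambda f: (-f["severity"], f["host"], f["port"]))


def summary_report(findings):
    """Counts by severity, host and status, as a standardized report would need."""
    status = Counter(f["status"] for f in findings)
    return {
        "total": len(findings),
        "open": status["open"],
        "false_positive": status["false_positive"],
        "by_severity": dict(Counter(f["severity_label"] for f in findings)),
        "by_host": dict(Counter(f["host"] for f in findings)),
    }


if __name__ == "__main__":
    all_findings = consolidate(parse_scanner_a(SCANNER_A_JSON) + parse_scanner_b(SCANNER_B_CSV))
    print(json.dumps(summary_report(all_findings), indent=2))
    for f in all_findings:
        print(f["severity_label"].upper(), f["host"], f["port"], f["title"], f["sources"], f["status"])
```

Each scanner gets its own small adapter and nothing downstream ever sees vendor-specific fields, which is what lets a new tool be added without touching triage or reporting. The merge step keeps the most severe rating and preserves every vendor identifier so an analyst can trace a consolidated record back to the raw scan output.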
