Posted by: Eric Parizo
Tags: laws, investigations and ethics; Robert Maley; Web application security
As first reported last week in The Patriot-News of Pennsylvania and other outlets, Pennsylvania CISO Robert Maley was either fired or resigned under pressure following an appearance at RSA Conference 2010.
It has been widely reported that the man credited with building Pennsylvania’s information security program from scratch lost his job because, at RSA, he revealed a design flaw in the commonwealth’s driver’s exam-scheduling Web application. SearchSecurity.com alum Dennis Fisher writes on ThreatPost.com that Maley’s firing is bad for the industry, and while it is hard to argue with any of Fisher’s points, some important details have so far been overlooked.
At RSA, Maley not only spoke on a panel with other state CISOs but also led his own session on changing the culture of application security. SearchSecurity.com attended that session. The first thing Maley noted was that a travel ban was in place for Pennsylvania officials because of the state’s economic troubles, which barred him from speaking in an official capacity. He then said he was at RSA on “vacation.” Considering that the content of his talk focused entirely on his work as Pennsylvania CISO, it is not a stretch to believe that alone would have been grounds for his dismissal.
Beyond the exam-scheduling application issue, Maley also discussed a number of other security problems within his organization that may not have pleased officials back home, including past SQL injection attacks on state websites, a control weakness in an open Lotus Notes system that could have led to a system compromise, and a 2008 cross-site scripting vulnerability in a voter registration website that exposed voters’ personal information.
Yet what is especially odd about the timing is that Maley delivered a similar presentation at the RSA Conference in 2009. Why did the talk cost Maley his job now? Sources speculate that it was a combination of violating the state travel ban and choosing to discuss the exam-scheduling application issue, which is still under investigation. Maley himself has discussed at length the political upheaval his state-wide security policy changes have caused, so he surely was not in the business of making friends in Harrisburg. It is easy to see how, once word of his RSA appearance got out, there were plenty of people ready and waiting to drop a dime on him. So it stands to reason that even in information security, politics is still politics.