Code Reviewed, Systems A Go: Successfully Transitioning a State's Core Tech In-House

The customer:

An Australian state independent statutory authority (further referenced as 'The Authority').

The challenge:

Following the purchase of a third-party’s system and before bringing said system in-house, The Authority required an independent review of the system’s code to identify and remediate any issues. 

The solution:

NCC Group conducted a comprehensive code review. 

The benefits:

By substantially reducing residual cyber risk, NCC Group gave The Authority the assurance and confidence it required to take full ownership of a business-critical system. 

An Australian state independent statutory authority bought a third party’s system – an integral cog of the Australian election machinery – with the intention of bringing it in-house.  Accountable for executing the election process, The Authority required absolute control over the platform.  

Given the system was business critical to executing a fair and democratic election, before initiating the transition and taking full ownership, The Authority required an independent review of the system’s code to identify and remediate any issues. At the same time, The Authority was also onboarding a new third-party provider, responsible for the ongoing management of the code.   

To tackle this challenge, The Authority issued a closed request for services to identify a trusted partner capable of conducting a comprehensive code review. After evaluating the options, they selected NCC Group, a globally recognised cyber security and risk management firm, to carry out the engagement. 

NCC Group's role was clear: provide an independent and in-depth analysis of the system’s code to identify potential security vulnerabilities, remove hard-coded references, and remediate all issues in time for The Authority to take ownership. 

Over the space of 12 months, NCC Group conducted a methodical deep dive into the code. The review also encompassed a comprehensive assessment of the code's functionality to ensure it would seamlessly operate under The Authority’s management.

Despite the time-sensitive nature of the review and the large volume of code involved, the outcome of this engagement ensured a successful transition. After 12 months of analysis, NCC Group completed the code review, enabling The Authority to take full ownership of the system four months prior to its next requisite date of deployment. 

The key quantifiable value delivered by NCC Group’s solution was the substantial reduction of residual cyber risk. The Authority now had the assurance that, upon taking full control of the system, they were not inheriting any security risks or operational issues from the previous owner that could potentially disrupt its operations. 

With the code now fully compliant with the OWASP coding standard and The Authority’s requirements, The Authority was confident of the system’s ability to function seamlessly during the next election.  Most importantly, it gave them peace of mind to proceed with using one of their most crucial systems in a highly public process, knowing they were fully prepared to provide a successful, fair, and transparent service.

In conclusion, the collaboration between The Authority and NCC Group was instrumental in ensuring a smooth and secure transition, ultimately enabling The Authority to confidently take ownership of a system that would play a pivotal role in successive Australian state elections.