Maley: Here’s How Firing REALLY Went Down

SANTA CLARA, Calif. — Former State of Pennsylvania CISO Robert Maley has been watching all the news about his firing for talking about a security incident without permission at last month’s RSA conference. He wants everyone to know that they shouldn’t believe everything they read and hear.

He began a talk on application security at CSO Perspectives 2010 Tuesday by going off topic and addressing the controversy head on.

He said he was at RSA while on vacation because the state had cut the security budget by 38 percent, eliminating things like conference travel. “Being responsible for securing the information of 12 million citizens, I always felt events like this one and RSA are huge because of what you can learn from others,” he said.

He said he chose to discuss a scam targeting the online driving test system at the Pennsylvania Department of Transportation as an example of how successfully the security program he built over three years worked. Because of state Website monitoring procedures, the incident was caught early, he said.

“By the time I talked about it at RSA, the matter was totally closed,” he said.

Contrary to public reports, Maley said he wasn’t fired specifically for talking about the incident. Rather, it was for disobeying an order his boss sent by e-mail telling him not to do such a thing again.

Since the firing, Maley has been described as everything from a martyr in the cause of full disclosure to a careless exec who should have known better. In a previous interview, he said his comments never put the state’s data at risk and he talked because he wanted to promote the success the state has made in the information assurance world. In a survey of CSO readers last week, most suggested his firing was justified because he knew the rules from the beginning.

Now that he’s a “former” CISO, Maley is continuing to speak out at conferences like CSO Perspectives, specifically on how to achieve application security.

He recounted some of the other incidents the state suffered in recent years, including a significant SQL injection attack that redirected citizens to malicious sites. Because of an app development process that did not prioritize security at the beginning, Maley said attackers had no trouble finding vulnerabilities in legacy applications to exploit.

“Security was not ingrained in the software development lifecycle, it was always about meeting the delivery date of new apps,” Maley said. “The legacy apps were horrendous.”

So Maley and his team fought to change the app development culture, emphasizing secure coding at the beginning of the process. The result was CA2 — the Commonwealth Application Certification and Accreditation program — patterned after the Department of Defense’s accreditation process for systems.

In an earlier interview on CA2, Maley said one of the challenges is that, like a lot of organizations, the state has to be mindful that a lot of Web-based apps are the target of cross-site scripting and SQL injection attacks. “We have to constantly search for things that can be exploited and mitigate the problems before something happens. The bad guys are escalating their SQL injection attacks. We see these attacks constantly, in the thousands,” he said at the time.

Now, whether a Web application is developed in-house or outsourced it now has to go through the CA2 process before going live. Part of that process is that the programs have to be pen tested, put through source code analysis and be monitored closely after deployment.

Asked about his future, Maley said he doesn’t have a new job yet. But he’s confident he won’t have to wait long.