How A Flaw In VA Software Was Found

Researcher Describes 'Adversarial Security Analysis'

Security analyst Doug Mackey says his discovery of a vulnerability in the Department of Veterans Affairs' VistA electronic health record system highlights the importance of software security testing.

"It's very important to conduct proper adversarial security analysis of your software in addition to penetration testing," he says.

Mackey, a former security analyst for Australia's Department of Defense, conducted his research on the VA's open source software as part of his graduate work in information security at the Georgia Institute of Technology.

The vulnerability he discovered in the VA's Veterans Health Information Systems and Technology Architecture software was related to its remote messaging capabilities, he says. The flaw was introduced into the software in 2002 and remained undetected for more than a decade until Mackey identified it in June, he claims.