SLI Compliance offers end-to-end security test methods designed to validate the security and privacy of all aspects of your system. We focus on vulnerabilities that could compromise confidentiality, integrity, and availability in each aspect of your system: voter experience, election official experience, servers, and websites. Where risks are identified, we itemize corrective actions and compensating controls, including system configurations and architecture that can mitigate concerns.
SLI Compliance security services include testing and validation of the following:
- Voter Registration
- Ballot Creation
- Transmission of Ballots and Receiving of Marked Ballots
- Recording and Tallying of Results
- Voter Confidentiality
- Audit/Recount Process
- Susceptibility to Hacking
- Denial of Service
- Modification of Results
- Penetration Testing
- Insertion of Trojan Horses
- Ballot Stuffing
- Modification of the Ballot
- Votes Marked
SLI Compliance security staff conduct analyses to ensure the security techniques being used in the system are valid and that effective security procedures are contained in the design.
Security features are compared for validity against industry-standard techniques, and we ensure techniques being used are effective as built and recommend enhanced techniques where needed. The end-to-end security process is reviewed to identify any weaknesses in the security chain, and we pay particular attention to any aspects of the overall design that could place the system at risk.
Security Software Reviews:
Source code is subjected to analysis using various tools to determine possible security risks. SLI checks the system to confirm methods exist to prevent issues like buffer overflows, pointers not being freed, penetration attacks, and unauthorized insertions of code.
Security algorithms and policies are reviewed to validate correct implementation. Our experience shows that industry-standard algorithms may be present, but if the policies are not correctly implemented, the system may not be as secure as stated.
Finally, we ensure that the code contains no hidden functionality, such as Trojan horses, conditional compilation flags, test flags, or hardcoded passwords.
Trusted Builds:
The final reviewed source code is compiled and tested using a trusted build process to ensure that a clean environment is used, and only approved elements go into the build.
SLI Compliance will perform a Trusted Build using procedures provided by the voting system vendor, where source code is converted to machine-readable binary instructions (executable code) in a manner providing security measures that help ensure that the executable code is a verifiable and faithful representation of the source code.
When performing trusted builds, we use hash checking methods to confirm the software and data have not been modified in any manner from the originally tested baseline.