Background
The U.S. Postal Service continuously strives to improve its [redacted] to become more efficient and responsive to the dynamic market needs of its customers. To [redacted] application is used by over [redacted] is a business-critical application that generated over [redacted] total revenue in fiscal year 2022.
What We Did
Our objective was to evaluate whether the Postal Service had security controls in place to protect the application from cyberattacks, prevent unauthorized access to restricted data, and determine compliance with secure coding practices. We conducted a security assessment of the application including penetration tests to evaluate the application and internal security posture. We also performed a source code review to verify if appropriate security controls were present.
What We Found
Based on our testing, we found the Postal Service implemented network perimeter security controls that limit direct access to the application and help deter known web-based attacks. However, during our security assessment, we identified issues with [redacted]. These issues could lead to attackers gaining unauthorized access to the system to steal, modify, or delete sensitive data if perimeter controls are bypassed. These issues occurred because management did not [redacted]. Also, the Postal Service prioritizes the identification and remediation of vulnerabilities ranked critical and high over medium, low, and informational. However, [redacted], increases the risk of unauthorized access to the application. In addition, [redacted].
Recommendations
We recommended management develop guidance for performing [redacted] application; and [redacted].