Government employees produce buggiest software

Chris Wysopal of Veracode is to give a talk at the Black Hat Europe security conference in Amsterdam later this week, where he will reveal his company's findings that software produced by the U.S. government is much more likely to be vulnerable to security attacks than that created in the private sector, reports Forbes.

Wysopal is a security researcher and the chief technology officer of Veracode, a bug-hunting firm. Wysopal and his company analyzed 9,910 software applications during the second half of 2010 and 2011, using a process that automatically scanned them for errors that hackers could use to compromise a website or PC.

According to their findings, a full 80 percent of applications from both the private and public sectors failed Veracode's security criteria. However, the government software definitely performed worse: Veracode found that only 16 percent of government web applications met the standards of the Open Web Application Security Project (OWASP), compared to 24 percent of finance industry software and 28 percent of commercial software. When evaluating offline applications using criteria from SANS, a security-focused education group, the study found 18 percent of government applications passed, compared to 28 percent in the finance industry and 34 percent for commercial software.

Digging deeper into specific vulnerabilities of web applications, Veracode attempted SQL injections, and found that 40 percent of government web apps were vulnerable to this form of attack, compared to 29 percent in the finance industry and 30 percent in the commercial software industry. Cross-site scripting, where the attacker injects his own code into a website, worked on 75 percent of government applications, compared to 67 percent in the finance industry and 55 percent of commercial software.
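As an added illustration, not from the article or from Veracode's scanner, the two web-application weaknesses the study measured are shown below in Python, each as the defect a scanner would flag next to the fix that removes it. The users table, its rows and the lookup functions are constructed for this example; `sqlite3` and `html` are Python standard-library modules.

```python
import html
import sqlite3


def build_db():
    """Constructed sample data: a tiny in-memory users table (not real records)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT, email TEXT)")
    conn.executemany(
        "INSERT INTO users (name, email) VALUES (?, ?)",
        [("alice", "alice@example.org"), ("bob", "bob@example.org")],
    )
    return conn


def lookup_vulnerable(conn, name):
    # Defect: the query is assembled by string concatenation, so whatever the
    # caller passes as `name` is parsed as SQL syntax rather than as a value.
    sql = "SELECT name, email FROM users WHERE name = '" + name + "'"
    return conn.execute(sql).fetchall()


def lookup_safe(conn, name):
    # Fix: a parameterized query. The driver sends the SQL text and the value
    # separately, so no input can change the structure of the statement.
    return conn.execute(
        "SELECT name, email FROM users WHERE name = ?", (name,)
    ).fetchall()


def render_vulnerable(name):
    # Defect: the value is reflected into HTML unescaped, so markup inside it
    # (a <script> element, an event handler attribute) is interpreted by the browser.
    return "<p>Hello, " + name + "</p>"


def render_safe(name):
    # Fix: escape the HTML-significant characters (& < > " ') so the browser
    # renders the input as text only.
    return "<p>Hello, " + html.escape(name, quote=True) + "</p>"


if __name__ == "__main__":
    db = build_db()
    # A tautology probe of the kind automated scanners send: the vulnerable
    # lookup returns every row, the parameterized one returns none.
    probe = "x' OR '1'='1"
    print("vulnerable:", lookup_vulnerable(db, probe))
    print("safe:      ", lookup_safe(db, probe))
    markup = "<script>alert(1)</script>"
    print("vulnerable:", render_vulnerable(markup))
    print("safe:      ", render_safe(markup))
```

The scanner's pass/fail judgement in the article corresponds to the difference between the two halves: the same input either reaches the database as data and the browser as text, or it reaches them as syntax.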

"The government acts like security is the problem of the commercial sector and they're going to regulate everyone," Wysopal said. "But if you look at this, private industry is definitely ahead of government."

According to Wysopal, the problem comes down to an oversight in the regulations for government software, which are set by the National Institute of Standards and Technology. "We're zeroing in on the application layer, but that's something that's been pretty much ignored in the government space," Wysopal said. "They don't take a risk-based approach. They take a compliance-based approach. If it's not in the regulations, it doesn't get done."

35 Comments

OK, sure, fine, the article calls out gov't as being ****ty.

But what draws MY attention is the percentage of financial sector businesses who have ****ty security.

Who are the firms that passed? Can I get a list to ensure I'm not working with businesses that can be taken down by little bobby tables?

bguy_1986 said,
anybody remember the whole episode with government student loans??? What a joke that website was/is!

What? That entire project is amazing. They took all of my student loans from 6 different banks that kept reselling them to various people and consolidated them into a single loan with an even lower interest and monthly payment. Now my total principal is falling twice as fast because I am overpaying with the same monthly amount I used to. Most government projects seem to do poorly at what they are meant to do, but not the student loans.

ILikeTobacco said,

What? That entire project is amazing. They took all of my student loans from 6 different banks that kept reselling them to various people and consolidated them into a single loan with an even lower interest and monthly payment. Now my total principal is falling twice as fast because I am overpaying with the same monthly amount I used to. Most government projects seem to do poorly at what they are meant to do, but not the student loans.

I was talking about the website. They re-did it, and it didn't work for like a month, and then there was a pretty large security issue with it.

Just another reason why the government needs to be cut... Huge waste of taxpayer dollars! Government needs to be run more like a business instead of the huge mess we have now with budgets (if we even get one) that don't mean ****...

Haha, black hats yet they've never seen some of the custom GOTS stuff like 8 ball... They know nothing.

Government contractors seem to produce the worst crap too. Here in Finland there's a handful of companies who seem to get all government contracts for software despite having a track record of producing awful ****, year after year.

That said, I wouldn't be surprised if much of it was also due to the software being designed by committees and poor specs. A lot of it is due to pure incompetence though as the systems are not always so advanced that it should take years to make them and cost millions.

LaXu said,
Government contractors seem to produce the worst crap too.

Why would they do better with the money invested ?

You can't build a 1 000 000 house with only 100 000.

I am surprised by this. I wouldn't have expected such a difference between gov't and private sector app security. But I will say our company has invested in security training for all the developers, and in 3rd party security testing contracts. I don't know if the gov't could afford to do that, as large as it is.

Tuishimi said,
I am surprised by this. I wouldn't have expected such a difference between gov't and private sector app security. But I will say our company has invested in security training for all the developers, and in 3rd party security testing contracts. I don't know if the gov't could afford to do that, as large as it is.

Right now the government can't afford toilet paper...

Tuishimi said,
I am surprised by this. I wouldn't have expected such a difference between gov't and private sector app security. But I will say our company has invested in security training for all the developers, and in 3rd party security testing contracts. I don't know if the gov't could afford to do that, as large as it is.

Would be real easy for the government to afford it, but they've turned into the largest employer of the lazy and stupid people. ****-can them and a bunch of other government programs that aren't doing any good (like the DOE) and we'll be looking better...

Tuishimi said,
I am surprised by this. I wouldn't have expected such a difference between gov't and private sector app security. But I will say our company has invested in security training for all the developers, and in 3rd party security testing contracts. I don't know if the gov't could afford to do that, as large as it is.

Yes it could.

But then people would complain it cost too much.

Gov't employees are left on their own.

I've worked for both the private sector and gov't (around 800-1000 employees). And let me tell you this. In the private sector (big companies) you get training and you get people in charge of security and the db schema. In the gov't sector you are on your own.

When you ask a 30 000$ a year technician to do the db schema, analysis, programming, security, support, documentation, etc... well, you get what you paid for, i.e. bad software.

I went to the local DFC office and saw a PC running Windows 2000 with a WU prompt on the screen. Something tells me they haven't updated it since their "IT dept" installed it. I can't even imagine the other crap on it, but if I had to guess, I'm willing to bet there's an old, unpatched Adobe Reader and 38493843 Java "updates".

This is also a quite common issue at private companies. Speaking of Windows 2000, I recently had a client (medium business) who hadn't installed a single security update and was using this computer for banking, finances, etc. You'd be amazed how much crap I found on that network.

Alladaskill17 said,
Shocker... the not so highly paying (i.e. non commercial) coding isn't the most well written software.
Wrong. I'm personally aware of many government IT contractors, including developers, who are very overpaid. I can't speak to the quality of any code being generated but I absolutely know they are overpaid for the task at hand. Inefficiency is the cornerstone of government work.

Tim Dawg said,
Wrong. I'm personally aware of many government IT contractors, including developers, who are very overpaid. I can't speak to the quality of any code being generated but I absolutely know they are overpaid for the task at hand. Inefficiency is the cornerstone of government work.

+1, Anyone that thinks the public sector is underpaid relative to their private sector counterparts is a bit out of the loop... LOL

There is a saying in software development. Cheap, fast, quality. You can only choose 2. Apparently this doesn't apply to the government's software projects. They are slow to get anything done, it costs a fortune, and turns out like crap.

ILikeTobacco said,
There is a saying in software development. Cheap, fast, quality. You can only choose 2. Apparently this doesn't apply to the government's software projects. They are slow to get anything done, it costs a fortune, and turns out like crap.

So you can actually get Cheap, quality software? Show me where please..

recursive said,

So you can actually get Cheap, quality software? Show me where please..

If you're willing to wait a long time for it. Look at some of the free projects out there. This is a rather common and simple understanding in business...

recursive said,

So you can actually get Cheap, quality software? Show me where please..

Apache Webserver. Free and very good quality. It has taken years of development to make that happen though. As M_Lyons10 said, open source projects are free and can be very good, but because they are made by people not usually paid to make them, it is done during their spare time making the project take much much longer.

Just going to re-post this...not the employees fault necessarily.

"According to Wysopal, the problem comes down to an oversight in the regulations for government software, which are set by the National Institute of Standards and Technology. "We're zeroing in on the application layer, but that's something that's been pretty much ignored in the government space," Wysopal said. "They don't take a risk-based approach. They take a compliance-based approach. If it's not in the regulations, it doesn't get done."

thornz0 said,
Just going to re-post this...not the employees fault necessarily.

"According to Wysopal, the problem comes down to an oversight in the regulations for government software, which are set by the National Institute of Standards and Technology. "We're zeroing in on the application layer, but that's something that's been pretty much ignored in the government space," Wysopal said. "They don't take a risk-based approach. They take a compliance-based approach. If it's not in the regulations, it doesn't get done."

That's very much accurate, and it applies to almost everything the government does. Employees don't want to get in trouble for doing the wrong thing, so to protect themselves they follow the regulations. If people are upset about why the government does something a certain way, you have only to look at the people that write the regulations that guide everything we do, and those regs are often written by Congress.

Not surprising at all... Government workers are some of the dumbest, laziest people I've ever had the misfortune of working with.

BTW, BAN THAT SPAMMER!!!

Hmmmm......I wonder if he took into account that a lot of government apps are written by non-government people?

NPGMBR said,
Hmmmm......I wonder if he took into account that a lot of government apps are written by non-government people?

And the ones that are have to be developed following very strict guidelines put in place by the government no doubt... Likely way behind the times and restrictive to the point of forcing insecurity...

NPGMBR said,
Hmmmm......I wonder if he took into account that a lot of government apps are written by non-government people?

My company is contracted w/ the government, so our programmer is a non-government person. While we do have guidelines to follow, security is paramount. Our programmer is also certified in 'secure programming', so to speak. Also, our customer constantly scans our sites for vulnerabilities and we are forced to fix any within a certain timeframe. As an added precaution, we have our own penetration testing software we use against our own applications and websites.

M_Lyons10 said,

And the ones that are have to be developed following very strict guidelines put in place by the government no doubt... Likely way behind the times and restrictive to the point of forcing insecurity...

Of course there are guidelines, however, I can't say if they are very strict or anything like that. However, what I do know is that all the work to develop apps for my bureau is done by organizations that we hire to do the work because a lot of government IT positions outside of network administration have been eliminated.

Not surprised. Every Government web application I've been forced to use, or forced to support a user in using, was an absolute nightmare.

MrHumpty said,
Not surprised. Every Government web application I've been forced to use, or forced to support a user in using, was an absolute nightmare.

Yeah, the ones I've used crash under normal use. You don't even need to be trying to do anything...