Chris Wysopal of Veracode is to give a talk at the Black Hat Europe security conference in Amsterdam later this week, where he will reveal his company's findings that software produced by the U.S. government is much more likely to be vulnerable to security attacks than software created in the private sector, reports Forbes.
Wysopal is a security researcher and the chief technology officer of Veracode, a bug-hunting firm. Wysopal and his company analyzed 9,910 software applications during the second half of 2010 and 2011, using a process that automatically scanned them for errors that hackers could use to compromise a website or PC.
According to their findings, a full 80 percent of applications from both the private and public sectors failed Veracode's security criteria. However, the government software definitely performed worse: Veracode found that only 16 percent of government web applications met the standards of the Open Web Application Security Project (OWASP), compared to 24 percent of finance industry software and 28 percent of commercial software. When evaluating offline applications using criteria from SANS, a security-focused education group, the study found 18 percent of government applications passed, compared to 28 percent in the finance industry and 34 percent for commercial software.
Digging deeper into specific vulnerabilities of web applications, Veracode attempted SQL injections and found that 40 percent of government web apps were vulnerable to this form of attack, compared to 29 percent in the finance industry and 30 percent in the commercial software industry. Cross-site scripting, where the attacker injects his own code into a website, worked on 75 percent of government applications, compared to 67 percent in the finance industry and 55 percent of commercial software.
"The government acts like security is the problem of the commercial sector and they're going to regulate everyone," Wysopal said. "But if you look at this, private industry is definitely ahead of government."
According to Wysopal, the problem comes down to an oversight in the regulations for government software, which are set by the National Institute of Standards and Technology. "We're zeroing in on the application layer, but that's something that's been pretty much ignored in the government space," Wysopal said. "They don't take a risk-based approach. They take a compliance-based approach. If it's not in the regulations, it doesn't get done."