Results 1 to 1 of 1

Thread: Government employees produce buggiest software

  1. #1
    Advanced User Jewel Thief Champion, Super Mario Flash Champion, Quick Shoot Champion, Mafia Driver Champion ParamouR's Avatar
    Join Date
    01.09.10
    Location
    Third Rome
    P2P Client
    µ
    Posts
    762
    Activity Longevity
    3/20 11/20
    Today Posts
    0/5 ssssss762

    Government employees produce buggiest software


    Government employees produce buggiest software


    Chris Wysopal of Veracode is to give a talk at the Black Hat Europe security conference in Amsterdam later this week, where he will reveal his company's findings that software produced by the U.S. government is much more likely to be vulnerable to security attacks than those created in the private sector, reports Forbes.

    Wysopal is security researcher and chief technology officer of Veracode, which is a bug-hunting firm. Wysopal and his company analyzed 9,910 software applications during the second half of 2010 and 2011, using a process that automatically scanned them for errors that hackers could use to compromise a website or PC.

    According to their findings, a full 80 percent of applications from both the private and public sectors failed Veracode's security criteria. However, the government software definitely performed worse: Veracode found that only 16 percent of government web applications met the standards of the Open Web Application Security Project (OWASP), compared to 24 percent of finance industry software and 28 percent of commercial software. When evaluating offline applications using criteria from SANS, a security-focused education group, the study found 18 percent of government applications passed, compared to 28 percent in the finance industry and 34 percent for commercial software.

    Digging deeper into specific vulnerabilities of web applications, Veracode attempted SQL injections, and found that 40 percent of government web apps were vulnerable to this form of attack, compared to 29 percent in the finance industry and 30 percent in the commercial software industry. Cross-site scripting, where the attacker injects his own code into a website, worked on 75% of government applications, compared to 67 percent in the finance industry and 55 percent of commercial software.
    "The government acts like security is the problem of the commercial sector and they're going to regulate everyone," Wysopal said. "But if you look at this, private industry is definitely ahead of government."

    According to Wysopal, the problem comes down to an oversight in the regulations for government software, which are set by the National Institute of Standards and Technology. "We're zeroing in on the application layer, but that's something that's been pretty much ignored in the government space," Wysopal said. "They don't take a risk-based approach. They take a compliance-based approach. If it's not in the regulations, it doesn't get done."
    Last edited by ParamouR; 15.03.12 at 19:43.
    Show respect to all people, but grovel to none​


    Reply With QuoteReply With Quote
    Thanks

Tags for this Thread

Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts
  •  

1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 54 55 56 57 58 59 60 61 62 63 64 65 66 67 68 69 70 71 72 73 74 75 76 77 78 79 80 81 82 83 84 85 86 87 88 89 90 91 92 93 94 95 96 97 98 99 100 101 102 103 104 105 106 107 108 109 110 111 112 113 114 115 116 117 118 119 120 121