Who do you think produces the buggiest computer code? Some would say Microsoft, others would say Apple, but the winner of this prestigious award actually goes to the state:
Humans aren’t generally very good at writing secure code. But it seems they’re even worse at it when they’re an employee of a government bureaucracy or hired as unaccountable federal contractors.
In a talk at the Black Hat Europe security conference in Amsterdam later this week, security researcher and chief technology officer of bug-hunting firm Veracode Chris Wysopal plans to give a talk breaking down the company’s analysis of 9,910 software applications over the second half of 2010 and 2011, automatically scanning them for errors that a hacker can use to compromise a website or a user’s PC. And one result of that analysis is that government software developers are allowing significantly more hackable security flaws to find their way into their code than their private industry counterparts.
According to Veracode’s analysis across industry and government, fully eight out of ten apps failed to fully live up to the company’s security criteria. But breaking down the results between U.S. government and private sector software, the government programs, 80% of which were built for federal agencies rather than state or local, came out worse. Measuring its collection of apps against the standards of the Open Web Application Security Project or OWASP, Veracode found that only 16% of government web applications were secure, compared with 24% of finance industry software and 28% of commercial software. And using criteria of the security-focused education group SANS to gauge offline applications, the study found that 18% of government apps passed, compared with 28% of finance industry apps and 34% of commercial software.
Anybody will tell you that proper computer security is hard, but apparently it’s even harder when you’re an employee of a huge unaccountable entity that likes to throw money around like confetti at a wedding. It’s a good thing the state hasn’t claimed a monopoly on writing software yet; otherwise we’d be begging for a return of Windows ME.