Forgot your password?
typodupeerror
Government Bug Programming Security Your Rights Online

Study Confirms the Government Produces the Buggiest Software 135

Posted by samzenpus
from the too-many-cooks dept.
Sparrowvsrevolution writes in with a link to a Forbes story about the lackluster code produced by government agencies."Humans aren't very good at writing secure code. But they're worst at it when they're paid to do it for the U.S. government, according to a study that will be presented at the Black Hat Europe security conference in Amsterdam later this week. Chris Wysopal, chief technology officer of bug-hunting firm Veracode plans to give a talk breaking down a vulnerability analysis of 9,910 software applications over the second half of 2010 and 2011. Government-built applications came out far worse than those created by the commercial software industry or the finance industry. Only 16% of government web applications were secure by OWASP standards, compared with 24% of finance industry software and 28% of commercial software. By SANS standards, only 18% of government apps passed, compared with 28% of finance industry apps and 34% of commercial software. Wysopal and others blame the difference on a lack of accountability of federal contract developers, who aren't held to security standards and are even paid extra to fix their bugs after creating them."
This discussion has been archived. No new comments can be posted.

Study Confirms the Government Produces the Buggiest Software

Comments Filter:
  • And you thought it was Microsoft...

    • Re:Hah! See? (Score:5, Insightful)

      by Jeremiah Cornelius (137) on Wednesday March 14, 2012 @02:01PM (#39355285) Homepage Journal

      Private contactors, low-bidding, on the public's dime.

      "We'll be here forever, boys. No need to get it right the first time."

      • by Anonymous Coward

        Bidding?!

        There ain't no business like no-bidness.

        -- Ethanol-fueled

      • by Pope (17780)

        "It isn't government work if you don't do it twice!" Jerry Gergich

      • by Anonymous Coward

        Uhh.. did you even read the summary? The private sector was only had an additional 8% that was secure. That's so low of a difference it may even be within the margin of error.

    • Re: (Score:3, Insightful)

      by Anonymous Coward

      On the contrary. Profit motive is exactly what caused this problem.
      Contractors, motivated to get the greatest revenue for the least cost (time, effort, materials, whatever), created crap software. Since they don't suffer from producing crap software, they were simply working in their own (narrow view) best interest.

      Perhaps if you were to hire employees that had motive to ensure the long term success of of a project (recognition, keeping your job) you'd get better results..

      • by MightyYar (622222)

        So draft the contract such that the government (or some agent of the government... another bidder?) gets to report bugs and the service is not complete until the bugs are gone. Sure the bids will cost more, but it seems like an easy way to solve this particular problem.

        • by Anonymous Coward

          Few small challenges. 1st, you put that in the RFP, not just the proposal. Second, FAR's require a fixed period of performance for all contracts. Third, you sure as fuck don't want this on a service contract, or you'll get nothing but a level of effort from the contractor. Fifth, define "bugs". Sixth, do you really want to continue to pay $slimy_contractor to fix bugs that don't cause a real problem. Seventh, that still doesn't in any way give you any hope of actually getting a usable product. Your response

          • by MightyYar (622222)

            You completely misunderstand. They would certainly not get paid to fix bugs, and in fact the full payout would be withheld until they were fixed.

            Do we really need to define bugs in a Slashdot forum? I suspect it would take pages of legalese and probably involve an arbitration mechanism.

            • by PGGreens (1699764)
              So how would you determine when the program is "bug free" or even "bug free enough"? I'm not sure a contractor would accept a flat payment to be received at the tail end of an indefinite span of bug fixes. But then again, maybe they would. Somebody tell me.
              • by MightyYar (622222)

                I'm not sure how you would define "bug free", but I imagine some language could be constructed that would add only 3 or 4 pounds to the final draft. :) My inclination would be to hire a 3rd party on another contract that gets paid per found bug, with some kind of arbitration when disagreements arise.

        • by Rich0 (548339)

          So draft the contract such that the government (or some agent of the government... another bidder?) gets to report bugs and the service is not complete until the bugs are gone.

          Yeah, but would the guy writing the contract want to do that to the nice guy who takes 12 senators per month out to a really nice lunch, and makes sure they're always stocked with the latest gadgets/etc?

      • Re: (Score:3, Insightful)

        by Vaphell (1489021)

        when both sides of the deal look after their interests, results tend to be a good bang for the buck spent. Government has no vested interest in getting a good deal and because of that it pretty much asks for being milked dry. On top of that the waste more often than not is rewarded with even more money in next year's budget.

        • by rmstar (114746)

          Government has no vested interest in getting a good deal and because of that it pretty much asks for being milked dry.

          Why is that? Just because you say so? What is that "government" you are talking about?

          Government officials have a natural tendency, like anybody else, of trying to do a job they can be proud of. There are many reasons why they don't manage (just look at the Jefferson County disaster [rollingstone.com]). But lack of interest in good results by officials is currently not the most important one.

        • by skids (119237)

          Actually initial attitudes come into play here as well.

          If there's a bagel shop that is owned by a guy who only catches 15% of shoplifters, and one which is owned by a guy who catches 25% of shoplifters, but the second guy has a reputation for getting his bagels lifted, shoplifters will go to the second guys shop preferentially, and he'll have more bagels shoplifted despite his vigilance.

          As long as there is a general attitude that government == "cash cow" among the private contracting sector, whether or not

      • by El Torico (732160) on Wednesday March 14, 2012 @03:16PM (#39356415)
        The profit motive is part of it, but only a part. Usually, the customer has undefined or poorly defined requirements and grossly incompetent management. I was once part of a program in which the government representative refused to provide the security standards and criteria that the system would be judged upon. We had conflicting standards to reconcile and every request for guidance or additional information was ignored.
        That was only part of the problem. The network design was provided by the government and it was a complete mess; we couldn't change it either.
    • by gVibe (997166)
      I second that.
    • Close - the government contractors certainly derive plenty of profit from the system. The problem is that they're 'government contractrors' - it's not a free market. With the market distortions in place that the governments set up, the profit motive in insufficient to produce quality. You need a competitive market for that.

  • Contractors (Score:5, Interesting)

    by Anonymous Coward on Wednesday March 14, 2012 @01:48PM (#39355083)

    Unfortunately, all the outsourcing going on in the Government (because it's easier to get money for a contract than to hire a developer on a permanent basis) is what's really killing the code here. Most outsourcing firms have a "throw the code over the wall" attitude, and spend more time deflecting blame for bugs than trying to fix them. I can't think of a business where there's less accountability than Government contracting, except possibly foreclosure management....

    • Re:Contractors (Score:5, Informative)

      by BenEnglishAtHome (449670) on Wednesday March 14, 2012 @02:42PM (#39355901)

      I just retired from a long IT career with a fed TLA.

      In all that time, there were two projects that stood out in my mind the most.

      For the first one, a division needed software to automate their primary tasks. If such software could be implemented, it would essentially be where 20,000 people a day spent all their time and brought in billions of dollars. The solution they decided on was to survey the end users who were tired of doing everything on paper, find the ones who were the acknowledged computer geeks, then let them design and write the program. They actually turned field civil law enforcement officers into SAs and analysts and coders and let them build what they needed. It took years but when it was done, it was a thing of functional beauty. Actually, it was ugly as hell but it so perfectly met the needs of the field officers that I know of several who actually delayed their retirements so they could spend more time doing a job that was fun again because all the drudgery had been automated away.

      Most. Successful. Project. Ever.

      The other one I remember was the same sort of thing, a program that some 70,000 would spend all their time in. It was buggy from the start. The people who had to use it hated it. Every upgrade broke reports from the previous version. It was, obviously, done by contractors. At one point, development halted for almost 18 months because someone dropped a dime on the contract developer and their entire staff of Indian programmers with expired visas had to pack up and go back to Asia. The contractor folded up shop and getting another to step in, untangle the mess, and start moving forward was a royal pain.

      My point?

      Sometimes, coder skill is meaningless. If you have developers and architects and all those other job titles involved in software development who actually work for the government because, at least in part, they are proud to serve their country...then you get better software.

      Government software should be created by government employees, not contractors.

      Now I'll go back to my place in the 1950s, where I'm sure many of you will say I belong.

      • by Anonymous Coward

        i think it's unfair to judge all contractors as such. i've seen government employees sit on their ass because it's damn near impossible to fire them and they can't be matrixed or anything, so they just coast the last few years til retirement. i've seen contractors work their ass off because they have to basically re-bid every year to keep their job and there is always competition from another contractor that wants that job. Contractors have to keep proving themselves. Government doesn't. The real problem ar

        • 100% no doubt. I've said time and time again I can fix a lot of state IT if I could do two things:
          1. Fire people like it was the private sector
          2. Pay competitive wages for new hires

          What a lot of people don't realize about the gov, especially in IT, is if you take any 5 gov IT employees 2 are underpaid worthless cretins that should lose their job but the manager doesn't have 40 hours a week just to document their deficiencies because he/she is actually working. 2 are making what they're worth but are un
          • Re:Contractors (Score:4, Informative)

            by geekoid (135745) <dadinportland@ya[ ].com ['hoo' in gap]> on Wednesday March 14, 2012 @05:01PM (#39357695) Homepage Journal

            1. See, that's the PROBLEM with the private sector. One you can just fire people, you end up with an entrenched attitude of 'Do what I say or else'. Which is fine for a genius like you, but mostly you end up with a high turn over rate.

            Making it difficult mean people can speak up. They can tell a bureau chief why they are wrong and not get fired. THIS is what bring quality, depth of knowledge, and honest opinions and view out into the open.

            Contrary to what a lot of people thing, it isn't impossible to fire someone. It make take time, becasue they treat their employees like that are human beings

            2. the wages aren't horrible. I could make 30% more in the private sector, but my benis are solid, and I like having a life.

            The rest of your post is just ignorant. I've seen peopel get fired. It went like this

            1) Bad review with detailed list of whats wrong* I've seen people change the work attitude at this point and become better employees.

            2) Verbal warning after 3 months. *again,. seen poeple change at this point

            3) written warning - never seen anyone recover from here

            4) out the door. 3-6 months, and this includes union.

            What really helps is the 9 months grace period. Frankly, if you are lazy, you won't make it 9 months without the become obvious.

            • Most of the people in IT in government have been around far longer then 9 months. While I move around on average every 3 years or so to keep a skill set current and move onto to other projects or opportunities, many, if not most, of gov IT has been around for years and years in the same place.

              Are there managers that do that BS firing because they don't like people? Yes. Are they the minority? Yes.

              Does the private sector have places taht take advantage of IT work force? Absolutely. Does the private sec
      • by f97tosc (578893)
        I think in general it is very difficult to have two groups of separate people, one who understands the problems, and another who understands how to write code.

        IN theory you let the users write down a list of specifications, but it rarely works into problems. You always run into trade-offs and conflicts involving functionality vs complexity for example, only somebody who understands both the software and the problem situation can resolve this well.

        I agree with you that the best solution is to have the
      • by Tridus (79566)

        You're absolutely right. I work as a programmer for the government and I see the same thing. The stuff that's built in house by any department (not just ours, but I think we do good work) tends to be better. We don't get paid extra to fix bugs - we just get unhappy users and lousy performance reviews for having lots of bugs. As part of the department we actually learn the business and can thus do a better job.

        The stuff made by contractors is made to specification, if you're lucky. The problem is that the sp

  • I can attest to this (Score:5, Interesting)

    by Reverand Dave (1959652) on Wednesday March 14, 2012 @01:49PM (#39355107)
    I work for a government agency and I can swear this to be the absolute truth. I believe the reason to be a lot of politicking in management and not enough actual IT experience. No one wants to step on toes or else it might come back to bite you later when you need funds for a project so when user X asks for feature Y in software Z and there is no way it can be implemented without hacking together a mess of SQL query strings that may or may not work, well then you do it, because if you don't do it. User X may at one point be on a committee that can divert funds from your server or software upgrade budget.
    • by Carewolf (581105)

      So you can attest that government code quality is _SLIGHTLY_ more buggy than commercial code?? Notice the percentages, the wast majority of commercial code is complete crap too, the percentage is just _slightly_ higher for the government.

      Your story is the same story everywhere. Nothing special for the government only more common.

      • by Baloroth (2370816)

        So you can attest that government code quality is _SLIGHTLY_ more buggy than commercial code?? Notice the percentages, the wast majority of commercial code is complete crap too, the percentage is just _slightly_ higher for the government.

        Financial web applications are 50% more likely than government one to be secure, and commercial software is almost double the government stuff. That isn't _slightly_ that is significantly. Yes, the vast majority of code everywhere sucks, the government just sucks considerably (not slightly) worse than regular business software.

        • by Carewolf (581105)

          That is a valid perspective. I just considered anything below 90% secure (and this is not real security checks, just a check for really common mistakes) as so bad it doesn't really matter.

        • by scot4875 (542869)

          Financial web applications are 50% more likely than government one to be secure

          50% more than not very likely is still only slightly more likely.

          --Jeremy

      • I don't know where you get the slightly part from. I think that the reason commercial code is crap is fairly similar, but there are far fewer excuses in an enterprise where the point is to make money in the end. We unfortunately don't have the pressure.
    • by geekoid (135745) <dadinportland@ya[ ].com ['hoo' in gap]> on Wednesday March 14, 2012 @04:51PM (#39357597) Homepage Journal

      Did you read the report? no, of course you didn't. Unless you are explaining the code developed by the private sector for the government is marginal more buggy? And the the study is worth a damn.

      I work for a government agency. You're whole description sound a hell of a lot more accurate to my experience in the private sector then the public sector.

      Anecdotal experiences: Two Tales...

      Private sector:
      One time I got called on the carpet because I didn't list the names in my email address list in the 'appropriate order'. Putting a middle management person before the VP.. what nerve I have. I have many takes of correcting someone and being labels trouble maker. The financial sector sucks eggs.

      Public sector:
      Told a Bureaus head he was wrong, listed why. He Thanks me for speaking up and saving them from an expensive mistake.

    • by PCM2 (4486)

      I believe the reason to be a lot of politicking in management and not enough actual IT experience.

      I think one reason for this might be high barrier to entry. A lot of government jobs might require a security clearance (even a low one). That rules out some qualified people. And then, there's a little bit of the attitude that they want you to have "experience in the public sector." There's a similar attitude at many nonprofits, where they want you to have worked at/with other nonprofits before. There's nothing really wrong with this per se, but the effect is that it's public sector experience first, IT ex

  • by Anonymous Coward

    This program has performed an illegal operation and must be shut down.

    If the problem persists, contact the program vendor.

  • Yes. (Score:5, Interesting)

    by Cantide (743407) on Wednesday March 14, 2012 @01:51PM (#39355137)
    I was a software tester for the DoD and can confirm the stupidity here. (I can't really talk about the exact program but I can tell you with 100% certainty that it was mission critical.) We were contracted to run massive amounts of automated testing on the latest build of the software I was working on. Upon finding bugs, we needed to do regression testing... to decide if we would fix them in the latest build, because if they were present in previous versions we were under no obligation to do so unless specifically paid to do so.
  • by Iamthecheese (1264298) on Wednesday March 14, 2012 @01:51PM (#39355139)

    There are industry-common metrics for good code.

    With its focus on long-term outcomes, big budgets, and relatively stable personnel it seems to me non-outsourced government work would tend to produce better code.

    Part of the government wrote the code for the space shuttle, the most bug-free program ever written. Seriously, look it up, that code is amazing.

    The problem with these specific problems isn't with government but with improper requirements and possibly graft. These are much easier to fix on a local level than bad code in my not so humble opinion.

    • by mykepredko (40154) on Wednesday March 14, 2012 @02:09PM (#39355409) Homepage

      Actually, the Government had just about nothing to do with the Space Shuttle code.

      The group that did it was founded by IBM and has been passed around to a number of other vendors (I believe they have ended up at LockMart).

      I'm not sure if this supports or discourages your point.

      myke

    • by ColdWetDog (752185) on Wednesday March 14, 2012 @02:16PM (#39355507) Homepage

      Part of the government wrote the code for the space shuttle, the most bug-free program ever written. Seriously, look it up, that code is amazing.

      That's it! Get rid of those nasty high level languages and get back to the bare metal with assembly [wikipedia.org]. None of this new fangled junky stuff.

      Kids these days. Never learn anything from their betters.

    • by Tridus (79566)

      Contractors don't care about that stuff. They're there to build something as quickly as possible that meets the minimum spec so they get paid. Bugs just mean future work.

      • That's not true. There are poor developers in contracting, but most of the time the failure is within the communication between the people who will be the end-users and the people who will be implementing products. Developers can't anticipate every use of a software.

    • Part of the government wrote the code for the space shuttle, the most bug-free program ever written. Seriously, look it up, that code is amazing.

      And probably the most expensive software per line of code ever written (that delivered, of course).

      Most software shouldn't be that good (at least until we know how to prove software automatically). Better to cure malaria than make perfect timeclock software for the park police.

  • Laugh (Score:3, Funny)

    by koan (80826) on Wednesday March 14, 2012 @01:52PM (#39355163)

    Obvious loop hole...
    "and are even paid extra to fix their bugs after creating them."

    • by mcavic (2007672)

      and are even paid extra to fix their bugs after creating them

      There's no getting around that. Programmers have to eat too.

      • by ae1294 (1547521)

        There's no getting around that. Programmers have to eat too.

        PERL programmers don't...

  • The rules for government aquisition don't help. As there isn't any usefull formal metric for software quality, it normaly must settle with the cheapest competitor whoever it is, however it works.

    • by mini me (132455)

      I don't know about the US government, but I see things with my local government like: You need a degree in computer science to build a webpage. CS grads are generally not skilled in producing such works, so you end up either picking from the limited group of people who are, or more likely you choose someone who is not a good fit for the job and end up with poor results.

      • by geekoid (135745)

        That speaks volumes to your CS grads....

        • That speaks volumes to your CS grads....

          You mean how they aren't all expert web designers (distinct from web developers, i.e. programmers)? I have a computer science degree, and web design is far from a strength for me. I can create a web page that someone gives me a drawing for, but creating that drawing isn't something that all, or even most, computer science graduates are good at.

        • by omnichad (1198475)

          Have you ever seen a mostly-technical person try to design things? Obviously, if they have a clue about UI design they can at least follow web conventions for structure, but....they don't know what isn't ugly:
          Example: Illinois Department of Financial & Professional Regulation [idfpr.com]

    • by Anonymous Coward

      There is a useful formal metric, maintenance cost. The lowest price including both development and maintenance for the entire anticipated lifespan of the product should be used, not just the development rate. Unfortunantly, that's too rational, odds are the not yet approved metric for software quality will be something like 'whatever uses more RAM.'

    • by geekoid (135745)

      No it isn't. Please stop spreading your crap on everyone's toast.

    • by neonv (803374)

      Being in the defense industry, it matters how the software works. It has to perform well, be easy to use, and THEN costs are considered. Producing bad software also means no future contracts. The government doesn't throw contracts to anyone who says they can make something cheaply, they have to show competence, produce a cost schedule, and a detailed architecture plan. The government has lots of standards for software, depending on the area the software covers. The software industry also has standards

  • by SwashbucklingCowboy (727629) on Wednesday March 14, 2012 @01:55PM (#39355193)

    Reminds me of this Dilbert comic [dilbert.com]

  • Contractors (Score:4, Insightful)

    by betterunixthanunix (980855) on Wednesday March 14, 2012 @01:55PM (#39355201)
    My first though was, "Probably the work of contractors." Then I RTFA'd and had it confirmed:

    That institutional insecurity, says Alan Paller, researcher director of the SANS Institute, is the result of a private contractor system that actually rewards insecure coding. âoeThe consequences for private sector software writers who write insecure code in commercial software is high costs for patching along with substantial embarrassment for their companies and job insecurity for them,â he says. âoeIn contrast, the consequences for private sector software writers who write insecure code for the government is contract add-ons to fix the problem, and more revenue for their companies and job security for them.â

    • by Bogtha (906264)

      Yup. Government also produces the least buggy software. I believe NASA holds the record for fewest bugs per line of code.

  • by D4C5CE (578304) on Wednesday March 14, 2012 @01:56PM (#39355207)

    Die Expertise, ein gesamtes Programm zu programmieren, ist nicht vorhanden.

    Spokesman of the German Home Office (BMI, in charge of the "Federal Trojan Horse" exposed by the CCC [h-online.com]) at the Federal Press Conference 2011-10-12 [bundesregierung.de].

  • Not susprised at all (Score:3, Informative)

    by Anonymous Coward on Wednesday March 14, 2012 @01:58PM (#39355245)

    My first job was doing software for the federal government (mainly tools for tracking government property and assets and the nightmare of paperwork associated with them). It was _horrible_. It was a well paying job, great benefits, very relaxed (but political) environment .. but the atrocities committed to the art of software development combined with the painfully slow pace were unbearable.

    Everything was always caught up in red tape. Requirements were always wrong, outdated, or both. In a lot of cases there was no clear time frame or end plan for software .. that shit would get figured out when/if the project was finished. And projects were often arbitrarily cancelled. Stuff that was finished and deployed often went unused for various reasons.

    There was also an anti-change culture. Anything new was met with extreme resistance. Also there was this feeling that anything that improved our efficiency would decrease our staff. It wasn't entirely unfounded. Stuff was scheduled to take a certain amount of time. If it took less time, it wasn't like there was more work to fill in the holes.

    And the code. Wow. I think it's part because the federal government has a lot of co-op/student programs .. and part because most programmers that care about software quality got the hell out of there (like I did) .. but the code that came out of my department was.. terrifying. Thankfully these were internal apps. Database queries involving multiple tables can be complicated.. but it's easy to put the same data in multiple tables! So just create multiple tables with the various data sets you need! Suggest a database view (at least half way to an ok solution) .. the DBA (yes, they had a DBA, a professional database guy, and he allowed this!) won't allow it (he won't reject it, he just offers to "look into it", which if you don't know is office politics for "nope!").

    Ok I'm gonna stop and let my blood pressure come back down...

  • by rudy_wayne (414635) on Wednesday March 14, 2012 @02:00PM (#39355275)

    By SANS standards, only 18% of government apps passed, compared with 28% of finance industry apps and 34% of commercial software. Wysopal and others blame the difference on a lack of accountability of federal contract developers, who aren't held to security standards and are even paid extra to fix their bugs after creating them."

    OK. So government contractor produce the shittiest code, due to a lack of accountability. However, the 34% rating for commercial software is absolutely horrible and inexcusable. Commercial software is almost twice as good, but twice as good shit is still shit.

    • It's likely that the percentage of outsourced projects tracks the prevalence of security problems. Certainly, the government has a very high level of outsourced vs in-house development. I think that financial institutions also tend to largely outsource (especially customer-facing) development.

  • by Spy Handler (822350) on Wednesday March 14, 2012 @02:04PM (#39355331) Homepage Journal
    In some other countries, government employees are smart and work hard. In South Korea for instance the gov't software all run on IE6 activeX plugins and are rock-solid.
  • Wow, I just found out that I'm better at something than the government.

  • by Liquidrage (640463) on Wednesday March 14, 2012 @02:10PM (#39355423)
    1. Much of government is custom software. In the private world less so. Not that there aren't exceptions in either case, but my bank didn't write their own custom software for finances. In government it's almost always build over buy. It's much harder for the government to change policies to fit software when much of what they are writing software for is dictated by legislation.

    2. Much of government software is written last minute to meet the demands of the people we've elected that in turn force government agencies to create something from nothing, usually without proper funding and usually with unrealistic deadlines.

    3. Much of government software is written by inexperienced people. Contractors and government employees are rehashed from project to project even as technology changes.

    I've worked public and private for 15 years now in tech and have seen it all. DoD, Federal, and State projects from both sides of the contract/public servant side. A lot of government software is written in locations with smaller workforces leading to hiring people that are just the best you can get, now what you should get. The deadlines for government projects are almost always unrealistic. The powers that be, and I mean the legislature at the state level and agency heads in Federal, and the commanders/Washington in DoD work, don't feel like there's a ROI on almost any project, it's just stuff they "have" to do, so they don't take into account doing it right. They shoestring a budget, or don't even have a budget, and use whatever resources they can find to get things done.

    Most projects aren't even contracted out completely. Many are sure. But I'd say more are a mixture of public workforce and contract or just done but the public servants at hand already. And yes, the contracted out ones are usually the worse IMO because the reason they got the contract is they "knew" the right person and it's a milking of taxpayer money. I've taken over for two projects completely outsourced to very large multi-national contracting firms whose names everyone would recognize. Both were over 70 million contracts. And both were complete crap. The systems were disgusting. We didn't even get printed binders for taking over the maintenance on either. We got some word docs in a network folder, the documents created "after" development was completed. A hodgepodge of technologies and some really bad code. For 70+ million you'd think you'd at least get a Tech Writer on the project and some bound color copies from Kinkos. Nope.
  • Remember, if the government were to hire it's own developers to make government systems that would be communism and if those developers were allowed to unionize and put their foot down to halt a known bad release until it was correct and secure, that would be ultra-communism
  • by Anonymous Coward

    Other contributors have mentioned good reasons for government code being less secure. I'm going to give another interpretation: sample bias.

    How do you get a representative sample of industry code or government code? It's just not possible.

  • Wysopal and others blame the difference on a lack of accountability of federal contract developers, who aren't held to security standards and are even paid extra to fix their bugs after creating them.

    Ah yes, blame the contractors for everything. Ignore the fact that not that long ago, one of the highest ranking federal IT officers came out and basically confessed that most federal IT projects fail because most of the federal government doesn't even remotely handle requirements gathering properly. That's a n

    • by Liquidrage (640463) on Wednesday March 14, 2012 @02:28PM (#39355717)
      Of course now the government is switching to agile/scrum (as opposed to the prior methodology of OMFGRAD) en masse so that requirements are gathered on the fly/after the fact and collected on sticky notes and discussed for 10 minutes a day. Because hell, if you can't get good requirements might as well have a methodology that minimizes the need for them.

      Of course, considering almost all government software is dictated by business logic and legislation and often rely on existing legacy systems that can't be easily changed, I don't think it's exactly wise. I gag every time the cafe-latte sipping PM's gush about switching over toe scrum on another project so I can spend twice as long building software because my requirements are even worse now. But hey, it has a catchy name, it must be good for government work. We're all so grown up now.

      It's not like a can get a high level requirement that I need to capture user information and go build a user screen in the government world. Every freaking little detail is going to be exacted upon on a user screen with rules and laws (and legacy systems) dictating what I can and can't do what is and isn't there and how it interacts with other systems. It's not that agile/scrum is always bad. It's just a square peg in a round hole of current government in most cases.
  • by MindStalker (22827) <mindstalker.gmail@com> on Wednesday March 14, 2012 @02:25PM (#39355647) Journal

    Government web applications are generally intended to Provide public information. 16% secure
    Finance industry web applications are intended to transmit money the fact. 24% secure. The fact that this is less than twice as secure as web application that are generally informational only is frightening as heck.

    Commercial applications are a mix of the two and come out to 28%. Strange.

  • by retech (1228598) on Wednesday March 14, 2012 @02:48PM (#39355989)
    At least not 100%. You can blame the many headed beast they have to answer to. With every dept. head feeling they have to justify their existence by exerting power in the form of conflicting demands. Also add to this rule sets for compliance that are decentralized and NOT overseen by people who know how to program (generally) but instead know how to be gov't administrators. So compliance will often mean having internal conflicts as to what an application can do.

    This is really about government controls run a muck.
  • This is partially due to the Cost + Fixed Fee model which encourages companies to reinvent the wheel instead of developing and using stable, tested code bases. Spending more money grows your revenue and your company, being efficient and spending less money limits the growth potential of your company. The second major reason is they are married to outdated development practices like the Waterfall model and generally answering new/potentially better ideas with "No, that's not the way its done."
  • Well, duh. Thanks to the rules (lobbied for by we-all-know-who), most government contracts are cost-plus: the contractor's paid the bid plus any additional costs that come up after the bid. With those terms the best approach is to low-ball the bid to insure you win it, do a shoddy job and then bill any time needed to fix the problems as an additional cost.

    The fix is obvious: eliminate cost-plus. Make the standard terms fixed-cost: the contractor's paid the amount bid to deliver the goods as specified in the

    • by geekoid (135745)

      Many, not most. And for a great many of them it makes sense. Note: cost plus does not equal zero oversight. Just so you know.

      Lets take a 5 year project on a piece of highway.

      Seems pretty straight forward right?
      Did you know the price of rock could double in that time period? or be cut ijn half? rock turns out to be more volatile then one would expect.

      And that's just one component. IO unusually bad year can delay, fuel prices changes and so on.
      Now, I know the media doesn't report this side of it, but somet

  • by SuperDre (982372)
    And to think that 90% of the software created by the government is actually created by commercial companies.. so the study is actually bogus...
  • /me uninstalls SELinux.

  • There are a couple of assumptions here which are actually validated. One is that all government code is outsourced, actually its not.
    The fundamental problem here is that government agencies especially can't tell shit from suger in terms of the quality of their software.
    Industry can't tell them either, I know from experience that Government already spends enormous sums of money on processes which are meant to make software better, guess what? It doesn't work.
    Government agencies (and staff promotions) are me

    • by geekoid (135745)

      " One is that all government code is outsourced, actually its not.
      um, no most of it is. And in my experience, at the end of the day it's more expensive then keeping staff on hand.

      Interesting, Me experience is quite the opposite. Results make the next position you apply for more likely to look at you.
      When you can get shit down,l people know and don't hire you, and eventual you position will be cut.

  • Veracode isn't offering to fix "buggy" code, they're selling "cyber terror" fixes.
  • Conceived by unaccountable committees. No independent cost/benefit analysis, no human factors or usability analysis. No testing prior to rollout. Spotty or no technical support. No GAAP accounting to see if the software saved money or accomplished stated goals. No money back guarantee and many of the developers leave the company every four years.

  • None of those percentages 16-28% sound very good to me.
    The reason the govt is the worst is what others mentioned--too many cooks spoiling the broth.
    The Department of Homeland Security consists of 22 separate Agencies that report to 88 different Congressional committees.That last sentence is a problem statement in my opinion.
    • by geekoid (135745)

      Instead of agreeing because it confirms to your bias, look at where this 'study; comes from.

      And the divsion of responsibilities in a government agency's is a strength, not a flaw.

  • Our (Dutch) police have a new computer system that is so bad the consensus is now to abandon it and start again from scratch. It has cost lots of hundreds of millions of euros.

    • by tsa (15680)

      Replying to myself I know, but I forgot the other debacle: our new train ticket system which is very buggy, insecure and has also cost loads of taxpayer's money.

  • This isn't a study.

    This is a press release declaring that everyone who is not already their client has a desperate need for Veracode's services. No different than when Norton sends out a "study" that shows how terribly dangerous the internet is or how much malware exists for smartphones.

    This just sounds like they're angling to get themselves some more government business. And you know, kudos for them.

  • by Tridus (79566) on Wednesday March 14, 2012 @04:27PM (#39357269) Homepage

    Governments are prone to several problems that cause serious problems with program quality. Speaking as a government programmer, starting with the biggest problem:

    1. Consultants. Anytime you have someone external come in and build the code, they don't know anything about the business. They build whatever the spec is (hopefully). In my experience in government, specs are usually very bad at explaining what the users actually need. You need to understand the business in question pretty well to do that. Someone who actually understands how Environmental Inspection & Enforcement is done will be able to write a better program to do it then some guy who is just reading what a word doc says to build, because the first person has the knowledge to know when the spec is wrong.

    And that's on a good day. Then you get the consultants who use crappy obsolete technology to throw stuff out quickly, hoping to get more money to fix it later. It won't integrate with anything else, because other consultants did that. When it needs changes because of legislative changes to the business put in by the politicians, nobody is going to know how to change it. It's an expensive and ineffecient model.

    Whenever you hear about a $300 million system that didn't work, the odds are good a lot of consultants were involved.

    2. Scope creep. Governments are infamous for this. They say we're going to do X. Then another branch jumps in later, now we're doing Y. Then another one. Oh, then there is a department merger and we need it to also work for some other department. Then there's an election and the priorities all changed. Good luck keeping up with that. It's made even worse if you're trying to do the project as one giant release that's all things to all people.

    What governments need to do in order to deal with this inevitable problem is split projects up into phases and deliver smaller pieces. It's a lot better to get the first piece out there and in use in a relatively short timeframe then it is to try and build the entire mega-solution at once.

    3. It's easy for government employees to become insular, because government is different from the rest of the industry. It's a trap to fall into where you don't keep up with what's new and changing just because you don't particularly need to. Given enough time, skills can become lax and obsolete. It's something that can be dealt with, but employees have to be encouraged to keep learning.

  • where the p[people don't realize the 'government' isn't one group, one set of funds, or one set of guideline.

    Oh wait? they sell a product? and don't release the details of said study? Maybe they do understand why a general grab at the generic label 'Government' makes for a misleading results.

  • and are even paid extra to fix their bugs after creating them.

    this is the standard procedure when you, the client, approve work without kicking the tires. obviously there are some exceptional situations, and some legalese is required. if you don't want to pay for bugs to get fixed, either don't approve them or get a warranty. nobody writes bug-free code, that's a myth inherent in non-programmers. but on the whole, if you buy something without warranty, you get what you get. that's the whole point of charging extra for warranties.

    if i'm a landscaper and i plant the

  • NOT Confirms. (Score:4, Informative)

    by Atzanteol (99067) on Wednesday March 14, 2012 @05:00PM (#39357683) Homepage

    Concludes, not confirms. Studies do not confirm anything (unless done by Netcraft).

  • The slight difference in percentages really surprised me. Somehow I expected better of the private sector.

    I have seen quite a few "Government" built software applications. 40% of the time it is a single person or kid just out of college with no or not much experience that works in that group and was asked to create it because they have programming experience on their resume. Another 40% of the time it is someone who bid low on it and is frantically posting to forums and groups asking for help with their wor

  • Because as anyone who's ever had to engage the government on any outsourcing or code maintenance deal knows that the government's list of security 'requirements', application testing criteria, security and encryption demands, documentation standards, SLA's and standards compliance stretches from here to the fucking moon making regulatory and audit compliance insanely expensive and almost guaranteed to fail.

  • by Zoxed (676559) on Thursday March 15, 2012 @07:37AM (#39362451) Homepage

    I know that Slashdot has just copied the article title, but it seems incorrect:

    - The article only seems to discuss security: this is only one class of bug.
    - Surely a bug is a mismatch between the requirements and the implementation. If certain security criteria are not required, then it is not a bug if they are not met !

    I suggest the title should be more like "Study Confirms The Government Produces The Least Secure Software".

Whoever dies with the most toys wins.

Working...