Study Confirms the Government Produces the Buggiest Software

Sparrowvsrevolution writes in with a link to a Forbes story about the lackluster code produced by government agencies. "Humans aren't very good at writing secure code. But they're worst at it when they're paid to do it for the U.S. government, according to a study that will be presented at the Black Hat Europe security conference in Amsterdam later this week. Chris Wysopal, chief technology officer of bug-hunting firm Veracode, plans to give a talk breaking down a vulnerability analysis of 9,910 software applications over the second half of 2010 and 2011. Government-built applications came out far worse than those created by the commercial software industry or the finance industry. Only 16% of government web applications were secure by OWASP standards, compared with 24% of finance industry software and 28% of commercial software. By SANS standards, only 18% of government apps passed, compared with 28% of finance industry apps and 34% of commercial software. Wysopal and others blame the difference on a lack of accountability of federal contract developers, who aren't held to security standards and are even paid extra to fix their bugs after creating them."
  • Contractors (Score:5, Interesting)

    by Anonymous Coward on Wednesday March 14, 2012 @01:48PM (#39355083)

    Unfortunately, all the outsourcing going on in the Government (because it's easier to get money for a contract than to hire a developer on a permanent basis) is what's really killing the code here. Most outsourcing firms have a "throw the code over the wall" attitude, and spend more time deflecting blame for bugs than trying to fix them. I can't think of a business where there's less accountability than Government contracting, except possibly foreclosure management....

  • I can attest to this (Score:5, Interesting)

    by Reverand Dave ( 1959652 ) on Wednesday March 14, 2012 @01:49PM (#39355107)
    I work for a government agency and I can swear this to be the absolute truth. I believe the reason to be a lot of politicking in management and not enough actual IT experience. No one wants to step on toes, or else it might come back to bite you later when you need funds for a project. So when user X asks for feature Y in software Z and there is no way it can be implemented without hacking together a mess of SQL query strings that may or may not work, well then you do it, because if you don't, user X may at one point be on a committee that can divert funds from your server or software upgrade budget.
  • Yes. (Score:5, Interesting)

    by Cantide ( 743407 ) on Wednesday March 14, 2012 @01:51PM (#39355137)
    I was a software tester for the DoD and can confirm the stupidity here. (I can't really talk about the exact program but I can tell you with 100% certainty that it was mission critical.) We were contracted to run massive amounts of automated testing on the latest build of the software I was working on. Upon finding bugs, we needed to do regression testing... to decide if we would fix them in the latest build, because if they were present in previous versions we were under no obligation to do so unless specifically paid to do so.
  • by Liquidrage ( 640463 ) on Wednesday March 14, 2012 @02:28PM (#39355717)
    Of course now the government is switching to agile/scrum (as opposed to the prior methodology of OMFGRAD) en masse so that requirements are gathered on the fly/after the fact and collected on sticky notes and discussed for 10 minutes a day. Because hell, if you can't get good requirements might as well have a methodology that minimizes the need for them.

    Of course, considering almost all government software is dictated by business logic and legislation and often relies on existing legacy systems that can't be easily changed, I don't think it's exactly wise. I gag every time the cafe-latte sipping PMs gush about switching over to scrum on another project, so I can spend twice as long building software because my requirements are even worse now. But hey, it has a catchy name, it must be good for government work. We're all so grown up now.

    It's not like I can get a high level requirement that I need to capture user information and go build a user screen in the government world. Every freaking little detail is going to be exacted upon on a user screen, with rules and laws (and legacy systems) dictating what I can and can't do, what is and isn't there, and how it interacts with other systems. It's not that agile/scrum is always bad. It's just a square peg in a round hole of current government in most cases.
  • by El Torico ( 732160 ) on Wednesday March 14, 2012 @03:16PM (#39356415)
    The profit motive is part of it, but only a part. Usually, the customer has undefined or poorly defined requirements and grossly incompetent management. I was once part of a program in which the government representative refused to provide the security standards and criteria that the system would be judged upon. We had conflicting standards to reconcile and every request for guidance or additional information was ignored.
    That was only part of the problem. The network design was provided by the government and it was a complete mess; we couldn't change it either.
  • This isn't a study.

    This is a press release declaring that everyone who is not already their client has a desperate need for Veracode's services. No different than when Norton sends out a "study" that shows how terribly dangerous the internet is or how much malware exists for smartphones.

    This just sounds like they're angling to get themselves some more government business. And you know, kudos for them.

  • by geekoid ( 135745 ) on Wednesday March 14, 2012 @04:51PM (#39357597)

    Did you read the report? No, of course you didn't. Unless you are explaining that the code developed by the private sector for the government is marginally more buggy? And that the study is worth a damn.

    I work for a government agency. Your whole description sounds a hell of a lot more accurate to my experience in the private sector than the public sector.

    Anecdotal experiences: Two Tales...

    Private sector:
    One time I got called on the carpet because I didn't list the names in my email address list in the 'appropriate order'. Putting a middle management person before the VP.. what nerve I have. I have many tales of correcting someone and being labeled a troublemaker. The financial sector sucks eggs.

    Public sector:
    Told a bureau head he was wrong, listed why. He thanked me for speaking up and saving them from an expensive mistake.
