Writing secure code is not easy. But apparently almost anyone does a better job of it than the developers employed by the government. According to Forbes, Chris Wysopal, security researcher and chief technology officer of the bug-hunting firm Veracode, says he will give a briefing on an analysis of 9,910 software applications from 2010 to 2011. His company automatically scanned them for flaws that an attacker could exploit to break into the application, or into a user's PC for that matter.
The company's overall conclusion is that government software developers are not good at producing software that resists attack, and that their products have more security flaws than those of private developers. Their code is easily broken into. The situation is worse than it sounds: the company's results show that 8 out of 10 apps failed to meet its security criteria.
This helps explain why hackers have so easily been poking at the U.S. government and its federal agencies, especially the FBI: their applications are so easily broken. The company's study also shows that 80% of the programs built for federal agencies fare even worse. Only 16% came out secure by the standards of the Open Web Application Security Project (OWASP), whereas the commercial industry does at least somewhat better than the government at 28%. Wysopal said of this situation:
“The government acts like security is the problem of the commercial sector and they’re going to regulate everyone. But if you look at this, private industry is definitely ahead of government.”
In fact, according to the study, the very weaknesses that government web apps exhibit are the loophole through which Anonymous and LulzSec broke in. The database was hijacked in exactly this way. 75% of government-written applications are vulnerable in ways that let attackers break in and alter their contents as they please. Alan Paller, research director of the SANS Institute, explains why this is the case:
“The consequences for private sector software writers who write insecure code in commercial software is high costs for patching along with substantial embarrassment for their companies and job insecurity for them. In contrast, the consequences for private sector software writers who write insecure code for the government is contract add-ons to fix the problem, and more revenue for their companies and job security for them. You’d think they’d be really worried about someone asking a fix to a security problem. But those are just called change orders. And that’s how a project manager makes his bonus. I’m not claiming that contractors aren’t trying to do the right thing. But this is how the incentives are built.”
[ttjad]