It turns out that the security state of their applications is pretty abysmal too. But first, let’s take a look at what the Government’s report card looks like for their job rating. Gallup has asked Americans each August since 2001 to indicate whether they have positive or negative views of a list of business and industry sectors. The 2011 update is from Gallup's Aug. 11-14 survey.

[Figure: Gallup Aug. 11-14 survey results, positive vs. negative views by sector]

The federal government has been near the bottom of the list in this survey in previous years, but is at the absolute bottom this year for the first time, displacing the oil and gas industry. Only 17% of Americans have a positive view of the federal government -- the lowest of any sector tested this year -- while 63% have a negative image. Now let’s take a look at how Government applications (representing US federal, state and local government applications processing critical data such as PII, national security data and operating critical systems) fared when measured against other industry sectors in Veracode’s State of Software Security report, Volume 4.

[Figure: OWASP Top 10 Compliance by Industry on First Submission]

Looks like they were rock bottom on our list too! Only 16% of Government web applications passed when first tested against the OWASP Top 10, and only 18% of Government non-web applications passed when first tested against the CWE/SANS Top 25. I know they measure different things, but I am struck by the symmetry of these numbers: a 16% pass rate on web apps, a 17% positive job approval rating, and an 18% pass rate on non-web apps!

Cross-site Scripting and SQL Injection were also found to affect a higher percentage of Government applications than other industry sectors. 75% of Government web apps had XSS issues, compared to 67% in the finance sector and 55% in the software sector. 40% of Government web apps had SQL Injection issues, compared to 29% for the finance sector and 30% for software. What was even more worrisome was that the SQL Injection trend was flat for Government applications while declining in our overall dataset. A partial explanation of this poor performance may be that the Government applications we tested used a higher percentage of ColdFusion than other industry segments, and we have found that ColdFusion has a higher incidence of XSS issues than other platforms. ColdFusion also tends to be used by less experienced developers because it makes creating web applications easier, and these developers are also less likely to be experienced in secure coding practices. Another reason could be the lack of strict requirements for application security testing; let's face it, mandates drive so much activity in this sector. With half a dozen or more cybersecurity bills in various stages of the legislative process, it is clear that lawmakers and government executives are finally turning their attention to the protection of the nation's information infrastructure. Let's hope that they learn from this poor showing and take the appropriate steps, both legislatively and in terms of planning their application security initiatives for 2012.


Sam King is the executive vice president of strategy and corporate development and General Manager of the mobile division at Veracode. In this role, Ms. King oversees product management, corporate development and execution, M&A activities, and building key industry and strategic alliances, as well as the overall direction of Veracode's mobile product line.
