It turns out that the security state of their applications is pretty abysmal too. But first, let's take a look at the Government's report card for its job rating. Gallup has asked Americans each August since 2001 to indicate whether they have positive or negative views of a list of business and industry sectors. The 2011 update is from Gallup's Aug. 11-14 survey.
The federal government has been near the bottom of the list in this survey in previous years, but is at the absolute bottom this year for the first time, displacing the oil and gas industry. Only 17% of Americans have a positive view of the federal government -- the lowest of any sector tested this year -- while 63% have a negative image. Now let’s take a look at how Government applications (representing US federal, state and local government applications processing critical data such as PII, national security data and operating critical systems) fared when measured against other industry sectors in Veracode’s State of Software Security report, Volume 4.
Looks like they were rock bottom on our list too! Only 16% of Government web applications passed when first tested against the OWASP Top 10, and only 18% of Government non-web applications passed when first tested against the CWE/SANS Top 25. I know these measure different things, but I am struck by the symmetry of the numbers: a 16% pass rate on web apps, a 17% positive job approval rating, and an 18% pass rate on non-web apps!
Cross-site Scripting and SQL Injection were also found to affect a higher percentage of Government applications than other industry sectors. 75% of Government web apps had XSS issues, compared to 67% in the finance sector and 55% in the software sector. 40% of Government web apps had SQL Injection issues, compared to 29% for the finance sector and 30% for software. What was even more worrisome was that the SQL Injection trend was flat for Government applications while declining in our overall dataset.

A partial explanation of this poor performance may be that the Government applications we tested used a higher percentage of ColdFusion than other industry segments, and we have found that ColdFusion has a higher incidence of XSS issues than other platforms. ColdFusion also tends to be used by less experienced developers for creating web applications with greater ease, and these developers are also less likely to be experienced in secure coding practices. Another reason could be the lack of strict requirements for application security testing, and let's face it, mandates drive so much activity in this sector.

With half a dozen or more cybersecurity bills in various stages of the legislative process, it is clear that lawmakers and government executives are finally turning their attention to the protection of the nation's information infrastructure. Let's hope that they learn from this poor showing and take the appropriate steps, both legislatively and in planning their application security initiatives for 2012.