It turns out that the security state of their applications is pretty abysmal too.
But first, let’s take a look at what the Government’s report card looks like for their job rating. Gallup has asked Americans each August since 2001 to indicate whether they have positive or negative views of a list of business and industry sectors. The 2011 update is from Gallup's Aug. 11-14 survey.

The federal government has been near the bottom of the list in this survey in previous years, but is at the absolute bottom this year for the first time, displacing the oil and gas industry. Only 17% of Americans have a positive view of the federal government -- the lowest of any sector tested this year -- while 63% have a negative image.

Now let’s take a look at how Government applications (representing US federal, state and local government applications processing critical data such as PII, national security data and operating critical systems) fared when measured against other industry sectors in Veracode’s State of Software Security report, Volume 4.

Looks like they were rock bottom on our list too! Only 16% of Government web applications passed when first tested against OWASP Top 10 and only 18% of Government non-web applications passed when first tested against CWE/SANS Top 25. I know they measure different things but I am struck by the symmetry of these numbers – 16% pass rate on web apps, 17% positive job approval rating, 18% pass rate on non-web apps!

Cross-site Scripting and SQL Injection were also found to affect a higher percentage of Government applications than other industry sectors. 75% of Government web apps had XSS issues compared to 67% in the finance sector and 55% for the software sector. 40% of Government web apps had SQL Injection issues compared to 29% for finance sector and 30% for software. What was even more worrisome was that the SQL Injection trend was flat for Government applications while declining in our overall dataset.

A partial explanation of this poor performance may be that the Government applications we tested used a higher percentage of ColdFusion than other industry segments, and we have found that ColdFusion has a higher incidence of XSS issues than other platforms. ColdFusion also tends to be used by less experienced developers because it makes creating web applications easier, and these developers are also less likely to be experienced in secure coding practices. Another reason could be the lack of strict requirements for application security testing; let’s face it, mandates drive much of the activity in this sector. With half a dozen or more cybersecurity bills in various stages of the legislative process, it is clear that lawmakers and government executives are finally turning their attention to protecting the nation’s information infrastructure. Let’s hope they learn from this poor showing and take the appropriate steps, both legislatively and in planning their application security initiatives for 2012.


About Sam King

Sam King is the executive vice president of strategy and corporate development and General Manager of the mobile division at Veracode. In this role, Ms. King oversees product management, corporate development and execution, M&A activities, and building key industry and strategic alliances, as well as the overall direction of Veracode’s mobile product line.

Comments (2)

Crisco | January 10, 2012 5:49 pm

I think if you took a look at what the government pays a cyber security professional in comparison to industry, a lot of these statistics would start to add up.

Sam King | January 11, 2012 9:00 am

You make a good point, Crisco. However, the unfortunate truth is that other industries, while better than the Government, aren't doing so well either. There is a lot of room for improvement across the board. Better pay may attract better cybersecurity talent, but there are still only so many of these professionals available for hire. There is a scarcity of this skill-set in the market. That is why we recommend augmenting the resources you do have with automated technologies to scale the solution to the size of the problem you are dealing with. Relying on human expertise alone won't cut it. We also stress the importance of developer education: if we can prevent the most commonly exploited vulnerabilities from being present in software to begin with, we reduce the amount of low-hanging fruit available to hackers.
