Congress is demanding code audits for Guess what: they’re right!


In a letter dated May 1, Representative Lamar Smith of Texas, the Chair of the House Committee on Science, Space and Technology, asked Gene Dodaro, the Comptroller General of the Government Accountability Office (GAO), to expand an audit of the web site. As reported by, Smith asked the GAO to add “penetration testing, source code analysis, a review of the developer supply chain, and an examination of secure code practices through the software development cycle” to its audit.

Smith and his allies are right in demanding that the GAO’s audit of should include the underlying web application code, the development practices behind it, and the code of the third-party “supply chain” partners that contributed to the site.

For one thing, Smith’s request comes in the wake of the Heartbleed vulnerability, a dangerous security hole in OpenSSL, an open-source component that was used in as well as millions of other web sites. Presumably, Smith’s call for a review of’s software supply chain is designed to identify other vulnerable components or modules that might be powering

The other point is that an audit of a high-profile web site that serves millions of Americans and collects sensitive personal and financial information absolutely must include both manual and automated penetration testing (how well the site withstands attacks) as well as a code audit: a hard look at the underlying code that makes up the site.

According to, however, the GAO’s ongoing audit only mentions "an architecture review, vulnerability testing and examination of the monitoring and incident detection capabilities of the website."

While we don’t know exactly what went into the stew, we know that the development of the site was chaotic. The site was woefully behind schedule when it launched in October – as evidenced by the immediate failure of the portal.

The government has since fired the lead contractor, CGI Federal. Also, since the launch, security researchers who have audited parts of the site have raised concerns that it lacks proper security controls and have even suggested that the site be shut down. David Kennedy of the firm TrustedSec warned that the site was “not developed with security in mind,” and would therefore take longer to fix.

The problem, of course, is that the security problems with aren’t just technology problems – they’re evidence of larger cultural and management failings on the part of many large organizations. As this blog noted last week, security testing needs to be part and parcel of the development plan. And, when issues are discovered as part of that testing, there needs to be a plan in place to remediate them. Simply knowing about vulnerabilities isn’t useful if an organization lacks the ability or will to address them.

About Paul Roberts

Paul Roberts is an experienced technology writer and editor who has spent the last decade covering hacking, cyber threats, and information technology security, including senior positions as a writer, editor and industry analyst. His work has appeared on NPR’s Marketplace Tech Report, The Boston Globe,, Fortune Small Business, as well as ZDNet, Computerworld, InfoWorld, eWeek, CIO, CSO and He was, yes, a guest on The Oprah Show — but that’s a long story. You can follow Paul on Twitter here or visit his website The Security Ledger.

Comments (1)

Dave Ferguson | May 12, 2014 3:27 pm

Right-wing attacks? Did I visit by mistake? This is not the place to express political views. The first 3 paragraphs and the last paragraph are suitable for NPR, Boston Globe, and/or, not Veracode.
