We recently released the "State of Software Security Volume 6: Focus on Industry Verticals." This is the first State of Software Security report that has a specific focus on industry trends, and some of the results are causing me to have déjà vu. For example, compare this recent headline from Re/Code: "Why the Federal Government Sucks at Cyber Security" to a ZDNet article from 2013 resulting from the State of Software Security Volume 5: "Chris Wysopal, Veracode: U.S. Government worst at data security."

Look familiar? The headlines haven't changed, and the statistics haven't improved much either. In volume 6, we found:

- Three out of four government apps fail the OWASP Top 10 upon initial assessment.

- 40 percent of applications had at least one SQL injection vulnerability.

No wonder the Office of Personnel Management (OPM) suffered such a cataclysmic breach and is now forced to shut down its background investigation portal. This breach compromised more than 4 million records, exposed up to 18 million individuals' personal information and sparked a national conversation about the government's ability to secure private information.

The problem is that the same systems meant to make background checks, tax-return filing and other tasks simpler and more convenient often open the door for cybercriminals. The OPM breach is a prime example of the prevalence of critical vulnerabilities in web forms. This is why the agency is suspending operation of the Electronic Questionnaires for Investigations Processing system. The investigation team evaluating the security of the OPM discovered a vulnerability in the web gateway, which is used to submit materials for background investigations. We need to start asking: how far does the rabbit hole go?

"The State of Software Security Volume 6" does not have specific data on the vulnerabilities in OPM applications, but we do have data about the industry as a whole, and it isn't positive. According to the "Verizon 2015 Data Breach Investigations Report," the number one cause of data breaches over the past eight years has been vulnerable software applications. Yet 70 percent of government applications have Cross-Site Scripting vulnerabilities, and 40 percent have at least one SQL injection vulnerability – two of the most exploitable vulnerability classes.

The government is relying on old programming languages like ColdFusion to develop applications. And these languages present more of an opportunity to introduce vulnerabilities. Additionally, our research found that when government agencies do assess their applications for vulnerabilities, they fix fewer of the flaws found than any other industry!

The combination of outdated programming languages and not fixing vulnerabilities when they are found is one of the reasons we are seeing so many breaches of government agencies. Perhaps the White House's decree that all agencies should "beef up" cybersecurity will help reduce the number of breaches. However, if agencies focus more on firewalls and endpoint security than the root of their problem – vulnerabilities – we will continue seeing these types of breaches in the government sector.

There is hope for those of us who are concerned about the security of the applications created by government agencies. Peiter Zatko, a respected computer security researcher, better known by the nickname Mudge, is going to explore ways to help the U.S. government make software more secure.

Good luck, Mudge, it looks like remediating vulnerabilities is the place to start.

About Jessica Lavery

Jessica is part of the content team at Veracode. In this role she strives to create and promote content that will engage, educate and inspire security professionals around the topic of application security. Jessica's involvement with the security industry goes back more than a decade at companies like Astaro and Sophos, where she held roles in corporate communication and marketing.

Comments (6)

Hofo | July 7, 2015 11:58 am

You're laying this at the feet of the "outdated programming languages"? What about the inadequacies of the developers and architects? Surely you're not claiming that it's impossible to write insecure applications in languages as modern as C#?

Brad Wood | July 7, 2015 12:12 pm

"The government is relying on old programming languages like ColdFusion to develop applications. And these languages present more of an opportunity to introduce vulnerabilities."

ColdFusion is not an old language. The latest update just came out this year. ColdFusion also hasn't been around any longer than, say, Java, PHP, Ruby, Python, or JavaScript.

Furthermore, my research has shown that ColdFusion actually has had fewer reported security vulnerabilities than many of these other mainstream languages.

Please share your sources or research that show CF to be older or more insecure than other mainstream languages.

Jonathon Lucas | July 7, 2015 12:32 pm

This is an interesting article, but it would have been interesting to hear in more detail about "The government is relying on old programming languages like ColdFusion to develop applications". If you know anything about coding languages then you will know that ColdFusion isn't out of date when version 11 was released in April 2014 and ColdFusion 12 is in planning/development right now. The last patch for CF11 was released not that long ago, which contained security fixes and standard bits and bobs.

Any coding language can have security flaws in it; PHP is one of the most hacked languages because of poor coding and hardly ever due to flaws in the language itself.

If you are ever unsure about code, please do bring in advice from either experts in that field or a security company with knowledge of this. People shouldn't fear coding languages because of poorly written blog articles; they should be careful of the code itself - but, saying that, any good developer will know what to be careful of.

Thanks for reading :)

Adam Cameron | July 7, 2015 1:16 pm

It'd be quite cool if your blog comments joined us in the 21st century and preserved paragraph breaks :-/

jlavery | July 7, 2015 1:32 pm

To answer some of these questions – no, we are not pinning the presence of vulnerabilities solely on the shoulders of the programming language. Coding practices play a huge part in it, as do security policies. I was simply pointing out what our data suggests – that some languages are more likely than others to create opportunities for vulnerabilities. As our full report states, "the low pass rate (24 percent) in government may be partially explained by the higher use of scripting languages and older languages such as ColdFusion which are known to produce more vulnerabilities, but cannot be entirely ascribed to this. Other factors such as the lack of regulatory demands that are present in other fields like healthcare, may also contribute to the lower first-pass rate". (https://info.veracode.com/state-of-software-security-report-volume6.html)

I'd also like to point out that the use of certain programming languages can only contribute to the vulnerabilities found in the first security assessment. The languages used have nothing to do with the low mitigation rate.

We did not mean to imply the use of ColdFusion is the only reason for low pass rates. I should have included the rest of the analysis, and will update the statement.

Brad Wood | July 8, 2015 3:30 pm

Thanks for the clarification, Jessica. I can understand that a site developed in CFML by CFML programmers in organizations who use CFML might show a trend of containing vulns, but your article seems to imply that CFML *as a language* is inherently less secure. The link in my first comment shows this to not be true.

Also, I would suggest there is an unfortunate correlation in the environments where CF is common (ent, gov) to not be on the leading edge of technology, security, or best practices. That is a grievance that should be leveled at the cultures of those organizations, NOT the language they happen to use on a particular project.

You still haven't addressed why you decided to call ColdFusion "old". This is unnecessarily degrading and laughable when looked at in context. An article listing the top-used technologies in web development shows these:
- HTML (22 yrs old)
- CSS (19 yrs old)
- JavaScript (20 yrs old)
- PHP (20 yrs old)
- C# (15 yrs old)
- Java (20 yrs old)
- Python (24 yrs old)
- Ruby (20 yrs old)
- Perl (28 yrs old)
- CFML (20 yrs old)
- SQL (41 yrs old!!)

The *average* age of these technologies is over 22 years old. Seeing as how CFML is *below* that average, how can you write on your blog that someone using CFML is using an "old" technology? Were you misinformed or just exaggerating the facts to make a better story?
