We recently released the "State of Software Security Volume 6: Focus on Industry Verticals." This is the first State of Software Security report that has a specific focus on industry trends, and some of the results are causing me to have déjà vu. For example, compare this recent headline from Re/Code: "Why the Federal Government Sucks at Cyber Security" to a ZDNet article from 2013 resulting from the State of Software Security Volume 5: "Chris Wysopal, Veracode: U.S. Government worst at data security."
Look familiar? The headlines haven't changed, and the statistics haven't improved much either. In volume 6, we found:
- Three out of four government apps fail the OWASP Top 10 upon initial assessment.
- 40 percent of applications had at least one SQL injection vulnerability.
No wonder the Office of Personnel Management (OPM) suffered such a cataclysmic breach and is now forced to shut down its background investigation portal. This breach compromised more than 4 million records, exposed up to 18 million individuals' personal information and sparked a national conversation about the government's ability to secure private information.
The problem is the same systems that are meant to make background checks, submitting tax returns and other tasks simpler and more convenient often open the door for cybercriminals. The OPM breach is a prime example of the prevalence of critical vulnerabilities in web forms. This is why the agency is suspending operation of the Electronic Questionnaires for Investigations Processing system. The investigation team evaluating the security of the OPM discovered a vulnerability in the web gateway, which is used to submit materials for background investigations. We need to start asking - how far does the rabbit hole go?
"The State of Software Security Volume 6" does not have specific data on the vulnerabilities in OPM applications, but we do have data about the industry as a whole, and it isn't positive. According to the "Verizon 2015 Data Breach Investigations Report," the number one cause of data breaches over the past eight years has been vulnerable software applications. Yet 70 percent of government applications have Cross Site-Scripting vulnerabilities, and 40 percent have at least one SQL injection vulnerability – two of the most exploitable vulnerabilities.
The government is relying on old programming languages like ColdFusion to develop applications. And these languages present more of an opportunity to introduce vulnerabilities. Additionally, our research found that when government agencies do assess their applications for vulnerabilities, they fix fewer of the flaws found than any other industry!
The combination of outdated programming languages and not fixing vulnerabilities when they are found is one of the reasons we are seeing so many breaches of government agencies. Perhaps the White House's decree that all agencies should "beef up" cybersecurity will help reduce the number of breaches. However, if agencies focus more on firewalls and endpoint security than the root of their problem – vulnerabilities – we will continue seeing these types of breaches in the government sector.
There is hope for those of us who are concerned about the security of the applications created by government agencies. Peiter Zatko, a respected computer security researcher, better known by the nickname Mudge, is going to explore ways to help the U.S. government make software more secure.
Good luck, Mudge, it looks like remediating vulnerabilities is the place to start.