US government writes the worst software

The US government currently has a reputation for producing some of the worst software code in the world.

Insecurity researcher and chief technology officer of bug-hunting firm Veracode, Chris Wysopal, is planning to tell delegates at the Black Hat Europe security conference in Amsterdam later this week that US government software developers are allowing significantly more hackable security flaws to find their way into their code.

He has been looking under the bonnet of 9,910 software applications over the second half of 2010 and 2011, scanning them for errors that a hacker can use to hit a website or a user’s PC.

Eight out of ten apps failed to fully live up to the company's security criteria, but when the results were broken down between US government and private sector, the government software came out ranked as garbage.

When he measured the collection of apps against the Open Web Application Security Project (OWASP) standard, he found that 16 percent of US government web software was secure, compared with 24 percent of finance industry software and 28 percent of commercial software.

Using the SANS standard to measure offline software, the study found that 18 percent of government apps passed, compared with 28 percent of finance industry apps and 34 percent of commercial software.

While the private sector coding was pretty much rubbish, it was a lot better than anything the government was coming up with.

Web applications were particularly bad. More than 40 percent of government web apps were vulnerable to SQL injection. For cross-site scripting, which allows an attacker to inject his or her own code into a website, 75 percent of government-written applications were vulnerable, compared with 67 percent in the finance industry and 55 percent of commercial software.
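The two flaw classes named above, shown as an added example that is not code from the Veracode study or from the article: a login query built by string concatenation beside its parameterised form, and a page fragment that reflects user input beside its escaped form. The sample user table, the in-memory sqlite3 database and the test inputs are all constructed for this demonstration.

```python
import html
import sqlite3

# Constructed sample accounts, not data from the study.
USERS = [("alice", "a-secret"), ("bob", "b-secret")]


def make_db():
    """Build an in-memory database with a small users table (constructed fixture)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, password TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)", USERS)
    return conn


def login_vulnerable(conn, name, password):
    """Builds the statement by string formatting.

    Whatever the caller supplies becomes part of the SQL text, so quote
    characters in the input can change the query's logic: the SQL injection flaw.
    """
    sql = f"SELECT name FROM users WHERE name = '{name}' AND password = '{password}'"
    return sorted(row[0] for row in conn.execute(sql))


def login_fixed(conn, name, password):
    """Parameterised statement.

    The SQL text is fixed; the driver binds the inputs as values, so they can
    only ever be compared against the columns, never parsed as SQL.
    """
    sql = "SELECT name FROM users WHERE name = ? AND password = ?"
    return sorted(row[0] for row in conn.execute(sql, (name, password)))


def greet_vulnerable(name):
    """Reflects user input straight into HTML: the cross-site scripting flaw."""
    return f"<p>Welcome, {name}</p>"


def greet_fixed(name):
    """Encodes the HTML metacharacters (&, <, >, quotes) so input renders as text."""
    return f"<p>Welcome, {html.escape(name)}</p>"


def demo():
    """Run both pairs against the same inputs and return the results for inspection."""
    conn = make_db()
    probe = "x' OR '1'='1"  # constructed input that closes the quote and adds a clause
    return {
        "vulnerable_login": login_vulnerable(conn, probe, probe),  # matches every row
        "fixed_login": login_fixed(conn, probe, probe),            # matches nothing
        "vulnerable_greet": greet_vulnerable("<b>x</b>"),          # markup passes through
        "fixed_greet": greet_fixed("<b>x</b>"),                    # markup is neutralised
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The fixed versions behave identically to the vulnerable ones for ordinary input; the difference only shows when the input contains SQL or HTML metacharacters, which is why these flaws survive functional testing and only surface in a security scan of the kind the study describes.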

Alan Paller, research director of the SANS Institute, told Forbes that the reason for the difference is the private contractor system in the US, which rewards bad coding.

Private sector software writers who write insecure code for the government get paid extra in contract add-ons to fix the problem. Those who write insecure code for private sector customers are embarrassed by it and tend to be fired.