Security in Government Applications Going by the Wayside

Networked Enterprise Featured Article

June 23, 2015

By Steve Anderson, Contributing TMCnet Writer

Considering that the government may be not only one of the biggest holders of personally-identifiable information, but perhaps the biggest issuer of such information, it's not hard to see where people would prefer that that information be safe. A data breach at the government level could be a disaster, and a new report suggests the news is only getting worse as application security at the government level is falling off.


The report from Veracode revealed some shocking points. Fully three out of four applications that government organizations routinely turn to are not compliant with primary security policies on at least some level. That's bad enough, but there's worse afoot; even when problems are actually found, only about 27 percent of these are reportedly addressed. The Veracode study reportedly tackled over 200,000 applications over the last 18 months, suggesting a good broad pool.

Indeed, the report found that just 24 percent of applications were compliant with the OWASP Top 10, a list of the 10 most commonly seen vulnerability classes in Web-based applications. For each entry, the OWASP Top 10 also explains the risks involved, gives code examples, and describes how to avoid the mistakes that would put an organization at risk.

The news only gets worse when compared to similar studies of private sector apps. The financial services sector, for example, had a compliance rate around 42 percent, or nearly double that of the government's numbers. The manufacturing sector generated 35 percent compliance with the OWASP Top 10, and technology firms' apps were at 32 percent. Healthcare was slightly behind at 31 percent, and the retail and hospitality sectors came in at 31 and 30 percent respectively.

It may strike some as ironic that fields that are heavily regulated—like financial services and healthcare—are actually doing better on security than the regulators, but Veracode's chief technology officer Chris Wysopal offered up some enlightenment on just why there was such a lag in security. Wysopal noted that the government uses quite a bit of legacy code for its applications; it's not out of line to see Classic ASP or ColdFusion in government apps, and these were languages popular back in the 1990s. Other industries have made changes to languages offering better, faster performance, and that's provided some security benefits as well. But as understandable as these points may be, it's still little excuse for the low rates of fixes that take place. The manufacturing sector, for example, reportedly patches its application flaws at a rate of around 80 percent.

It's clear that the government needs to do more in terms of security for its apps. It's a bad sign when the organizations it regulates actually do a better job of security than the organization issuing the regulations in the first place. Considering how much extremely sensitive information the government has, ranking among the lowest in a study is a bad sign in and of itself. A low compliance rate would be less alarming if flaws were at least being fixed at a better rate, but having both problems at once is perhaps the worst state to be in.

Still, knowing the problem exists is half the battle, and if the government can pick up on this issue and get some fixes going, it would go a long way toward settling the problems it clearly has based on these tests.




Edited by Maurice Nagle