Bug-hunting firm Veracode has analyzed 9,910 software applications over the second half of 2010 and 2011, and found that software created by government employees contains significantly more exploitable security flaws than code created by their private industry counterparts. Software developers in the private sector shouldn't pat themselves on the back, though: the results of the study aren't very favorable for them either.
Full details at Forbes.
According to Veracode’s analysis across industry and government, eight out of ten apps failed to fully live up to the company’s security criteria. But breaking down the results between U.S. government and private sector software, the government programs, 80% of which were built for federal agencies rather than state or local ones, came out worse. Measuring its collection of apps against the standards of the Open Web Application Security Project (OWASP), Veracode found that only 16% of government web applications were secure, compared with 24% of finance industry software and 28% of commercial software. And using the criteria of the security-focused education group SANS to gauge offline applications, the study found that 18% of government apps passed, compared with 28% of finance industry apps and 34% of commercial software.
“The government acts like security is the problem of the commercial sector and they’re going to regulate everyone,” says Veracode’s Wysopal. “But if you look at this, private industry is definitely ahead of government.”