A new report out today from the software security firm Veracode found that civilian federal agencies — those largely unconnected to the military or intelligence communities — rank dead last in fixing security problems in the software they build and buy.
That’s particularly relevant given that the massive hacking attack on the U.S. federal government’s Office of Personnel Management has exposed the personal information of at least four million people, and that number is likely to grow as the criminal investigation proceeds and more information comes to light.
The attack on the OPM, likely carried out by a group based in China, was significant for the damage caused, but it’s only the latest in a long string of computer security incidents at federal government agencies, the numbers of which have increased by more than 1,100 percent since 2006.
Veracode, based in Burlington, Mass., runs a cloud-based service that audits the source code of software applications for security vulnerabilities. The report documents the results of these scans carried out over the course of 18 months, ending in March, of 208,670 applications for its customers in both the private and government sectors. And it doesn’t make government IT managers look good.
The firm examined how often software used by its customers contained security flaws, how often those applications complied with widely accepted security standards, and how often vulnerabilities were fixed.
The company found that Web applications in use by federal agencies failed to comply with security standards 76 percent of the time. The standards, created by the nonprofit Open Web Application Security Project, are widely used across the Web. By comparison it found that the financial services industry complies with OWASP 42 percent of the time.
It gets worse: Veracode also measured how often and how quickly software security flaws are fixed after they’re found. During the 18 months covered by the report, Veracode discovered a total of 6.9 million security flaws, of which its customers fixed 4.7 million. But when you break down the tendency to fix those flaws by industry, government agencies ranked dead last again. Veracode found the agencies patched the flaws found in their software only 27 percent of the time. By comparison, companies in the manufacturing sector fixed their flaws 81 percent of the time.
Why aren’t government agencies fixing their flaws? Because no one is requiring them to do so, says Veracode CTO Chris Wysopal. “They don’t fix them because there’s no regulation or compliance rules that require it,” he said in an interview with Re/code.