http://www.forbes.com/sites/andygree...iest-software/
"Study Confirms The Government Produces The Buggiest Software
Humans aren’t generally very good at writing secure code. But it seems they’re even worse at it when they’re an employee of a government bureaucracy or hired as unaccountable federal contractors.
In a talk at the Black Hat Europe security conference in Amsterdam later this week, security researcher and chief technology officer of bug-hunting firm Veracode Chris Wysopal plans to give a talk breaking down the company’s analysis of 9,910 software applications over the second half of 2010 and 2011, automatically scanning them for errors that a hacker can use to compromise a website or a user’s PC. And one result of that analysis is that government software developers are allowing significantly more hackable security flaws to find their way into their code than their private industry counterparts.
According to Veracode’s analysis across industry and government, fully eight out of ten apps failed to fully live up to the company’s security criteria. But breaking down the results between U.S. government and private sector software, the government programs, 80% of which were built for federal agencies rather than state or local, came out worse. Measuring its collection of apps against the standards of the Open Web Application Security Project, or OWASP, Veracode found that only 16% of government web applications were secure, compared with 24% of finance industry software and 28% of commercial software. And using criteria of the security-focused education group SANS to gauge offline applications, the study found that 18% of government apps passed, compared with 28% of finance industry apps and 34% of commercial software.
“The government acts like security is the problem of the commercial sector and they’re going to regulate everyone,” says Veracode’s Wysopal. “But if you look at this, private industry is definitely ahead of government.”