Study Confirms the Government Produces the Buggiest Software

Sparrowvsrevolution writes in with a link to a Forbes story about the lackluster code produced by government agencies."Humans aren't very good at writing secure code. But they're worst at it when they're paid to do it for the U.S. government, according to a study that will be presented at the Black Hat Europe security conference in Amsterdam later this week. Chris Wysopal, chief technology officer of bug-hunting firm Veracode plans to give a talk breaking down a vulnerability analysis of 9,910 software applications over the second half of 2010 and 2011. Government-built applications came out far worse than those created by the commercial software industry or the finance industry. Only 16% of government web applications were secure by OWASP standards, compared with 24% of finance industry software and 28% of commercial software. By SANS standards, only 18% of government apps passed, compared with 28% of finance industry apps and 34% of commercial software. Wysopal and others blame the difference on a lack of accountability of federal contract developers, who aren't held to security standards and are even paid extra to fix their bugs after creating them."

Hah! See?

[No,+I+am+Spratacus!]

And you thought it was Microsoft...

Re:Hah! See?

[Jeremiah+Cornelius]

Private contactors, low-bidding, on the public's dime.

"We'll be here forever, boys. No need to get it right the first time."

Re:Hah! See?

Bidding?!

There ain't no business like no-bidness.

-- Ethanol-fueled

Re:Hah! See?

[Jeremiah+Cornelius]

It's like this in private-sector, too. Just so, in Government the objective is not profitablility - so th eoversight tends to be more severely lacking.

I watched a crappy little 2 man dev shop bilk a retirement planning group in a major finacial services corporation. They wrote crappy dBase code, with crappy multi-user kludges that all required lifecycle maintainance, patches, rewrites and updates. They could never port off of dBase/NetWare, and I finally helped evict them with the coming of IP networking.

Re:Hah! See?

[Pope]

"It isn't government work if you don't do it twice!" Jerry Gergich

Re:Hah! See?

Uhh.. did you even read the summary? The private sector was only had an additional 8% that was secure. That's so low of a difference it may even be within the margin of error.

Re:Hah! See?

Funny how where I am in Canada, the roads last for more than a year (usually), despite the winter.

Re:Hah! See?

[zephvark]

I think the problem is more that no decent programmer is going to be willing to work for the government. Working for the government or a highly-regulated industry means conforming to any number of pointless and horrible rules, created by people who have no idea what they're doing. It's soul-crushing, and no one would do it if they could possibly get a job elsewhere.

I recently helped a major bank update some of its internal software from 1980s QuickBASIC code (!) so it could run on Windows (!!)... it was badly-written stuff, with line numbers, sections of code that could never be reached, floating point equality comparisons that might not match, and other egregious flaws. In banking software that's been used for decades. Their email policy filtered out .BAS files, because the email administrator apparently confused .BAS files with VBscript, so I had to change the file extensions... until it turned out that their policy prohibited sending any source code "electronically", so I had to FAX print-outs for them to type in.

Of course their programmers were incompetent. Who would work in an environment like that?

Re:Hah! See?

That's because for most of the year the vehicles are wearing out the ice and snow on the roads and not the roads themselves ;).

Re:Hah! See?

[oh_my_080980980]

As opposed to soul crushing rules that corporations have....seriously get a clue. The private sector is just as bad, in some cases they have more red tape.

That's because there's no profit motive.

[MyFirstNameIsPaul]

Duh.

Re:That's because there's no profit motive.

On the contrary. Profit motive is exactly what caused this problem.
Contractors, motivated to get the greatest revenue for the least cost (time, effort, materials, whatever), created crap software. Since they don't suffer from producing crap software, they were simply working in their own (narrow view) best interest.

Perhaps if you were to hire employees that had motive to ensure the long term success of of a project (recognition, keeping your job) you'd get better results..

Re:That's because there's no profit motive.

[MightyYar]

So draft the contract such that the government (or some agent of the government... another bidder?) gets to report bugs and the service is not complete until the bugs are gone. Sure the bids will cost more, but it seems like an easy way to solve this particular problem.

Re:That's because there's no profit motive.

[Vaphell]

when both sides of the deal look after their interests, results tend to be a good bang for the buck spent. Government has no vested interest in getting a good deal and because of that it pretty much asks for being milked dry. On top of that the waste more often than not is rewarded with even more money in next year's budget.

Re:That's because there's no profit motive.

Few small challenges. 1st, you put that in the RFP, not just the proposal. Second, FAR's require a fixed period of performance for all contracts. Third, you sure as fuck don't want this on a service contract, or you'll get nothing but a level of effort from the contractor. Fifth, define "bugs". Sixth, do you really want to continue to pay $slimy_contractor to fix bugs that don't cause a real problem. Seventh, that still doesn't in any way give you any hope of actually getting a usable product. Your response is naive, foolish, and qualifies you to vote for the congressmen who have given us the fucked up acquisitions system.

Re:That's because there's no profit motive.

[rmstar]

Government has no vested interest in getting a good deal and because of that it pretty much asks for being milked dry.

Why is that? Just because you say so? What is that "government" you are talking about?

Government officials have a natural tendency, like anybody else, of trying to do a job they can be proud of. There are many reasons why they don't manage (just look at the Jefferson County disaster). But lack of interest in good results by officials is currently not the most important one.

Re:That's because there's no profit motive.

[skids]

Actually initial attitudes come into play here as well.

If there's a bagel shop that is owned by a guy who only catches 15% of shoplifters, and one which is owned by a guy who catches 25% of shoplifters, but the second guy has a reputation for getting his bagels lifted, shoplifters will go to the second guys shop preferentially, and he'll have more bagels shoplifted despite his vigilance.

As long as there is a general attitude that government == "cash cow" among the private contracting sector, whether or not the government gets better at holding contractors accountable, they will still be victimized more. If contractors suddenly changed their stripes and demonstrate some patriotism, the story would be entirely different.

Re:That's because there's no profit motive.

[MightyYar]

You completely misunderstand. They would certainly not get paid to fix bugs, and in fact the full payout would be withheld until they were fixed.

Do we really need to define bugs in a Slashdot forum? I suspect it would take pages of legalese and probably involve an arbitration mechanism.

Re:That's because there's no profit motive.

[El+Torico]

The profit motive is part of it, but only a part. Usually, the customer has undefined or poorly defined requirements and grossly incompetent management. I was once part of a program in which the government representative refused to provide the security standards and criteria that the system would be judged upon. We had conflicting standards to reconcile and every request for guidance or additional information was ignored.
That was only part of the problem. The network design was provided by the government and it was a complete mess; we couldn't change it either.

Re:That's because there's no profit motive.

[Rich0]

So draft the contract such that the government (or some agent of the government... another bidder?) gets to report bugs and the service is not complete until the bugs are gone.

Yeah, but would the guy writing the contract want to do that to the nice guy who takes 12 senators per month out to a really nice lunch, and makes sure they're always stocked with the latest gadgets/etc?

Re:That's because there's no profit motive.

You get what you pay for. Usually the lowest bid wins the contract.

Re:That's because there's no profit motive.

[PGGreens]

So how would you determine when the program is "bug free" or even "bug free enough"? I'm not sure a contractor would accept a flat payment to be received at the tail end of an indefinite span of bug fixes. But then again, maybe they would. Somebody tell me.

Re:That's because there's no profit motive.

[MightyYar]

I'm not sure how you would define "bug free", but I imagine some language could be constructed that would add only 3 or 4 pounds to the final draft. :) My inclination would be to hire a 3rd party on another contract that gets paid per found bug, with some kind of arbitration when disagreements arise.

Re:That's because there's no profit motive.

[gVibe]

I second that.

Re:That's because there's no profit motive.

No contractor that you would WANT working on your project would willingly work like this. They don't how to protect themselves from abusive partnerships; they most definitely don't know how to protect their code.

Re:That's because there's no profit motive.

[bill_mcgonigle]

Close - the government contractors certainly derive plenty of profit from the system. The problem is that they're 'government contractrors' - it's not a free market. With the market distortions in place that the governments set up, the profit motive in insufficient to produce quality. You need a competitive market for that.

Contractors

Unfortunately, all the outsourcing going on in the Government (because it's easier to get money for a contract than to hire a developer on a permanent basis) is what's really killing the code here. Most outsourcing firms have a "throw the code over the wall" attitude, and spend more time deflecting blame for bugs than trying to fix them. I can't think of a business where there's less accountability than Government contracting, except possibly foreclosure management....

Re:Contractors

People, including programmers, do what they get paid to do. In this case, creating buggy software gets you paid more so what are you gonna do? You're gonna write buggy software.

Re:Contractors

[BenEnglishAtHome]

I just retired from a long IT career with a fed TLA.

In all that time, there were two projects that stood out in my mind the most.

For the first one, a division needed software to automate their primary tasks. If such software could be implemented, it would essentially be where 20,000 people a day spent all their time and brought in billions of dollars. The solution they decided on was to survey the end users who were tired of doing everything on paper, find the ones who were the acknowledged computer geeks, then let them design and write the program. They actually turned field civil law enforcement officers into SAs and analysts and coders and let them build what they needed. It took years but when it was done, it was a thing of functional beauty. Actually, it was ugly as hell but it so perfectly met the needs of the field officers that I know of several who actually delayed their retirements so they could spend more time doing a job that was fun again because all the drudgery had been automated away.

Most. Successful. Project. Ever.

The other one I remember was the same sort of thing, a program that some 70,000 would spend all their time in. It was buggy from the start. The people who had to use it hated it. Every upgrade broke reports from the previous version. It was, obviously, done by contractors. At one point, development halted for almost 18 months because someone dropped a dime on the contract developer and their entire staff of Indian programmers with expired visas had to pack up and go back to Asia. The contractor folded up shop and getting another to step in, untangle the mess, and start moving forward was a royal pain.

My point?

Sometimes, coder skill is meaningless. If you have developers and architects and all those other job titles involved in software development who actually work for the government because, at least in part, they are proud to serve their country...then you get better software.

Government software should be created by government employees, not contractors.

Now I'll go back to my place in the 1950s, where I'm sure many of you will say I belong.

Re:Contractors

[Bogtha]

Yup. Government also produces the least buggy software. I believe NASA holds the record for fewest bugs per line of code.

Re:Contractors

i think it's unfair to judge all contractors as such. i've seen government employees sit on their ass because it's damn near impossible to fire them and they can't be matrixed or anything, so they just coast the last few years til retirement. i've seen contractors work their ass off because they have to basically re-bid every year to keep their job and there is always competition from another contractor that wants that job. Contractors have to keep proving themselves. Government doesn't. The real problem are the few problem child contractors that have connections with someone higher up so they keep winning because they know people. they hire shoddy developers and just get by because it's too much work to throw them off due to their connections and no one wants to rock the boat.

Re:Contractors

[Liquidrage]

100% no doubt. I've said time and time again I can fix a lot of state IT if I could do two things:
1. Fire people like it was the private sector
2. Pay competitive wages for new hires

What a lot of people don't realize about the gov, especially in IT, is if you take any 5 gov IT employees 2 are underpaid worthless cretins that should lose their job but the manager doesn't have 40 hours a week just to document their deficiencies because he/she is actually working. 2 are making what they're worth but are underskilled for the job and the pay reflects that, and one's a complete stud vastly underpaid and doing hero work to make sure things run. Obviously those numbers aren't exact science, but it's like that in a lot of places.

Re:Contractors

[f97tosc]

I think in general it is very difficult to have two groups of separate people, one who understands the problems, and another who understands how to write code.

IN theory you let the users write down a list of specifications, but it rarely works into problems. You always run into trade-offs and conflicts involving functionality vs complexity for example, only somebody who understands both the software and the problem situation can resolve this well.

I agree with you that the best solution is to have the users learn how to code, or possibly let the coders learn how to run the business. Unfortunately I think it is rare to find the right combination of talent. And certainly users without coding talent are not going to declare themselves incompetent to manage in business with increasing software content. And coders are all too comfortable letting somebody else specify what to code and not taking ownership for a product that actually adds value.

Re:Contractors

[Tridus]

You're absolutely right. I work as a programmer for the government and I see the same thing. The stuff that's built in house by any department (not just ours, but I think we do good work) tends to be better. We don't get paid extra to fix bugs - we just get unhappy users and lousy performance reviews for having lots of bugs. As part of the department we actually learn the business and can thus do a better job.

The stuff made by contractors is made to specification, if you're lucky. The problem is that the specification is usually wrong, because non-technical users don't have a clear grasp on what it is they actually need. The successful projects are very much iterative ones, because as soon as you give users something they'll be coming back with changes and new requests and other business areas will be impacted. It's inevitable.

The contractor model is great to make the friends of politicans a lot of money. It's a failure if you want good software.

Re:Contractors

At orbit high cost.

Re:Contractors

Actually, in my experience (as a government IV&V entity) that's only half true.

The "throw the code over the wall" part is there. However, they're happy to admit the bugs are there. Because data rights to the code are often retained by the contractor, and they are HAPPY to try to fix the bugs, because they are kept on a T&M contract to repair any problems the government finds. Which just means more work and more pay for them.

Re:Contractors

Now the reason that the first project was so successful, was because you had real Subject Matter Experts (SME's) who could articulate what they do logically and turn that into usable code. This project would have worked even better if you had brought in some real/good coders and an Architect to help the SME's along. The SME's owned this one and helped drive it. This will always end with success.

Coders do not really need to understand the "business" as long as there are SME's that can articulate what they do logically. Also, your processes cannot be a clusterfuck kludge of shit. This is what all that Use Case shit is about, getting the logical process from the SME's written down so that the coder can turn that into something.

Now if coders/consultants/whoever comes in and tries to create something without dealing with the SME's, and a manager is usually NOT an SME, then your project is already dead. SME's define the Use Cases and SME's run the Test Cases. They decide when it is done and ready for deployment.

Re:Contractors

No, having spent the better part of the '00s in federal IT contracting, you belong in Washington, as a lobbyist, with the goal of gutting the hell out of that abomination known as A-76.

Re:Contractors

[geekoid]

1. See, that's the PROBLEM with the private sector. One you can just fire people, you end up with an entrenched attitude of 'Do what I say or else'. Which is fine for a genius like you, but mostly you end up with a high turn over rate.

Making it difficult mean people can speak up. They can tell a bureau chief why they are wrong and not get fired. THIS is what bring quality, depth of knowledge, and honest opinions and view out into the open.

Contrary to what a lot of people thing, it isn't impossible to fire someone. It make take time, becasue they treat their employees like that are human beings

2. the wages aren't horrible. I could make 30% more in the private sector, but my benis are solid, and I like having a life.

The rest of your post is just ignorant. I've seen peopel get fired. It went like this

1) Bad review with detailed list of whats wrong* I've seen people change the work attitude at this point and become better employees.

2) Verbal warning after 3 months. *again,. seen poeple change at this point

3) written warning - never seen anyone recover from here

4) out the door. 3-6 months, and this includes union.

What really helps is the 9 months grace period. Frankly, if you are lazy, you won't make it 9 months without the become obvious.

Re:Contractors

[Liquidrage]

Most of the people in IT in government have been around far longer then 9 months. While I move around on average every 3 years or so to keep a skill set current and move onto to other projects or opportunities, many, if not most, of gov IT has been around for years and years in the same place.

Are there managers that do that BS firing because they don't like people? Yes. Are they the minority? Yes.

Does the private sector have places taht take advantage of IT work force? Absolutely. Does the private sector pay more, yes.

If you're competent and willing to take a little less for the lifestyle differences, there's no problem unless you end up with a poor manager. When in state government I basically use very little time management when running projects as long as people meet expectations otherwise because its one of the few perks I can give. But your post reeks of a single or few experiences. I've seen way too much of government at all different levels to believe I just have seen the exceptions time and time again. Also, you've missed the point of firing certain people. Certain people are not qualified for the job they are in. They don't have the grey matter or the desire or a bad attitude or all the above. When you ask a person that's a .net programmer if they application had a separate business layer and data layer and they can't tell you because they don't know what that means even though they wrote the app, and that happened to me a few months ago, it's not a good sign. And someone that you need to figure out why they don't know what they should know. Too much of government employees are fat resting the laurels of the few. And they cannot be easily fired at the fed level nor in most states unless they are management. It takes dedicated management which, surprise, is usually where they tuck the competent techs to get them the salaries needed to keep them around and have them focus on tech not management.

Re:Contractors

[BenEnglishAtHome]

A-76.

I could have gone all day without that blood pressure spike.

I don't want to be the lobbyist who gets A-76 killed. I want to be the guy who identifies those responsible, lines them up against a wall, and pulls the trigger.

(Calming down...already retired...don't have to endure it anymore...thinking happy thoughts...)

Re:Contractors

[emilper]

Government software should be created by government employees, not contractors.

All software should be written by employees who understand the domain where the software is supposed to be used.

FTFY

Best software is written by those that will also use it.

Re:Contractors

[nmr_andrew]

2. the wages aren't horrible. I could make 30% more in the private sector, but my benis are solid, and I like having a life.

100% this. A government job may not truly be 9-5 M-F but usually doesn't require insane amounts of overtime. I suppose it depends on how much you value a life outside of the job vs. the number on your paycheck. And the benefit package is usually very good, especially healthcare. Although most jobs now have a 401k equivalent and not pensions. Then again, government employees who aren't purely political are certainly not overpaid, despite what most of the public seems to think.

I also have to agree on the firing. The paperwork and documentation are a pain in the ass, but it's really not that hard to get rid of a bad employee for cause. My dad worked in state government and oversaw quite a number of disciplinary hearings. There was rarely a problem, so long as the supervisor bringing the grievance had all the ducks in a row, even for unionized employees.

I can attest to this

[Reverand+Dave]

I work for a government agency and I can swear this to be the absolute truth. I believe the reason to be a lot of politicking in management and not enough actual IT experience. No one wants to step on toes or else it might come back to bite you later when you need funds for a project so when user X asks for feature Y in software Z and there is no way it can be implemented without hacking together a mess of SQL query strings that may or may not work, well then you do it, because if you don't do it. User X may at one point be on a committee that can divert funds from your server or software upgrade budget.

Re:I can attest to this

[Carewolf]

So you can attest that government code quality is _SLIGHTLY_ more buggy than commercial code?? Notice the percentages, the wast majority of commercial code is complete crap too, the percentage is just _slightly_ higher for the government.

Your story is the same story everywhere. Nothing special for the government only more common.

Re:I can attest to this

[Baloroth]

So you can attest that government code quality is _SLIGHTLY_ more buggy than commercial code?? Notice the percentages, the wast majority of commercial code is complete crap too, the percentage is just _slightly_ higher for the government.

Financial web applications are 50% more likely than government one to be secure, and commercial software is almost double the government stuff. That isn't _slightly_ that is significantly. Yes, the vast majority of code everywhere sucks, the government just sucks considerably (not slightly) worse than regular business software.

Re:I can attest to this

Been using punctuation long?

Re:I can attest to this

Except NASA. Maybe the shuttle team needs to be repurposed to other areas needing development?

the shuttle software group is one of just four outfits in the world to win the coveted Level 5 ranking of the federal governments Software Engineering Institute (SEI)

Re:I can attest to this

I guess we disagree on this one. You can make up statistics all day, but in the end everyone gets 0wned. 72% ownable isn't really something you should be crowing about how the private sector is so much better.

Re:I can attest to this

[Carewolf]

That is a valid perspective. I just considered anything below 90% secure (and this is not real security checks, just a check for really common mistakes) as so bad it doesn't really matter.

Re:I can attest to this

[scot4875]

Financial web applications are 50% more likely than government one to be secure

50% more than not very likely is still only slightly more likely.

--Jeremy

Re:I can attest to this

[geekoid]

Did you read the report? no, of course you didn't. Unless you are explaining the code developed by the private sector for the government is marginal more buggy? And the the study is worth a damn.

I work for a government agency. You're whole description sound a hell of a lot more accurate to my experience in the private sector then the public sector.

Anecdotal experiences: Two Tales...

Private sector:
One time I got called on the carpet because I didn't list the names in my email address list in the 'appropriate order'. Putting a middle management person before the VP.. what nerve I have. I have many takes of correcting someone and being labels trouble maker. The financial sector sucks eggs.

Public sector:
Told a Bureaus head he was wrong, listed why. He Thanks me for speaking up and saving them from an expensive mistake.

Re:I can attest to this

[Reverand+Dave]

I don't know where you get the slightly part from. I think that the reason commercial code is crap is fairly similar, but there are far fewer excuses in an enterprise where the point is to make money in the end. We unfortunately don't have the pressure.

Re:I can attest to this

[PCM2]

I believe the reason to be a lot of politicking in management and not enough actual IT experience.

I think one reason for this might be high barrier to entry. A lot of government jobs might require a security clearance (even a low one). That rules out some qualified people. And then, there's a little bit of the attitude that they want you to have "experience in the public sector." There's a similar attitude at many nonprofits, where they want you to have worked at/with other nonprofits before. There's nothing really wrong with this per se, but the effect is that it's public sector experience first, IT experience second.

Re:I can attest to this

[oh_my_080980980]

Thank You! I run across this all the time. The private sector has it's own rules and regulations. Basically, it comes down to the people running the show. You can have well run government agencies the same way you can have poorly run corporations. It's the people that make the difference. This public versus private debate is pure crap.

Healthcare.exe, Waronterror.exe

This program has performed an illegal operation and must be shut down.

If the problem persists, contact the program vendor.

Yes.

[Cantide]

I was a software tester for the DoD and can confirm the stupidity here. (I can't really talk about the exact program but I can tell you with 100% certainty that it was mission critical.) We were contracted to run massive amounts of automated testing on the latest build of the software I was working on. Upon finding bugs, we needed to do regression testing... to decide if we would fix them in the latest build, because if they were present in previous versions we were under no obligation to do so unless specifically paid to do so.

Gov't should be ideal for secure, bug-free develop

[Iamthecheese]

There are industry-common metrics for good code.

With its focus on long-term outcomes, big budgets, and relatively stable personnel it seems to me non-outsourced government work would tend to produce better code.

Part of the government wrote the code for the space shuttle, the most bug-free program ever written. Seriously, look it up, that code is amazing.

The problem with these specific problems isn't with government but with improper requirements and possibly graft. These are much easier to fix on a local level than bad code in my not so humble opinion.

Laugh

[koan]

Obvious loop hole...
"and are even paid extra to fix their bugs after creating them."

Re:Laugh

[mcavic]

and are even paid extra to fix their bugs after creating them

There's no getting around that. Programmers have to eat too.

Re:Laugh

[ae1294]

There's no getting around that. Programmers have to eat too.

PERL programmers don't...

Hiring the cheapest competitor doesn't help either

[marcosdumay]

The rules for government aquisition don't help. As there isn't any usefull formal metric for software quality, it normaly must settle with the cheapest competitor whoever it is, however it works.

"even paid extra to fix their bugs after creating"

[SwashbucklingCowboy]

Reminds me of this Dilbert comic

Contractors

[betterunixthanunix]

My first though was, "Probably the work of contractors." Then I RTFA'd and had it confirmed:

That institutional insecurity, says Alan Paller, researcher director of the SANS Institute, is the result of a private contractor system that actually rewards insecure coding. âoeThe consequences for private sector software writers who write insecure code in commercial software is high costs for patching along with substantial embarrassment for their companies and job insecurity for them,â he says. âoeIn contrast, the consequences for private sector software writers who write insecure code for the government is contract add-ons to fix the problem, and more revenue for their companies and job security for them.â

We lack the expertise 2 program a complete program

[D4C5CE]

Die Expertise, ein gesamtes Programm zu programmieren, ist nicht vorhanden.

Spokesman of the German Home Office (BMI, in charge of the "Federal Trojan Horse" exposed by the CCC) at the Federal Press Conference 2011-10-12.

Not susprised at all

My first job was doing software for the federal government (mainly tools for tracking government property and assets and the nightmare of paperwork associated with them). It was _horrible_. It was a well paying job, great benefits, very relaxed (but political) environment .. but the atrocities committed to the art of software development combined with the painfully slow pace were unbearable.

Everything was always caught up in red tape. Requirements were always wrong, outdated, or both. In a lot of cases there was no clear time frame or end plan for software .. that shit would get figured out when/if the project was finished. And projects were often arbitrarily cancelled. Stuff that was finished and deployed often went unused for various reasons.

There was also an anti-change culture. Anything new was met with extreme resistance. Also there was this feeling that anything that improved our efficiency would decrease our staff. It wasn't entirely unfounded. Stuff was scheduled to take a certain amount of time. If it took less time, it wasn't like there was more work to fill in the holes.

And the code. Wow. I think it's part because the federal government has a lot of co-op/student programs .. and part because most programmers that care about software quality got the hell out of there (like I did) .. but the code that came out of my department was.. terrifying. Thankfully these were internal apps. Database queries involving multiple tables can be complicated.. but it's easy to put the same data in multiple tables! So just create multiple tables with the various data sets you need! Suggest a database view (at least half way to an ok solution) .. the DBA (yes, they had a DBA, a professional database guy, and he allowed this!) won't allow it (he won't reject it, he just offers to "look into it", which if you don't know is office politics for "nope!").

Ok I'm gonna stop and let my blood pressure come back down...

Yeah, well

[RPGillespie]

We're a heck of a lot better at writing secure code than the other animals

Re:Yeah, well

[Oswald+McWeany]

I disagree. My cat has NEVER written unsecure code.

Re:Yeah, well

[ae1294]

My cats code is also Perrrfect!

So what is everyone else's excuse?

[rudy_wayne]

By SANS standards, only 18% of government apps passed, compared with 28% of finance industry apps and 34% of commercial software. Wysopal and others blame the difference on a lack of accountability of federal contract developers, who aren't held to security standards and are even paid extra to fix their bugs after creating them."

OK. So government contractor produce the shittiest code, due to a lack of accountability. However, the 34% rating for commercial software is absolutely horrible and inexcusable. Commercial software is almost twice as good, but twice as good shit is still shit.

Thats only the US Gov't

[Spy+Handler]

In some other countries, government employees are smart and work hard. In South Korea for instance the gov't software all run on IE6 activeX plugins and are rock-solid.

Blah

pretty good for government work.

Re:Gov't should be ideal for secure, bug-free deve

do you know what's lacking in the scenario you outlined, here, let me post again for those who weren't paying attention:

-long term outcomes = by the the time they're done, shit can the whole mess.

-big budgets = everyone is fat and happy, $800 wrenches, and $1500 toilet seats for everyone.

-relatively stable personnel = people's ass rooted to chairs. it's so fucking stable, you'll be hard pressed to find a pulse, much less a sense of urgency. ...it's not about finding the one thing that a government employee did well. One can always find a few examples of something done well.

But even in those cases, that are so rare, where the government did something well, it always falls on it's face when you factor in "how long did it take" (always wayyy too long), and "at what cost" (the costs are always ass raping with a drumstick. sideways.)

Interpret however you like

[djdanlib]

Wow, I just found out that I'm better at something than the government.

Re:Gov't should be ideal for secure, bug-free deve

[mykepredko]

Actually, the Government had just about nothing to do with the Space Shuttle code.

The group that did it was founded by IBM and has been passed around to a number of other vendors (I believe they have ended up at LockMart).

I'm not sure if this supports or discourages your point.

myke

There's more reasons for this

[Liquidrage]

1. Much of government is custom software. In the private world less so. Not that there aren't exceptions in either case, but my bank didn't write their own custom software for finances. In government it's almost always build over buy. It's much harder for the government to change policies to fit software when much of what they are writing software for is dictated by legislation.

2. Much of government software is written last minute to meet the demands of the people we've elected that in turn force government agencies to create something from nothing, usually without proper funding and usually with unrealistic deadlines.

3. Much of government software is written by inexperienced people. Contractors and government employees are rehashed from project to project even as technology changes.

I've worked public and private for 15 years now in tech and have seen it all. DoD, Federal, and State projects from both sides of the contract/public servant side. A lot of government software is written in locations with smaller workforces leading to hiring people that are just the best you can get, now what you should get. The deadlines for government projects are almost always unrealistic. The powers that be, and I mean the legislature at the state level and agency heads in Federal, and the commanders/Washington in DoD work, don't feel like there's a ROI on almost any project, it's just stuff they "have" to do, so they don't take into account doing it right. They shoestring a budget, or don't even have a budget, and use whatever resources they can find to get things done.

Most projects aren't even contracted out completely. Many are sure. But I'd say more are a mixture of public workforce and contract or just done but the public servants at hand already. And yes, the contracted out ones are usually the worse IMO because the reason they got the contract is they "knew" the right person and it's a milking of taxpayer money. I've taken over for two projects completely outsourced to very large multi-national contracting firms whose names everyone would recognize. Both were over 70 million contracts. And both were complete crap. The systems were disgusting. We didn't even get printed binders for taking over the maintenance on either. We got some word docs in a network folder, the documents created "after" development was completed. A hodgepodge of technologies and some really bad code. For 70+ million you'd think you'd at least get a Tech Writer on the project and some bound color copies from Kinkos. Nope.

Re:There's more reasons for this

Amen. Been there, done that. It's hard to imagine the incompetance and waste until you see if for yourself during a few projects. Not to mention the prima-donna attitudes that most big contractors have.

Re:There's more reasons for this

1. Legislated failure is still failure, and not doing something right because it's hard is not an acceptable reason for poor performance.

2. The last minute problem is definitely there.

3. There is definitely a lack of personal accountability, probably driven by the stringency of the background checks. The Gov doesn't have firing and lay offs like the private sector(non-contractor) does, which leads to marginally competent people working many of these failing projects. I sometimes joke that most DOD projects require a clearance and pulse, but in a pinch you can get a waiver for the pulse.

It's definitely true that the contractor incentives are not aligned well, but then again look at the people running these projects. Creative destruction is a necessity and in it's absence the Peter principle flourishes.

Re:There's more reasons for this

This has been my experience as well.

"It will cost you X and take Y time to do this properly."
"We don't have the time or the money. Get it done using much less. Just make an 'interim' system to make do"
"Every time we make an 'interim' system, it becomes a permanent one."
"Just get it done"
"OK, sigh."

Then fast forward 6 Months...

"So we designed the system and implemented it. Its not pretty but it works."
"Oh BTW the current political masters have made this a priority, and have changed all the business rules surrounding that system".
"You mean I have to alter it already? Well I guess we can draw up a requirements document and have some meetings with stakeholders..."
"No time for that, we need this in production, just make the changes."
Vendor makes a bunch of changes to a system they have no idea about and do little or not testing...

Last time I did testing on a contractors code I was left wondering how they are even aware that their code works, as NOTHING worked the way it should have. I'm not even talking "testing" here, simply running your code and observing if it works... I would then respond with all the errors, descriptions of each, including images, and the next drop would have one things fixed and 99 still broken. Repeat 100 more times. Baffled me to no end.

communism

[Lehk228]

Remember, if the government were to hire it's own developers to make government systems that would be communism and if those developers were allowed to unionize and put their foot down to halt a known bad release until it was correct and secure, that would be ultra-communism

Re:Hiring the cheapest competitor doesn't help eit

[mini+me]

I don't know about the US government, but I see things with my local government like: You need a degree in computer science to build a webpage. CS grads are generally not skilled in producing such works, so you end up either picking from the limited group of people who are, or more likely you choose someone who is not a good fit for the job and end up with poor results.

Re:Gov't should be ideal for secure, bug-free deve

[ColdWetDog]

Part of the government wrote the code for the space shuttle, the most bug-free program ever written. Seriously, look it up, that code is amazing.

That's it! Get rid of those nasty high level languages and get back to the bare metal with assembly. None of this new fangled junky stuff.

Kids these days. Never learn anything from their betters.

One other factor

Other contributors have mentioned good reasons for government code being less secure. I'm going to give another interpretation: sample bias.

How do you get a representative sample of industry code or government code? It's just not possible.

Sounds like they have little practical experience

[MikeRT]

Wysopal and others blame the difference on a lack of accountability of federal contract developers, who aren't held to security standards and are even paid extra to fix their bugs after creating them.

Ah yes, blame the contractors for everything. Ignore the fact that not that long ago, one of the highest ranking federal IT officers came out and basically confessed that most federal IT projects fail because most of the federal government doesn't even remotely handle requirements gathering properly. That's a nice way of saying they have a lot of money and don't know what they want to do with it, but damned if they're not going to blow it anyway before firmly figuring out what they need.

Re:Hiring the cheapest competitor doesn't help eit

There is a useful formal metric, maintenance cost. The lowest price including both development and maintenance for the entire anticipated lifespan of the product should be used, not just the development rate. Unfortunantly, that's too rational, odds are the not yet approved metric for software quality will be something like 'whatever uses more RAM.'

Different markets.

[MindStalker]

Government web applications are generally intended to Provide public information. 16% secure
Finance industry web applications are intended to transmit money the fact. 24% secure. The fact that this is less than twice as secure as web application that are generally informational only is frightening as heck.

Commercial applications are a mix of the two and come out to 28%. Strange.

Re:Sounds like they have little practical experien

[Liquidrage]

Of course now the government is switching to agile/scrum (as opposed to the prior methodology of OMFGRAD) en masse so that requirements are gathered on the fly/after the fact and collected on sticky notes and discussed for 10 minutes a day. Because hell, if you can't get good requirements might as well have a methodology that minimizes the need for them.

Of course, considering almost all government software is dictated by business logic and legislation and often rely on existing legacy systems that can't be easily changed, I don't think it's exactly wise. I gag every time the cafe-latte sipping PM's gush about switching over toe scrum on another project so I can spend twice as long building software because my requirements are even worse now. But hey, it has a catchy name, it must be good for government work. We're all so grown up now.

It's not like a can get a high level requirement that I need to capture user information and go build a user screen in the government world. Every freaking little detail is going to be exacted upon on a user screen with rules and laws (and legacy systems) dictating what I can and can't do what is and isn't there and how it interacts with other systems. It's not that agile/scrum is always bad. It's just a square peg in a round hole of current government in most cases.

Stuxnet was pretty solid though

On a more serious note, I wonder if this is related to all the disparate contractors actually writing the programs?

Re:Stuxnet was pretty solid though

[hemo_jr]

I see this as proof, positive that Stuxnet was not a U.S. government product.

Re:Stuxnet was pretty solid though

[Liquidrage]

In a way yes. A typical government project comes about by putting a team together for that project. It may be outsourced to a vendor, vendors bought in as staff aug, or done in house with existing IT resources. Or bought but that doesn't happen that often.

Now, since they're doing it as cheap as possible, maintenance is almost never factored in except on the biggest projects. The rest they just expect you to suck up with existing resources. And it's a one-off app so maintenance is as needed. Basically, once it's released (or the final release is put out considering a lot is done in iterrations) it's a dead system except when a bug is found. That accounts for the way a lot, but not all, government software is done. Which means, as opposed to a commercial package where a bug found by one customer and fixed by a support team can fix a bug for a 1000 customers, you're in your own fiefdom. Of course that hurts things. When you go to agency to agency, even within a single state or county, everything is done differently, looks differently, named differently. There are no true standards.

That said, almost every big consolidation effort in IT I've seen has failed miserably. Because by law/degree/legislation every single entity of government is so different and has such different rules to follow. Government is BIG. You're talking hundreds of thousands projects and developers and standardizing that is hard. It's a lot easier for Coke-a-Cola to standardize IT then it for all the soft drink makers to standardize IT practices. And government is like the latter x1000. And again, Coke-a-Cola's only going to do something that makes sense from a business standpoint and has a tangible ROI so they do it right to get that ROI (just an example, Coke IT might suck for all I know). Where as the government stuff almost never has an ROI, it's done because it's required to be done and isn't budgeted to be done, just required. With no ROI it's always just a "get it done" attitude. And a lot of stuff is done to make a politician happy so even though he has no idea what really should be done he has final say because he's going to use it to get favors with other politicians or to make a press release and use it for future votes.

Don't blame the contractors...

[retech]

At least not 100%. You can blame the many headed beast they have to answer to. With every dept. head feeling they have to justify their existence by exerting power in the form of conflicting demands. Also add to this rule sets for compliance that are decentralized and NOT overseen by people who know how to program (generally) but instead know how to be gov't administrators. So compliance will often mean having internal conflicts as to what an application can do.

This is really about government controls run a muck.

Part of the problem is the "do it cheap" mindset

from management and the customers. Unit testing, regression testing, QA, code reviews, proper design, refactoring once problems are found. These are all discouraged because "the customer wants it now" or "it's not in the contract". Also as others have mentioned, the hiring of essentially coding mercenaries (contractors) that do not stay with the company long-term and have no accountability or interest in long-term quality. Plus, it's cheaper (on paper at least) to hire a contractor at an hourly wage than an actual full-time software engineer.

Cost + Fixed Fee

[englishknnigits]

This is partially due to the Cost + Fixed Fee model which encourages companies to reinvent the wheel instead of developing and using stable, tested code bases. Spending more money grows your revenue and your company, being efficient and spending less money limits the growth potential of your company. The second major reason is they are married to outdated development practices like the Waterfall model and generally answering new/potentially better ideas with "No, that's not the way its done."

Government certification

Why is it such a hurdle to get software certified for government use when the government can't even write merely competent software?

Cost-plus

[Todd+Knarr]

Well, duh. Thanks to the rules (lobbied for by we-all-know-who), most government contracts are cost-plus: the contractor's paid the bid plus any additional costs that come up after the bid. With those terms the best approach is to low-ball the bid to insure you win it, do a shoddy job and then bill any time needed to fix the problems as an additional cost.

The fix is obvious: eliminate cost-plus. Make the standard terms fixed-cost: the contractor's paid the amount bid to deliver the goods as specified in the bid, and if they don't meet spec the contractor has to eat any costs needed to correct the deficiency. The only costs that're paid beyond the bid are those for changes the government requested after the bid was placed, and those costs are fixed before the changes are started. But the lobbyists for the big government contractors will fight that tooth and nail.

Re:Cost-plus

In 12 years of working in software development I can say without a doubt no one is ever happy with fixed cost projects. The customer feels they didn't get what they paid for and the developer feels they got killed with scope creep. What would be better is the ability to allow the people in charge of these projects to do business with companies that produce quality work and to choose not to do business with companies that produce crap. Obviously add in some oversight wrt kickbacks and favoritism. As it stands if you're the lowest bidder the government is legally obligated to use you, even if you've proven to be horrible to work with in the past.

Re:Cost-plus

[geekoid]

Many, not most. And for a great many of them it makes sense. Note: cost plus does not equal zero oversight. Just so you know.

Lets take a 5 year project on a piece of highway.

Seems pretty straight forward right?
Did you know the price of rock could double in that time period? or be cut ijn half? rock turns out to be more volatile then one would expect.

And that's just one component. IO unusually bad year can delay, fuel prices changes and so on.
Now, I know the media doesn't report this side of it, but sometime cost-plus has ended cheaper then estimated.

Eliminating cost plus will make thing more expense, and the results won't be any different.
Remember, we are talking about huge projects here. Many years. If you want a straight price bid, it means every bid would be 50% more then they are now, AND there would be more incentive for the contractor to screw you.

LOL

[SuperDre]

And to think that 90% of the software created by the government is actually created by commercial companies.. so the study is actually bogus...

Not the contractors fault.

Maybe the government just needs to add, "Must conform to X standard." in their contracts. If no standard is specified in the contract the contractor has no obligation to conform. This is an oversight by the government, not the contractor. What we need are knowledgeable people writing the contracts, not some bureaucrats buddy who donated some money and only knows how to write Hello World to a console..

Re:Not the contractors fault.

The European Commission have some standard for web publication (379 pages for the printed version). I still wait for 1 contractor to follow even the most basics lines of the standard. They all have said in their bid that they will follow it, but none fully delivered to that promise.

When i manage a contract for creating a new website, I squeeze the contractor until the last 'bug' is corrected. By bug I mean every deviation from the standard. But when a colleague is in charge of a project and in this project there is a paragraph saying that they should have a website. They write a contract to ask a contractor to do the job for the project and add a paragraph in that contract saying that the contractor should also create a website following the IPG. Then the contractor deliver... And generally what it deliver is a soup of HTML tags that look good on the screen but doesn't even pass without errors in an html validator. The collegue have done everything right, except he is unable to check the work of the contractor because he doesn't know anything about websites and the contractor know it.

uninstall

[profaneone]

/me uninstalls SELinux.

shit from suger

[Stonefish]

There are a couple of assumptions here which are actually validated. One is that all government code is outsourced, actually its not.
The fundamental problem here is that government agencies especially can't tell shit from suger in terms of the quality of their software.
Industry can't tell them either, I know from experience that Government already spends enormous sums of money on processes which are meant to make software better, guess what? It doesn't work.
Government agencies (and staff promotions) are measured by inputs rather than outputs, ie how much they spend rather than what they produce, until this changes government software will be shit.

Re:shit from suger

[geekoid]

" One is that all government code is outsourced, actually its not.
um, no most of it is. And in my experience, at the end of the day it's more expensive then keeping staff on hand.

Interesting, Me experience is quite the opposite. Results make the next position you apply for more likely to look at you.
When you can get shit down,l people know and don't hire you, and eventual you position will be cut.

Security vulns are not bugs

[onebeaumond]

Veracode isn't offering to fix "buggy" code, they're selling "cyber terror" fixes.

The software in question usually called "laws."

[gestalt_n_pepper]

Conceived by unaccountable committees. No independent cost/benefit analysis, no human factors or usability analysis. No testing prior to rollout. Spotty or no technical support. No GAAP accounting to see if the software saved money or accomplished stated goals. No money back guarantee and many of the developers leave the company every four years.

Outsourcing, all around

[mbessey]

It's likely that the percentage of outsourced projects tracks the prevalence of security problems. Certainly, the government has a very high level of outsourced vs in-house development. I think that financial institutions also tend to largely outsource (especially customer-facing) development.

Bad metrics all around

[minstrelmike]

None of those percentages 16-28% sound very good to me.
The reason the govt is the worst is what others mentioned--too many cooks spoiling the broth.
The Department of Homeland Security consists of 22 separate Agencies that report to 88 different Congressional committees.That last sentence is a problem statement in my opinion.

Re:Bad metrics all around

[geekoid]

Instead of agreeing because it confirms to your bias, look at where this 'study; comes from.

And the divsion of responsibilities in a government agency's is a strength, not a flaw.

Not only the US government

[tsa]

Our (Dutch) police have a new computer system that is so bad the consensus is now to abandon it and start again from scratch. It has cost lots of hundreds of millions of euros.

Re:Not only the US government

[tsa]

Replying to myself I know, but I forgot the other debacle: our new train ticket system which is very buggy, insecure and has also cost loads of taxpayer's money.

Re:Not only the US government

If only our bright folks at the ministry of transportation would have looked at other cities around the world with public transportation and RFID, they wouldn't have had to reinvent the wheel. (..again) And why does every transport company use different readers? No wonder it's buggy as hell. I'm surprised it even works. Barely.

Study Shows Increased Sales For Veracode

[sweatyboatman]

This isn't a study.

This is a press release declaring that everyone who is not already their client has a desperate need for Veracode's services. No different than when Norton sends out a "study" that shows how terribly dangerous the internet is or how much malware exists for smartphones.

This just sounds like they're angling to get themselves some more government business. And you know, kudos for them.

LOL

[nthwaver]

Goverment are faget asshole too busy sucking gay faget cock to write good codes. We need to get rid of goverment and set up constitutional anarchy and send all the fagets away to France or some other faget country.

You'd be surprised how much software from all business models is written by queer folk! Microsoft actually lobbies the state of Washington for gender-neutral marriage so that they can poach more gay programmers. Google does the same. Your OS, browser and phone were probably designed by fagets. The field of computer science was founded by Alan Turing, an internationally infamous faget. Face it dude, queers are too smart and useful, you'll never get rid of us.

Re:Gov't should be ideal for secure, bug-free deve

[Tridus]

Contractors don't care about that stuff. They're there to build something as quickly as possible that meets the minimum spec so they get paid. Bugs just mean future work.

insecure = buggy?

since when? buggy = insecure, I might agree with, but the fact that gov code did not score high on some arbitrary web security standards (not the ones that the contractors were being paid to implement, does not mean the code was buggy.

There's a number of reasons for this

[Tridus]

Governments are prone to several problems that cause serious problems with program quality. Speaking as a government programmer, starting with the biggest problem:

1. Consultants. Anytime you have someone external come in and build the code, they don't know anything about the business. They build whatever the spec is (hopefully). In my experience in government, specs are usually very bad at explaining what the users actually need. You need to understand the business in question pretty well to do that. Someone who actually understands how Environmental Inspection & Enforcement is done will be able to write a better program to do it then some guy who is just reading what a word doc says to build, because the first person has the knowledge to know when the spec is wrong.

And that's on a good day. Then you get the consultants who use crappy obsolete technology to throw stuff out quickly, hoping to get more money to fix it later. It won't integrate with anything else, because other consultants did that. When it needs changes because of legislative changes to the business put in by the politicians, nobody is going to know how to change it. It's an expensive and ineffecient model.

Whenever you hear about a $300 million system that didn't work, the odds are good a lot of consultants were involved.

2. Scope creep. Governments are infamous for this. They say we're going to do X. Then another branch jumps in later, now we're doing Y. Then another one. Oh, then there is a department merger and we need it to also work for some other department. Then there's an election and the priorities all changed. Good luck keeping up with that. It's made even worse if you're trying to do the project as one giant release that's all things to all people.

What governments need to do in order to deal with this inevitable problem is split projects up into phases and deliver smaller pieces. It's a lot better to get the first piece out there and in use in a relatively short timeframe then it is to try and build the entire mega-solution at once.

3. It's easy for government employees to become insular, because government is different from the rest of the industry. It's a trap to fall into where you don't keep up with what's new and changing just because you don't particularly need to. Given enough time, skills can become lax and obsolete. It's something that can be dealt with, but employees have to be encouraged to keep learning.

Yet another flawed studiy

[geekoid]

where the p[people don't realize the 'government' isn't one group, one set of funds, or one set of guideline.

Oh wait? they sell a product? and don't release the details of said study? Maybe they do understand why a general grab at the generic label 'Government' makes for a misleading results.

Re:Hiring the cheapest competitor doesn't help eit

[geekoid]

No it isn't. Please stop spreading your crap on everyone's toast.

Re:Hiring the cheapest competitor doesn't help eit

[geekoid]

That speaks volumes to your CS grads....

WYSIWYG (what you sign is what you get)

[Eponymous+Hero]

and are even paid extra to fix their bugs after creating them.

this is the standard procedure when you, the client, approve work without kicking the tires. obviously there are some exceptional situations, and some legalese is required. if you don't want to pay for bugs to get fixed, either don't approve them or get a warranty. nobody writes bug-free code, that's a myth inherent in non-programmers. but on the whole, if you buy something without warranty, you get what you get. that's the whole point of charging extra for warranties.

if i'm a landscaper and i plant the trees you want me to plant, and later you find out they give you allergies, i'm not pulling the trees out for free. nor will i take shit off you for not knowing you're allergic. there are other analogies you could use to try to disprove me. my analogy doesn't prove me correct, but i believe i am and it helps illustrate why.

NOT Confirms.

[Atzanteol]

Concludes, not confirms. Studies do not confirm anything (unless done by Netcraft).

Re:Hiring the cheapest competitor doesn't help eit

[Dragonslicer]

That speaks volumes to your CS grads....

You mean how they aren't all expert web designers (distinct from web developers, i.e. programmers)? I have a computer science degree, and web design is far from a strength for me. I can create a web page that someone gives me a drawing for, but creating that drawing isn't something that all, or even most, computer science graduates are good at.

Govt Software

[deciduousness]

The slight difference in percentages really surprised me. Somehow I expected better of the private sector.

I have seen quite a few "Government" built software applications. 40% of the time it is a single person or kid just out of college with no or not much experience that works in that group and was asked to create it because they have programming experience on their resume. Another 40% of the time it is someone who bid low on it and is frantically posting to forums and groups asking for help with their work because they really don't know what they are doing. With these first two you can also add in that the application was created in DOS and now runs in a emulator on a winME system.

It looks like the remaining 15-20% may actually know what they are doing.

Re:Hiring the cheapest competitor doesn't help eit

[neonv]

Being in the defense industry, it matters how the software works. It has to perform well, be easy to use, and THEN costs are considered. Producing bad software also means no future contracts. The government doesn't throw contracts to anyone who says they can make something cheaply, they have to show competence, produce a cost schedule, and a detailed architecture plan. The government has lots of standards for software, depending on the area the software covers. The software industry also has standards that the government uses.

Bottom line, the government picks contracts based on performance, quality, and cost. Stop stereotyping contractors into a big group of slackers that produce crap.

Re:Gov't should be ideal for secure, bug-free deve

[Brian+Feldman]

That's not true. There are poor developers in contracting, but most of the time the failure is within the communication between the people who will be the end-users and the people who will be implementing products. Developers can't anticipate every use of a software.

Which is quite funny

[gelfling]

Because as anyone who's ever had to engage the government on any outsourcing or code maintenance deal knows that the government's list of security 'requirements', application testing criteria, security and encryption demands, documentation standards, SLA's and standards compliance stretches from here to the fucking moon making regulatory and audit compliance insanely expensive and almost guaranteed to fail.

Re:Hiring the cheapest competitor doesn't help eit

I would be quite sad to be a CS graduate that came out of the program skilled in a specific technology as a result of the schooling. Passing knowledge gained through the demonstration of theory, sure, but that is far from expert knowledge of an application-specific domain. That only comes with experience, and you don't want to be wasting your precious school time with that.

Except, once you have experience, you are sought after in hopes you can duplicate what you've done in the past. You are no longer a CS graduate, you are someone who has done great things with technology X, who may or may not be a CS graduate on the side.

To seek a CS graduate, specifically, for a job of application, says that you are looking for a bright mind that is new to the game that you can mould to your specific technology stack. Nothing wrong with that. We continually need new blood in the game so that they can become experts in the future. However, they are not skilled with your specific technology yet. You are going to have trouble if you expect them to hit the ground running.

So, the problem with government hiring, through my observation, is that they often seek a CS graduate when they really want an expert. It should come as no surprise that you are going to find poor results if you ask for the wrong thing in the first place.

Incorrect title

[Zoxed]

I know that Slashdot has just copied the article title, but it seems incorrect:

- The article only seems to discuss security: this is only one class of bug.
- Surely a bug is a mismatch between the requirements and the implementation. If certain security criteria are not required, then it is not a bug if they are not met !

I suggest the title should be more like "Study Confirms The Government Produces The Least Secure Software".

Re:Hiring the cheapest competitor doesn't help eit

[omnichad]

Have you ever seen a mostly-technical person try to design things? Obviously, if they have a clue about UI design they can at least follow web conventions for structure, but....they don't know what isn't ugly:
Example: Illinois Department of Financial & Professional Regulation

Re:Gov't should be ideal for secure, bug-free deve

[bill_mcgonigle]

Part of the government wrote the code for the space shuttle, the most bug-free program ever written. Seriously, look it up, that code is amazing.

And probably the most expensive software per line of code ever written (that delivered, of course).

Most software shouldn't be that good (at least until we know how to prove software automatically). Better to cure malaria than make perfect timeclock software for the park police.