Study Confirms the Government Produces the Buggiest Software

Sparrowvsrevolution writes in with a link to a Forbes story about the lackluster code produced by government agencies."Humans aren't very good at writing secure code. But they're worst at it when they're paid to do it for the U.S. government, according to a study that will be presented at the Black Hat Europe security conference in Amsterdam later this week. Chris Wysopal, chief technology officer of bug-hunting firm Veracode plans to give a talk breaking down a vulnerability analysis of 9,910 software applications over the second half of 2010 and 2011. Government-built applications came out far worse than those created by the commercial software industry or the finance industry. Only 16% of government web applications were secure by OWASP standards, compared with 24% of finance industry software and 28% of commercial software. By SANS standards, only 18% of government apps passed, compared with 28% of finance industry apps and 34% of commercial software. Wysopal and others blame the difference on a lack of accountability of federal contract developers, who aren't held to security standards and are even paid extra to fix their bugs after creating them."

Hah! See?

[No,+I+am+Spratacus!]

And you thought it was Microsoft...

Re:Hah! See?

[Jeremiah+Cornelius]

Private contactors, low-bidding, on the public's dime.

"We'll be here forever, boys. No need to get it right the first time."

Re:Hah! See?

[zephvark]

I think the problem is more that no decent programmer is going to be willing to work for the government. Working for the government or a highly-regulated industry means conforming to any number of pointless and horrible rules, created by people who have no idea what they're doing. It's soul-crushing, and no one would do it if they could possibly get a job elsewhere.

I recently helped a major bank update some of its internal software from 1980s QuickBASIC code (!) so it could run on Windows (!!)... it was badly-written stuff, with line numbers, sections of code that could never be reached, floating point equality comparisons that might not match, and other egregious flaws. In banking software that's been used for decades. Their email policy filtered out .BAS files, because the email administrator apparently confused .BAS files with VBscript, so I had to change the file extensions... until it turned out that their policy prohibited sending any source code "electronically", so I had to FAX print-outs for them to type in.

Of course their programmers were incompetent. Who would work in an environment like that?

That's because there's no profit motive.

[MyFirstNameIsPaul]

Duh.

Re:That's because there's no profit motive.

On the contrary. Profit motive is exactly what caused this problem.
Contractors, motivated to get the greatest revenue for the least cost (time, effort, materials, whatever), created crap software. Since they don't suffer from producing crap software, they were simply working in their own (narrow view) best interest.

Perhaps if you were to hire employees that had motive to ensure the long term success of of a project (recognition, keeping your job) you'd get better results..

Re:That's because there's no profit motive.

[MightyYar]

So draft the contract such that the government (or some agent of the government... another bidder?) gets to report bugs and the service is not complete until the bugs are gone. Sure the bids will cost more, but it seems like an easy way to solve this particular problem.

Re:That's because there's no profit motive.

[Vaphell]

when both sides of the deal look after their interests, results tend to be a good bang for the buck spent. Government has no vested interest in getting a good deal and because of that it pretty much asks for being milked dry. On top of that the waste more often than not is rewarded with even more money in next year's budget.

Re:That's because there's no profit motive.

[skids]

Actually initial attitudes come into play here as well.

If there's a bagel shop that is owned by a guy who only catches 15% of shoplifters, and one which is owned by a guy who catches 25% of shoplifters, but the second guy has a reputation for getting his bagels lifted, shoplifters will go to the second guys shop preferentially, and he'll have more bagels shoplifted despite his vigilance.

As long as there is a general attitude that government == "cash cow" among the private contracting sector, whether or not the government gets better at holding contractors accountable, they will still be victimized more. If contractors suddenly changed their stripes and demonstrate some patriotism, the story would be entirely different.

Re:That's because there's no profit motive.

[El+Torico]

The profit motive is part of it, but only a part. Usually, the customer has undefined or poorly defined requirements and grossly incompetent management. I was once part of a program in which the government representative refused to provide the security standards and criteria that the system would be judged upon. We had conflicting standards to reconcile and every request for guidance or additional information was ignored.
That was only part of the problem. The network design was provided by the government and it was a complete mess; we couldn't change it either.

Contractors

Unfortunately, all the outsourcing going on in the Government (because it's easier to get money for a contract than to hire a developer on a permanent basis) is what's really killing the code here. Most outsourcing firms have a "throw the code over the wall" attitude, and spend more time deflecting blame for bugs than trying to fix them. I can't think of a business where there's less accountability than Government contracting, except possibly foreclosure management....

Re:Contractors

[BenEnglishAtHome]

I just retired from a long IT career with a fed TLA.

In all that time, there were two projects that stood out in my mind the most.

For the first one, a division needed software to automate their primary tasks. If such software could be implemented, it would essentially be where 20,000 people a day spent all their time and brought in billions of dollars. The solution they decided on was to survey the end users who were tired of doing everything on paper, find the ones who were the acknowledged computer geeks, then let them design and write the program. They actually turned field civil law enforcement officers into SAs and analysts and coders and let them build what they needed. It took years but when it was done, it was a thing of functional beauty. Actually, it was ugly as hell but it so perfectly met the needs of the field officers that I know of several who actually delayed their retirements so they could spend more time doing a job that was fun again because all the drudgery had been automated away.

Most. Successful. Project. Ever.

The other one I remember was the same sort of thing, a program that some 70,000 would spend all their time in. It was buggy from the start. The people who had to use it hated it. Every upgrade broke reports from the previous version. It was, obviously, done by contractors. At one point, development halted for almost 18 months because someone dropped a dime on the contract developer and their entire staff of Indian programmers with expired visas had to pack up and go back to Asia. The contractor folded up shop and getting another to step in, untangle the mess, and start moving forward was a royal pain.

My point?

Sometimes, coder skill is meaningless. If you have developers and architects and all those other job titles involved in software development who actually work for the government because, at least in part, they are proud to serve their country...then you get better software.

Government software should be created by government employees, not contractors.

Now I'll go back to my place in the 1950s, where I'm sure many of you will say I belong.

Re:Contractors

[Liquidrage]

100% no doubt. I've said time and time again I can fix a lot of state IT if I could do two things:
1. Fire people like it was the private sector
2. Pay competitive wages for new hires

What a lot of people don't realize about the gov, especially in IT, is if you take any 5 gov IT employees 2 are underpaid worthless cretins that should lose their job but the manager doesn't have 40 hours a week just to document their deficiencies because he/she is actually working. 2 are making what they're worth but are underskilled for the job and the pay reflects that, and one's a complete stud vastly underpaid and doing hero work to make sure things run. Obviously those numbers aren't exact science, but it's like that in a lot of places.

Re:Contractors

[f97tosc]

I think in general it is very difficult to have two groups of separate people, one who understands the problems, and another who understands how to write code.

IN theory you let the users write down a list of specifications, but it rarely works into problems. You always run into trade-offs and conflicts involving functionality vs complexity for example, only somebody who understands both the software and the problem situation can resolve this well.

I agree with you that the best solution is to have the users learn how to code, or possibly let the coders learn how to run the business. Unfortunately I think it is rare to find the right combination of talent. And certainly users without coding talent are not going to declare themselves incompetent to manage in business with increasing software content. And coders are all too comfortable letting somebody else specify what to code and not taking ownership for a product that actually adds value.

Re:Contractors

[Tridus]

You're absolutely right. I work as a programmer for the government and I see the same thing. The stuff that's built in house by any department (not just ours, but I think we do good work) tends to be better. We don't get paid extra to fix bugs - we just get unhappy users and lousy performance reviews for having lots of bugs. As part of the department we actually learn the business and can thus do a better job.

The stuff made by contractors is made to specification, if you're lucky. The problem is that the specification is usually wrong, because non-technical users don't have a clear grasp on what it is they actually need. The successful projects are very much iterative ones, because as soon as you give users something they'll be coming back with changes and new requests and other business areas will be impacted. It's inevitable.

The contractor model is great to make the friends of politicans a lot of money. It's a failure if you want good software.

Re:Contractors

[geekoid]

1. See, that's the PROBLEM with the private sector. One you can just fire people, you end up with an entrenched attitude of 'Do what I say or else'. Which is fine for a genius like you, but mostly you end up with a high turn over rate.

Making it difficult mean people can speak up. They can tell a bureau chief why they are wrong and not get fired. THIS is what bring quality, depth of knowledge, and honest opinions and view out into the open.

Contrary to what a lot of people thing, it isn't impossible to fire someone. It make take time, becasue they treat their employees like that are human beings

2. the wages aren't horrible. I could make 30% more in the private sector, but my benis are solid, and I like having a life.

The rest of your post is just ignorant. I've seen peopel get fired. It went like this

1) Bad review with detailed list of whats wrong* I've seen people change the work attitude at this point and become better employees.

2) Verbal warning after 3 months. *again,. seen poeple change at this point

3) written warning - never seen anyone recover from here

4) out the door. 3-6 months, and this includes union.

What really helps is the 9 months grace period. Frankly, if you are lazy, you won't make it 9 months without the become obvious.

Re:Contractors

[BenEnglishAtHome]

A-76.

I could have gone all day without that blood pressure spike.

I don't want to be the lobbyist who gets A-76 killed. I want to be the guy who identifies those responsible, lines them up against a wall, and pulls the trigger.

(Calming down...already retired...don't have to endure it anymore...thinking happy thoughts...)

I can attest to this

[Reverand+Dave]

I work for a government agency and I can swear this to be the absolute truth. I believe the reason to be a lot of politicking in management and not enough actual IT experience. No one wants to step on toes or else it might come back to bite you later when you need funds for a project so when user X asks for feature Y in software Z and there is no way it can be implemented without hacking together a mess of SQL query strings that may or may not work, well then you do it, because if you don't do it. User X may at one point be on a committee that can divert funds from your server or software upgrade budget.

Re:I can attest to this

[scot4875]

Financial web applications are 50% more likely than government one to be secure

50% more than not very likely is still only slightly more likely.

--Jeremy

Re:I can attest to this

[geekoid]

Did you read the report? no, of course you didn't. Unless you are explaining the code developed by the private sector for the government is marginal more buggy? And the the study is worth a damn.

I work for a government agency. You're whole description sound a hell of a lot more accurate to my experience in the private sector then the public sector.

Anecdotal experiences: Two Tales...

Private sector:
One time I got called on the carpet because I didn't list the names in my email address list in the 'appropriate order'. Putting a middle management person before the VP.. what nerve I have. I have many takes of correcting someone and being labels trouble maker. The financial sector sucks eggs.

Public sector:
Told a Bureaus head he was wrong, listed why. He Thanks me for speaking up and saving them from an expensive mistake.

Re:I can attest to this

[PCM2]

I believe the reason to be a lot of politicking in management and not enough actual IT experience.

I think one reason for this might be high barrier to entry. A lot of government jobs might require a security clearance (even a low one). That rules out some qualified people. And then, there's a little bit of the attitude that they want you to have "experience in the public sector." There's a similar attitude at many nonprofits, where they want you to have worked at/with other nonprofits before. There's nothing really wrong with this per se, but the effect is that it's public sector experience first, IT experience second.

Yes.

[Cantide]

I was a software tester for the DoD and can confirm the stupidity here. (I can't really talk about the exact program but I can tell you with 100% certainty that it was mission critical.) We were contracted to run massive amounts of automated testing on the latest build of the software I was working on. Upon finding bugs, we needed to do regression testing... to decide if we would fix them in the latest build, because if they were present in previous versions we were under no obligation to do so unless specifically paid to do so.

Gov't should be ideal for secure, bug-free develop

[Iamthecheese]

There are industry-common metrics for good code.

With its focus on long-term outcomes, big budgets, and relatively stable personnel it seems to me non-outsourced government work would tend to produce better code.

Part of the government wrote the code for the space shuttle, the most bug-free program ever written. Seriously, look it up, that code is amazing.

The problem with these specific problems isn't with government but with improper requirements and possibly graft. These are much easier to fix on a local level than bad code in my not so humble opinion.

Laugh

[koan]

Obvious loop hole...
"and are even paid extra to fix their bugs after creating them."

Re:Laugh

[mcavic]

and are even paid extra to fix their bugs after creating them

There's no getting around that. Programmers have to eat too.

Hiring the cheapest competitor doesn't help either

[marcosdumay]

The rules for government aquisition don't help. As there isn't any usefull formal metric for software quality, it normaly must settle with the cheapest competitor whoever it is, however it works.

"even paid extra to fix their bugs after creating"

[SwashbucklingCowboy]

Reminds me of this Dilbert comic

Contractors

[betterunixthanunix]

My first though was, "Probably the work of contractors." Then I RTFA'd and had it confirmed:

That institutional insecurity, says Alan Paller, researcher director of the SANS Institute, is the result of a private contractor system that actually rewards insecure coding. âoeThe consequences for private sector software writers who write insecure code in commercial software is high costs for patching along with substantial embarrassment for their companies and job insecurity for them,â he says. âoeIn contrast, the consequences for private sector software writers who write insecure code for the government is contract add-ons to fix the problem, and more revenue for their companies and job security for them.â

We lack the expertise 2 program a complete program

[D4C5CE]

Die Expertise, ein gesamtes Programm zu programmieren, ist nicht vorhanden.

Spokesman of the German Home Office (BMI, in charge of the "Federal Trojan Horse" exposed by the CCC) at the Federal Press Conference 2011-10-12.

Not susprised at all

My first job was doing software for the federal government (mainly tools for tracking government property and assets and the nightmare of paperwork associated with them). It was _horrible_. It was a well paying job, great benefits, very relaxed (but political) environment .. but the atrocities committed to the art of software development combined with the painfully slow pace were unbearable.

Everything was always caught up in red tape. Requirements were always wrong, outdated, or both. In a lot of cases there was no clear time frame or end plan for software .. that shit would get figured out when/if the project was finished. And projects were often arbitrarily cancelled. Stuff that was finished and deployed often went unused for various reasons.

There was also an anti-change culture. Anything new was met with extreme resistance. Also there was this feeling that anything that improved our efficiency would decrease our staff. It wasn't entirely unfounded. Stuff was scheduled to take a certain amount of time. If it took less time, it wasn't like there was more work to fill in the holes.

And the code. Wow. I think it's part because the federal government has a lot of co-op/student programs .. and part because most programmers that care about software quality got the hell out of there (like I did) .. but the code that came out of my department was.. terrifying. Thankfully these were internal apps. Database queries involving multiple tables can be complicated.. but it's easy to put the same data in multiple tables! So just create multiple tables with the various data sets you need! Suggest a database view (at least half way to an ok solution) .. the DBA (yes, they had a DBA, a professional database guy, and he allowed this!) won't allow it (he won't reject it, he just offers to "look into it", which if you don't know is office politics for "nope!").

Ok I'm gonna stop and let my blood pressure come back down...

So what is everyone else's excuse?

[rudy_wayne]

By SANS standards, only 18% of government apps passed, compared with 28% of finance industry apps and 34% of commercial software. Wysopal and others blame the difference on a lack of accountability of federal contract developers, who aren't held to security standards and are even paid extra to fix their bugs after creating them."

OK. So government contractor produce the shittiest code, due to a lack of accountability. However, the 34% rating for commercial software is absolutely horrible and inexcusable. Commercial software is almost twice as good, but twice as good shit is still shit.

Thats only the US Gov't

[Spy+Handler]

In some other countries, government employees are smart and work hard. In South Korea for instance the gov't software all run on IE6 activeX plugins and are rock-solid.

Re:Gov't should be ideal for secure, bug-free deve

[mykepredko]

Actually, the Government had just about nothing to do with the Space Shuttle code.

The group that did it was founded by IBM and has been passed around to a number of other vendors (I believe they have ended up at LockMart).

I'm not sure if this supports or discourages your point.

myke

There's more reasons for this

[Liquidrage]

1. Much of government is custom software. In the private world less so. Not that there aren't exceptions in either case, but my bank didn't write their own custom software for finances. In government it's almost always build over buy. It's much harder for the government to change policies to fit software when much of what they are writing software for is dictated by legislation.

2. Much of government software is written last minute to meet the demands of the people we've elected that in turn force government agencies to create something from nothing, usually without proper funding and usually with unrealistic deadlines.

3. Much of government software is written by inexperienced people. Contractors and government employees are rehashed from project to project even as technology changes.

I've worked public and private for 15 years now in tech and have seen it all. DoD, Federal, and State projects from both sides of the contract/public servant side. A lot of government software is written in locations with smaller workforces leading to hiring people that are just the best you can get, now what you should get. The deadlines for government projects are almost always unrealistic. The powers that be, and I mean the legislature at the state level and agency heads in Federal, and the commanders/Washington in DoD work, don't feel like there's a ROI on almost any project, it's just stuff they "have" to do, so they don't take into account doing it right. They shoestring a budget, or don't even have a budget, and use whatever resources they can find to get things done.

Most projects aren't even contracted out completely. Many are sure. But I'd say more are a mixture of public workforce and contract or just done but the public servants at hand already. And yes, the contracted out ones are usually the worse IMO because the reason they got the contract is they "knew" the right person and it's a milking of taxpayer money. I've taken over for two projects completely outsourced to very large multi-national contracting firms whose names everyone would recognize. Both were over 70 million contracts. And both were complete crap. The systems were disgusting. We didn't even get printed binders for taking over the maintenance on either. We got some word docs in a network folder, the documents created "after" development was completed. A hodgepodge of technologies and some really bad code. For 70+ million you'd think you'd at least get a Tech Writer on the project and some bound color copies from Kinkos. Nope.

Re:Gov't should be ideal for secure, bug-free deve

[ColdWetDog]

Part of the government wrote the code for the space shuttle, the most bug-free program ever written. Seriously, look it up, that code is amazing.

That's it! Get rid of those nasty high level languages and get back to the bare metal with assembly. None of this new fangled junky stuff.

Kids these days. Never learn anything from their betters.

Different markets.

[MindStalker]

Government web applications are generally intended to Provide public information. 16% secure
Finance industry web applications are intended to transmit money the fact. 24% secure. The fact that this is less than twice as secure as web application that are generally informational only is frightening as heck.

Commercial applications are a mix of the two and come out to 28%. Strange.

Re:Sounds like they have little practical experien

[Liquidrage]

Of course now the government is switching to agile/scrum (as opposed to the prior methodology of OMFGRAD) en masse so that requirements are gathered on the fly/after the fact and collected on sticky notes and discussed for 10 minutes a day. Because hell, if you can't get good requirements might as well have a methodology that minimizes the need for them.

Of course, considering almost all government software is dictated by business logic and legislation and often rely on existing legacy systems that can't be easily changed, I don't think it's exactly wise. I gag every time the cafe-latte sipping PM's gush about switching over toe scrum on another project so I can spend twice as long building software because my requirements are even worse now. But hey, it has a catchy name, it must be good for government work. We're all so grown up now.

It's not like a can get a high level requirement that I need to capture user information and go build a user screen in the government world. Every freaking little detail is going to be exacted upon on a user screen with rules and laws (and legacy systems) dictating what I can and can't do what is and isn't there and how it interacts with other systems. It's not that agile/scrum is always bad. It's just a square peg in a round hole of current government in most cases.

Don't blame the contractors...

[retech]

At least not 100%. You can blame the many headed beast they have to answer to. With every dept. head feeling they have to justify their existence by exerting power in the form of conflicting demands. Also add to this rule sets for compliance that are decentralized and NOT overseen by people who know how to program (generally) but instead know how to be gov't administrators. So compliance will often mean having internal conflicts as to what an application can do.

This is really about government controls run a muck.

Re:Stuxnet was pretty solid though

[Liquidrage]

In a way yes. A typical government project comes about by putting a team together for that project. It may be outsourced to a vendor, vendors bought in as staff aug, or done in house with existing IT resources. Or bought but that doesn't happen that often.

Now, since they're doing it as cheap as possible, maintenance is almost never factored in except on the biggest projects. The rest they just expect you to suck up with existing resources. And it's a one-off app so maintenance is as needed. Basically, once it's released (or the final release is put out considering a lot is done in iterrations) it's a dead system except when a bug is found. That accounts for the way a lot, but not all, government software is done. Which means, as opposed to a commercial package where a bug found by one customer and fixed by a support team can fix a bug for a 1000 customers, you're in your own fiefdom. Of course that hurts things. When you go to agency to agency, even within a single state or county, everything is done differently, looks differently, named differently. There are no true standards.

That said, almost every big consolidation effort in IT I've seen has failed miserably. Because by law/degree/legislation every single entity of government is so different and has such different rules to follow. Government is BIG. You're talking hundreds of thousands projects and developers and standardizing that is hard. It's a lot easier for Coke-a-Cola to standardize IT then it for all the soft drink makers to standardize IT practices. And government is like the latter x1000. And again, Coke-a-Cola's only going to do something that makes sense from a business standpoint and has a tangible ROI so they do it right to get that ROI (just an example, Coke IT might suck for all I know). Where as the government stuff almost never has an ROI, it's done because it's required to be done and isn't budgeted to be done, just required. With no ROI it's always just a "get it done" attitude. And a lot of stuff is done to make a politician happy so even though he has no idea what really should be done he has final say because he's going to use it to get favors with other politicians or to make a press release and use it for future votes.

shit from suger

[Stonefish]

There are a couple of assumptions here which are actually validated. One is that all government code is outsourced, actually its not.
The fundamental problem here is that government agencies especially can't tell shit from suger in terms of the quality of their software.
Industry can't tell them either, I know from experience that Government already spends enormous sums of money on processes which are meant to make software better, guess what? It doesn't work.
Government agencies (and staff promotions) are measured by inputs rather than outputs, ie how much they spend rather than what they produce, until this changes government software will be shit.

Outsourcing, all around

[mbessey]

It's likely that the percentage of outsourced projects tracks the prevalence of security problems. Certainly, the government has a very high level of outsourced vs in-house development. I think that financial institutions also tend to largely outsource (especially customer-facing) development.

Study Shows Increased Sales For Veracode

[sweatyboatman]

This isn't a study.

This is a press release declaring that everyone who is not already their client has a desperate need for Veracode's services. No different than when Norton sends out a "study" that shows how terribly dangerous the internet is or how much malware exists for smartphones.

This just sounds like they're angling to get themselves some more government business. And you know, kudos for them.

LOL

[nthwaver]

Goverment are faget asshole too busy sucking gay faget cock to write good codes. We need to get rid of goverment and set up constitutional anarchy and send all the fagets away to France or some other faget country.

You'd be surprised how much software from all business models is written by queer folk! Microsoft actually lobbies the state of Washington for gender-neutral marriage so that they can poach more gay programmers. Google does the same. Your OS, browser and phone were probably designed by fagets. The field of computer science was founded by Alan Turing, an internationally infamous faget. Face it dude, queers are too smart and useful, you'll never get rid of us.

There's a number of reasons for this

[Tridus]

Governments are prone to several problems that cause serious problems with program quality. Speaking as a government programmer, starting with the biggest problem:

1. Consultants. Anytime you have someone external come in and build the code, they don't know anything about the business. They build whatever the spec is (hopefully). In my experience in government, specs are usually very bad at explaining what the users actually need. You need to understand the business in question pretty well to do that. Someone who actually understands how Environmental Inspection & Enforcement is done will be able to write a better program to do it then some guy who is just reading what a word doc says to build, because the first person has the knowledge to know when the spec is wrong.

And that's on a good day. Then you get the consultants who use crappy obsolete technology to throw stuff out quickly, hoping to get more money to fix it later. It won't integrate with anything else, because other consultants did that. When it needs changes because of legislative changes to the business put in by the politicians, nobody is going to know how to change it. It's an expensive and ineffecient model.

Whenever you hear about a $300 million system that didn't work, the odds are good a lot of consultants were involved.

2. Scope creep. Governments are infamous for this. They say we're going to do X. Then another branch jumps in later, now we're doing Y. Then another one. Oh, then there is a department merger and we need it to also work for some other department. Then there's an election and the priorities all changed. Good luck keeping up with that. It's made even worse if you're trying to do the project as one giant release that's all things to all people.

What governments need to do in order to deal with this inevitable problem is split projects up into phases and deliver smaller pieces. It's a lot better to get the first piece out there and in use in a relatively short timeframe then it is to try and build the entire mega-solution at once.

3. It's easy for government employees to become insular, because government is different from the rest of the industry. It's a trap to fall into where you don't keep up with what's new and changing just because you don't particularly need to. Given enough time, skills can become lax and obsolete. It's something that can be dealt with, but employees have to be encouraged to keep learning.

Yet another flawed studiy

[geekoid]

where the p[people don't realize the 'government' isn't one group, one set of funds, or one set of guideline.

Oh wait? they sell a product? and don't release the details of said study? Maybe they do understand why a general grab at the generic label 'Government' makes for a misleading results.

Re:Cost-plus

[geekoid]

Many, not most. And for a great many of them it makes sense. Note: cost plus does not equal zero oversight. Just so you know.

Lets take a 5 year project on a piece of highway.

Seems pretty straight forward right?
Did you know the price of rock could double in that time period? or be cut ijn half? rock turns out to be more volatile then one would expect.

And that's just one component. IO unusually bad year can delay, fuel prices changes and so on.
Now, I know the media doesn't report this side of it, but sometime cost-plus has ended cheaper then estimated.

Eliminating cost plus will make thing more expense, and the results won't be any different.
Remember, we are talking about huge projects here. Many years. If you want a straight price bid, it means every bid would be 50% more then they are now, AND there would be more incentive for the contractor to screw you.

WYSIWYG (what you sign is what you get)

[Eponymous+Hero]

and are even paid extra to fix their bugs after creating them.

this is the standard procedure when you, the client, approve work without kicking the tires. obviously there are some exceptional situations, and some legalese is required. if you don't want to pay for bugs to get fixed, either don't approve them or get a warranty. nobody writes bug-free code, that's a myth inherent in non-programmers. but on the whole, if you buy something without warranty, you get what you get. that's the whole point of charging extra for warranties.

if i'm a landscaper and i plant the trees you want me to plant, and later you find out they give you allergies, i'm not pulling the trees out for free. nor will i take shit off you for not knowing you're allergic. there are other analogies you could use to try to disprove me. my analogy doesn't prove me correct, but i believe i am and it helps illustrate why.

NOT Confirms.

[Atzanteol]

Concludes, not confirms. Studies do not confirm anything (unless done by Netcraft).

Incorrect title

[Zoxed]

I know that Slashdot has just copied the article title, but it seems incorrect:

- The article only seems to discuss security: this is only one class of bug.
- Surely a bug is a mismatch between the requirements and the implementation. If certain security criteria are not required, then it is not a bug if they are not met !

I suggest the title should be more like "Study Confirms The Government Produces The Least Secure Software".