Study Confirms the Government Produces the Buggiest Software

Sparrowvsrevolution writes in with a link to a Forbes story about the lackluster code produced by government agencies."Humans aren't very good at writing secure code. But they're worst at it when they're paid to do it for the U.S. government, according to a study that will be presented at the Black Hat Europe security conference in Amsterdam later this week. Chris Wysopal, chief technology officer of bug-hunting firm Veracode plans to give a talk breaking down a vulnerability analysis of 9,910 software applications over the second half of 2010 and 2011. Government-built applications came out far worse than those created by the commercial software industry or the finance industry. Only 16% of government web applications were secure by OWASP standards, compared with 24% of finance industry software and 28% of commercial software. By SANS standards, only 18% of government apps passed, compared with 28% of finance industry apps and 34% of commercial software. Wysopal and others blame the difference on a lack of accountability of federal contract developers, who aren't held to security standards and are even paid extra to fix their bugs after creating them."

That's because there's no profit motive.

[MyFirstNameIsPaul]

Duh.

Re:That's because there's no profit motive.

On the contrary. Profit motive is exactly what caused this problem.
Contractors, motivated to get the greatest revenue for the least cost (time, effort, materials, whatever), created crap software. Since they don't suffer from producing crap software, they were simply working in their own (narrow view) best interest.

Perhaps if you were to hire employees that had motive to ensure the long term success of of a project (recognition, keeping your job) you'd get better results..

Re:That's because there's no profit motive.

[El+Torico]

The profit motive is part of it, but only a part. Usually, the customer has undefined or poorly defined requirements and grossly incompetent management. I was once part of a program in which the government representative refused to provide the security standards and criteria that the system would be judged upon. We had conflicting standards to reconcile and every request for guidance or additional information was ignored.
That was only part of the problem. The network design was provided by the government and it was a complete mess; we couldn't change it either.

Contractors

Unfortunately, all the outsourcing going on in the Government (because it's easier to get money for a contract than to hire a developer on a permanent basis) is what's really killing the code here. Most outsourcing firms have a "throw the code over the wall" attitude, and spend more time deflecting blame for bugs than trying to fix them. I can't think of a business where there's less accountability than Government contracting, except possibly foreclosure management....

Re:Contractors

[BenEnglishAtHome]

I just retired from a long IT career with a fed TLA.

In all that time, there were two projects that stood out in my mind the most.

For the first one, a division needed software to automate their primary tasks. If such software could be implemented, it would essentially be where 20,000 people a day spent all their time and brought in billions of dollars. The solution they decided on was to survey the end users who were tired of doing everything on paper, find the ones who were the acknowledged computer geeks, then let them design and write the program. They actually turned field civil law enforcement officers into SAs and analysts and coders and let them build what they needed. It took years but when it was done, it was a thing of functional beauty. Actually, it was ugly as hell but it so perfectly met the needs of the field officers that I know of several who actually delayed their retirements so they could spend more time doing a job that was fun again because all the drudgery had been automated away.

Most. Successful. Project. Ever.

The other one I remember was the same sort of thing, a program that some 70,000 would spend all their time in. It was buggy from the start. The people who had to use it hated it. Every upgrade broke reports from the previous version. It was, obviously, done by contractors. At one point, development halted for almost 18 months because someone dropped a dime on the contract developer and their entire staff of Indian programmers with expired visas had to pack up and go back to Asia. The contractor folded up shop and getting another to step in, untangle the mess, and start moving forward was a royal pain.

My point?

Sometimes, coder skill is meaningless. If you have developers and architects and all those other job titles involved in software development who actually work for the government because, at least in part, they are proud to serve their country...then you get better software.

Government software should be created by government employees, not contractors.

Now I'll go back to my place in the 1950s, where I'm sure many of you will say I belong.

Re:Contractors

[geekoid]

1. See, that's the PROBLEM with the private sector. One you can just fire people, you end up with an entrenched attitude of 'Do what I say or else'. Which is fine for a genius like you, but mostly you end up with a high turn over rate.

Making it difficult mean people can speak up. They can tell a bureau chief why they are wrong and not get fired. THIS is what bring quality, depth of knowledge, and honest opinions and view out into the open.

Contrary to what a lot of people thing, it isn't impossible to fire someone. It make take time, becasue they treat their employees like that are human beings

2. the wages aren't horrible. I could make 30% more in the private sector, but my benis are solid, and I like having a life.

The rest of your post is just ignorant. I've seen peopel get fired. It went like this

1) Bad review with detailed list of whats wrong* I've seen people change the work attitude at this point and become better employees.

2) Verbal warning after 3 months. *again,. seen poeple change at this point

3) written warning - never seen anyone recover from here

4) out the door. 3-6 months, and this includes union.

What really helps is the 9 months grace period. Frankly, if you are lazy, you won't make it 9 months without the become obvious.

I can attest to this

[Reverand+Dave]

I work for a government agency and I can swear this to be the absolute truth. I believe the reason to be a lot of politicking in management and not enough actual IT experience. No one wants to step on toes or else it might come back to bite you later when you need funds for a project so when user X asks for feature Y in software Z and there is no way it can be implemented without hacking together a mess of SQL query strings that may or may not work, well then you do it, because if you don't do it. User X may at one point be on a committee that can divert funds from your server or software upgrade budget.

Re:I can attest to this

[geekoid]

Did you read the report? no, of course you didn't. Unless you are explaining the code developed by the private sector for the government is marginal more buggy? And the the study is worth a damn.

I work for a government agency. You're whole description sound a hell of a lot more accurate to my experience in the private sector then the public sector.

Anecdotal experiences: Two Tales...

Private sector:
One time I got called on the carpet because I didn't list the names in my email address list in the 'appropriate order'. Putting a middle management person before the VP.. what nerve I have. I have many takes of correcting someone and being labels trouble maker. The financial sector sucks eggs.

Public sector:
Told a Bureaus head he was wrong, listed why. He Thanks me for speaking up and saving them from an expensive mistake.

Yes.

[Cantide]

I was a software tester for the DoD and can confirm the stupidity here. (I can't really talk about the exact program but I can tell you with 100% certainty that it was mission critical.) We were contracted to run massive amounts of automated testing on the latest build of the software I was working on. Upon finding bugs, we needed to do regression testing... to decide if we would fix them in the latest build, because if they were present in previous versions we were under no obligation to do so unless specifically paid to do so.

Gov't should be ideal for secure, bug-free develop

[Iamthecheese]

There are industry-common metrics for good code.

With its focus on long-term outcomes, big budgets, and relatively stable personnel it seems to me non-outsourced government work would tend to produce better code.

Part of the government wrote the code for the space shuttle, the most bug-free program ever written. Seriously, look it up, that code is amazing.

The problem with these specific problems isn't with government but with improper requirements and possibly graft. These are much easier to fix on a local level than bad code in my not so humble opinion.

Laugh

[koan]

Obvious loop hole...
"and are even paid extra to fix their bugs after creating them."

Hiring the cheapest competitor doesn't help either

[marcosdumay]

The rules for government aquisition don't help. As there isn't any usefull formal metric for software quality, it normaly must settle with the cheapest competitor whoever it is, however it works.

"even paid extra to fix their bugs after creating"

[SwashbucklingCowboy]

Reminds me of this Dilbert comic

Contractors

[betterunixthanunix]

My first though was, "Probably the work of contractors." Then I RTFA'd and had it confirmed:

That institutional insecurity, says Alan Paller, researcher director of the SANS Institute, is the result of a private contractor system that actually rewards insecure coding. âoeThe consequences for private sector software writers who write insecure code in commercial software is high costs for patching along with substantial embarrassment for their companies and job insecurity for them,â he says. âoeIn contrast, the consequences for private sector software writers who write insecure code for the government is contract add-ons to fix the problem, and more revenue for their companies and job security for them.â

Not susprised at all

My first job was doing software for the federal government (mainly tools for tracking government property and assets and the nightmare of paperwork associated with them). It was _horrible_. It was a well paying job, great benefits, very relaxed (but political) environment .. but the atrocities committed to the art of software development combined with the painfully slow pace were unbearable.

Everything was always caught up in red tape. Requirements were always wrong, outdated, or both. In a lot of cases there was no clear time frame or end plan for software .. that shit would get figured out when/if the project was finished. And projects were often arbitrarily cancelled. Stuff that was finished and deployed often went unused for various reasons.

There was also an anti-change culture. Anything new was met with extreme resistance. Also there was this feeling that anything that improved our efficiency would decrease our staff. It wasn't entirely unfounded. Stuff was scheduled to take a certain amount of time. If it took less time, it wasn't like there was more work to fill in the holes.

And the code. Wow. I think it's part because the federal government has a lot of co-op/student programs .. and part because most programmers that care about software quality got the hell out of there (like I did) .. but the code that came out of my department was.. terrifying. Thankfully these were internal apps. Database queries involving multiple tables can be complicated.. but it's easy to put the same data in multiple tables! So just create multiple tables with the various data sets you need! Suggest a database view (at least half way to an ok solution) .. the DBA (yes, they had a DBA, a professional database guy, and he allowed this!) won't allow it (he won't reject it, he just offers to "look into it", which if you don't know is office politics for "nope!").

Ok I'm gonna stop and let my blood pressure come back down...

So what is everyone else's excuse?

[rudy_wayne]

By SANS standards, only 18% of government apps passed, compared with 28% of finance industry apps and 34% of commercial software. Wysopal and others blame the difference on a lack of accountability of federal contract developers, who aren't held to security standards and are even paid extra to fix their bugs after creating them."

OK. So government contractor produce the shittiest code, due to a lack of accountability. However, the 34% rating for commercial software is absolutely horrible and inexcusable. Commercial software is almost twice as good, but twice as good shit is still shit.

Re:Hah! See?

[Jeremiah+Cornelius]

Private contactors, low-bidding, on the public's dime.

"We'll be here forever, boys. No need to get it right the first time."

Thats only the US Gov't

[Spy+Handler]

In some other countries, government employees are smart and work hard. In South Korea for instance the gov't software all run on IE6 activeX plugins and are rock-solid.

Re:Gov't should be ideal for secure, bug-free deve

[mykepredko]

Actually, the Government had just about nothing to do with the Space Shuttle code.

The group that did it was founded by IBM and has been passed around to a number of other vendors (I believe they have ended up at LockMart).

I'm not sure if this supports or discourages your point.

myke

There's more reasons for this

[Liquidrage]

1. Much of government is custom software. In the private world less so. Not that there aren't exceptions in either case, but my bank didn't write their own custom software for finances. In government it's almost always build over buy. It's much harder for the government to change policies to fit software when much of what they are writing software for is dictated by legislation.

2. Much of government software is written last minute to meet the demands of the people we've elected that in turn force government agencies to create something from nothing, usually without proper funding and usually with unrealistic deadlines.

3. Much of government software is written by inexperienced people. Contractors and government employees are rehashed from project to project even as technology changes.

I've worked public and private for 15 years now in tech and have seen it all. DoD, Federal, and State projects from both sides of the contract/public servant side. A lot of government software is written in locations with smaller workforces leading to hiring people that are just the best you can get, now what you should get. The deadlines for government projects are almost always unrealistic. The powers that be, and I mean the legislature at the state level and agency heads in Federal, and the commanders/Washington in DoD work, don't feel like there's a ROI on almost any project, it's just stuff they "have" to do, so they don't take into account doing it right. They shoestring a budget, or don't even have a budget, and use whatever resources they can find to get things done.

Most projects aren't even contracted out completely. Many are sure. But I'd say more are a mixture of public workforce and contract or just done but the public servants at hand already. And yes, the contracted out ones are usually the worse IMO because the reason they got the contract is they "knew" the right person and it's a milking of taxpayer money. I've taken over for two projects completely outsourced to very large multi-national contracting firms whose names everyone would recognize. Both were over 70 million contracts. And both were complete crap. The systems were disgusting. We didn't even get printed binders for taking over the maintenance on either. We got some word docs in a network folder, the documents created "after" development was completed. A hodgepodge of technologies and some really bad code. For 70+ million you'd think you'd at least get a Tech Writer on the project and some bound color copies from Kinkos. Nope.

Re:Gov't should be ideal for secure, bug-free deve

[ColdWetDog]

Part of the government wrote the code for the space shuttle, the most bug-free program ever written. Seriously, look it up, that code is amazing.

That's it! Get rid of those nasty high level languages and get back to the bare metal with assembly. None of this new fangled junky stuff.

Kids these days. Never learn anything from their betters.

Re:Sounds like they have little practical experien

[Liquidrage]

Of course now the government is switching to agile/scrum (as opposed to the prior methodology of OMFGRAD) en masse so that requirements are gathered on the fly/after the fact and collected on sticky notes and discussed for 10 minutes a day. Because hell, if you can't get good requirements might as well have a methodology that minimizes the need for them.

Of course, considering almost all government software is dictated by business logic and legislation and often rely on existing legacy systems that can't be easily changed, I don't think it's exactly wise. I gag every time the cafe-latte sipping PM's gush about switching over toe scrum on another project so I can spend twice as long building software because my requirements are even worse now. But hey, it has a catchy name, it must be good for government work. We're all so grown up now.

It's not like a can get a high level requirement that I need to capture user information and go build a user screen in the government world. Every freaking little detail is going to be exacted upon on a user screen with rules and laws (and legacy systems) dictating what I can and can't do what is and isn't there and how it interacts with other systems. It's not that agile/scrum is always bad. It's just a square peg in a round hole of current government in most cases.

Don't blame the contractors...

[retech]

At least not 100%. You can blame the many headed beast they have to answer to. With every dept. head feeling they have to justify their existence by exerting power in the form of conflicting demands. Also add to this rule sets for compliance that are decentralized and NOT overseen by people who know how to program (generally) but instead know how to be gov't administrators. So compliance will often mean having internal conflicts as to what an application can do.

This is really about government controls run a muck.

Study Shows Increased Sales For Veracode

[sweatyboatman]

This isn't a study.

This is a press release declaring that everyone who is not already their client has a desperate need for Veracode's services. No different than when Norton sends out a "study" that shows how terribly dangerous the internet is or how much malware exists for smartphones.

This just sounds like they're angling to get themselves some more government business. And you know, kudos for them.

LOL

[nthwaver]

Goverment are faget asshole too busy sucking gay faget cock to write good codes. We need to get rid of goverment and set up constitutional anarchy and send all the fagets away to France or some other faget country.

You'd be surprised how much software from all business models is written by queer folk! Microsoft actually lobbies the state of Washington for gender-neutral marriage so that they can poach more gay programmers. Google does the same. Your OS, browser and phone were probably designed by fagets. The field of computer science was founded by Alan Turing, an internationally infamous faget. Face it dude, queers are too smart and useful, you'll never get rid of us.

NOT Confirms.

[Atzanteol]

Concludes, not confirms. Studies do not confirm anything (unless done by Netcraft).

Re:Hah! See?

[zephvark]

I think the problem is more that no decent programmer is going to be willing to work for the government. Working for the government or a highly-regulated industry means conforming to any number of pointless and horrible rules, created by people who have no idea what they're doing. It's soul-crushing, and no one would do it if they could possibly get a job elsewhere.

I recently helped a major bank update some of its internal software from 1980s QuickBASIC code (!) so it could run on Windows (!!)... it was badly-written stuff, with line numbers, sections of code that could never be reached, floating point equality comparisons that might not match, and other egregious flaws. In banking software that's been used for decades. Their email policy filtered out .BAS files, because the email administrator apparently confused .BAS files with VBscript, so I had to change the file extensions... until it turned out that their policy prohibited sending any source code "electronically", so I had to FAX print-outs for them to type in.

Of course their programmers were incompetent. Who would work in an environment like that?