Slashdot Mirror


Study Confirms the Government Produces the Buggiest Software

Sparrowvsrevolution writes in with a link to a Forbes story about the lackluster code produced by government agencies. "Humans aren't very good at writing secure code. But they're worst at it when they're paid to do it for the U.S. government, according to a study that will be presented at the Black Hat Europe security conference in Amsterdam later this week. Chris Wysopal, chief technology officer of bug-hunting firm Veracode, plans to give a talk breaking down a vulnerability analysis of 9,910 software applications over the second half of 2010 and 2011. Government-built applications came out far worse than those created by the commercial software industry or the finance industry. Only 16% of government web applications were secure by OWASP standards, compared with 24% of finance industry software and 28% of commercial software. By SANS standards, only 18% of government apps passed, compared with 28% of finance industry apps and 34% of commercial software. Wysopal and others blame the difference on a lack of accountability of federal contract developers, who aren't held to security standards and are even paid extra to fix their bugs after creating them."

11 of 135 comments

  1. That's because there's no profit motive. by MyFirstNameIsPaul · · Score: 4, Insightful

    Duh.

    --

    I once took an excursion to Reddit, and later HN. Unlimited up/down voting sucks when dealing with a hive-mind.

  2. Contractors by Anonymous Coward · · Score: 5, Interesting

    Unfortunately, all the outsourcing going on in the Government (because it's easier to get money for a contract than to hire a developer on a permanent basis) is what's really killing the code here. Most outsourcing firms have a "throw the code over the wall" attitude, and spend more time deflecting blame for bugs than trying to fix them. I can't think of a business where there's less accountability than Government contracting, except possibly foreclosure management....

    1. Re:Contractors by BenEnglishAtHome · · Score: 5, Informative

      I just retired from a long IT career with a fed TLA.

      In all that time, there were two projects that stood out in my mind the most.

      For the first one, a division needed software to automate their primary tasks. If such software could be implemented, it would essentially be where 20,000 people a day spent all their time and brought in billions of dollars. The solution they decided on was to survey the end users who were tired of doing everything on paper, find the ones who were the acknowledged computer geeks, then let them design and write the program. They actually turned field civil law enforcement officers into SAs and analysts and coders and let them build what they needed. It took years but when it was done, it was a thing of functional beauty. Actually, it was ugly as hell but it so perfectly met the needs of the field officers that I know of several who actually delayed their retirements so they could spend more time doing a job that was fun again because all the drudgery had been automated away.

      Most. Successful. Project. Ever.

      The other one I remember was the same sort of thing, a program that some 70,000 would spend all their time in. It was buggy from the start. The people who had to use it hated it. Every upgrade broke reports from the previous version. It was, obviously, done by contractors. At one point, development halted for almost 18 months because someone dropped a dime on the contract developer and their entire staff of Indian programmers with expired visas had to pack up and go back to Asia. The contractor folded up shop and getting another to step in, untangle the mess, and start moving forward was a royal pain.

      My point?

      Sometimes, coder skill is meaningless. If you have developers and architects and all those other job titles involved in software development who actually work for the government because, at least in part, they are proud to serve their country...then you get better software.

      Government software should be created by government employees, not contractors.

      Now I'll go back to my place in the 1950s, where I'm sure many of you will say I belong.

  3. I can attest to this by Reverand+Dave · · Score: 4, Interesting

    I work for a government agency and I can swear this to be the absolute truth. I believe the reason to be a lot of politicking in management and not enough actual IT experience. No one wants to step on toes, or else it might come back to bite you later when you need funds for a project, so when user X asks for feature Y in software Z and there is no way it can be implemented without hacking together a mess of SQL query strings that may or may not work, well then you do it, because if you don't, user X may at one point be on a committee that can divert funds from your server or software upgrade budget.

    --
    I got here through a series of tubes

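
The "mess of SQL query strings" in the comment above is a concrete, testable thing. The following is an added example (not code from the commenter or from any agency system) showing the ad-hoc concatenation pattern that a rushed "add feature Y" request tends to produce, next to a parameterized version that satisfies the same dynamic-filter request. The `users` table, its rows and the filter names are constructed for the example.

```python
import sqlite3


def make_db():
    """Constructed in-memory sample data for the example (not from the thread)."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT, dept TEXT)"
    )
    conn.executemany(
        "INSERT INTO users (name, dept) VALUES (?, ?)",
        [("alice", "ops"), ("bob", "ops"), ("carol", "audit")],
    )
    conn.commit()
    return conn


def find_users_unsafe(conn, dept):
    """'Feature Y' done the quick way: the user-supplied department is glued
    straight into the statement text. The value becomes part of the SQL
    grammar, so a crafted value rewrites the WHERE clause."""
    sql = "SELECT name FROM users WHERE dept = '" + dept + "'"
    return [row[0] for row in conn.execute(sql)]


def find_users_safe(conn, dept):
    """Same query with the value bound as a parameter: the driver sends the
    value separately from the statement, so it can never change its shape."""
    sql = "SELECT name FROM users WHERE dept = ?"
    return [row[0] for row in conn.execute(sql, (dept,))]


def find_users_filtered(conn, name=None, dept=None):
    """The usual reason query strings get 'hacked together' is an optional
    set of filters. The statement text may still be assembled dynamically,
    but only from fixed fragments; every user value goes through a placeholder."""
    clauses, params = [], []
    if name is not None:
        clauses.append("name = ?")
        params.append(name)
    if dept is not None:
        clauses.append("dept = ?")
        params.append(dept)
    sql = "SELECT name FROM users"
    if clauses:
        sql += " WHERE " + " AND ".join(clauses)
    return [row[0] for row in conn.execute(sql, params)]


if __name__ == "__main__":
    db = make_db()
    hostile = "x' OR '1'='1"
    print(find_users_unsafe(db, hostile))            # every row leaks
    print(find_users_safe(db, hostile))              # no row matches that literal dept
    print(find_users_filtered(db, dept="ops"))       # ['alice', 'bob']
    print(find_users_filtered(db, name=hostile))     # []
```

The point of `find_users_filtered` is that "dynamic SQL" and "string concatenation of user input" are not the same thing: the shape of the statement can vary with the request while every value still travels as a bound parameter, which is the fix an OWASP or SANS scan of this code would be looking for.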
  4. Yes. by Cantide · · Score: 5, Interesting

    I was a software tester for the DoD and can confirm the stupidity here. (I can't really talk about the exact program but I can tell you with 100% certainty that it was mission critical.) We were contracted to run massive amounts of automated testing on the latest build of the software I was working on. Upon finding bugs, we needed to do regression testing... to decide if we would fix them in the latest build, because if they were present in previous versions we were under no obligation to do so unless specifically paid to do so.

  5. Gov't should be ideal for secure, bug-free develop by Iamthecheese · · Score: 4, Insightful

    There are industry-common metrics for good code.

    With its focus on long-term outcomes, big budgets, and relatively stable personnel it seems to me non-outsourced government work would tend to produce better code.

    Part of the government wrote the code for the space shuttle, the most bug-free program ever written. Seriously, look it up, that code is amazing.

    The problem with these specific problems isn't with government but with improper requirements and possibly graft. These are much easier to fix on a local level than bad code in my not so humble opinion.

    --
    If video games influenced behavior the Pac Man generation would be eating pills and running away from their problems.

  6. Re:Hah! See? by Jeremiah+Cornelius · · Score: 5, Insightful

    Private contractors, low-bidding, on the public's dime.

    "We'll be here forever, boys. No need to get it right the first time."

    --
    "Flyin' in just a sweet place,
    Never been known to fail..."

  7. Re:Gov't should be ideal for secure, bug-free deve by mykepredko · · Score: 4, Insightful

    Actually, the Government had just about nothing to do with the Space Shuttle code.

    The group that did it was founded by IBM and has been passed around to a number of other vendors (I believe they have ended up at LockMart).

    I'm not sure if this supports or discourages your point.

    myke

  8. There's more reasons for this by Liquidrage · · Score: 5, Insightful

    1. Much of government is custom software. In the private world less so. Not that there aren't exceptions in either case, but my bank didn't write their own custom software for finances. In government it's almost always build over buy. It's much harder for the government to change policies to fit software when much of what they are writing software for is dictated by legislation.

    2. Much of government software is written last minute to meet the demands of the people we've elected that in turn force government agencies to create something from nothing, usually without proper funding and usually with unrealistic deadlines.

    3. Much of government software is written by inexperienced people. Contractors and government employees are rehashed from project to project even as technology changes.

    I've worked public and private for 15 years now in tech and have seen it all. DoD, Federal, and State projects from both sides of the contract/public servant side. A lot of government software is written in locations with smaller workforces, leading to hiring people that are just the best you can get, not what you should get. The deadlines for government projects are almost always unrealistic. The powers that be, and I mean the legislature at the state level and agency heads in Federal, and the commanders/Washington in DoD work, don't feel like there's an ROI on almost any project, it's just stuff they "have" to do, so they don't take into account doing it right. They shoestring a budget, or don't even have a budget, and use whatever resources they can find to get things done.

    Most projects aren't even contracted out completely. Many are, sure. But I'd say more are a mixture of public workforce and contract, or just done by the public servants at hand already. And yes, the contracted-out ones are usually the worst IMO, because the reason they got the contract is they "knew" the right person and it's a milking of taxpayer money. I've taken over two projects completely outsourced to very large multi-national contracting firms whose names everyone would recognize. Both were contracts of over 70 million. And both were complete crap. The systems were disgusting. We didn't even get printed binders for taking over the maintenance on either. We got some Word docs in a network folder, the documents created "after" development was completed. A hodgepodge of technologies and some really bad code. For 70+ million you'd think you'd at least get a Tech Writer on the project and some bound color copies from Kinkos. Nope.

  9. Re:Sounds like they have little practical experien by Liquidrage · · Score: 4, Interesting

    Of course now the government is switching to agile/scrum (as opposed to the prior methodology of OMFGRAD) en masse so that requirements are gathered on the fly/after the fact and collected on sticky notes and discussed for 10 minutes a day. Because hell, if you can't get good requirements might as well have a methodology that minimizes the need for them.

    Of course, considering almost all government software is dictated by business logic and legislation and often relies on existing legacy systems that can't be easily changed, I don't think it's exactly wise. I gag every time the cafe-latte-sipping PMs gush about switching over to scrum on another project so I can spend twice as long building software because my requirements are even worse now. But hey, it has a catchy name, it must be good for government work. We're all so grown up now.

    It's not like I can get a high-level requirement that I need to capture user information and go build a user screen in the government world. Every freaking little detail is going to be exacted on a user screen, with rules and laws (and legacy systems) dictating what I can and can't do, what is and isn't there, and how it interacts with other systems. It's not that agile/scrum is always bad. It's just a square peg in a round hole of current government in most cases.

  10. LOL by nthwaver · · Score: 5, Funny

    Goverment are faget asshole too busy sucking gay faget cock to write good codes. We need to get rid of goverment and set up constitutional anarchy and send all the fagets away to France or some other faget country.

    You'd be surprised how much software from all business models is written by queer folk! Microsoft actually lobbies the state of Washington for gender-neutral marriage so that they can poach more gay programmers. Google does the same. Your OS, browser and phone were probably designed by fagets. The field of computer science was founded by Alan Turing, an internationally infamous faget. Face it dude, queers are too smart and useful, you'll never get rid of us.