How secure are government's mobile apps?
Friday - 12/16/2011, 5:39pm EST
Federal News Radio
As federal agencies design ever more innovative mobile applications, security has never been far from top-of-mind.
But despite all the talk, government apps may not be as secure as they should be.
IT security firm Veracode recently released a report, the "State of Software Security," examining software applications at federal agencies compared to those created and maintained by the private sector.
The report found the government apps fared the worst.
"They had more vulnerabilities and they had more of the high-risk ones that hackers are going after," said Veracode co-founder and chief technology officer Chris Wysopal, in an interview on In Depth with Francis Rose.
The largest area of vulnerability was in web apps, Wysopal said, which often connect to government websites.
"These kinds of applications have lots of private data back there and obviously identity theft is a big deal and you don't want people manipulating that data," he explained. "And we found that the types of vulnerabilities that would let attackers get at the private data were a lot more prevalent in government apps than, let's say, finance, for instance."
Agency apps are also less "resilient" to cyber attacks — even common ones — compared to the private sector. For example, Veracode cited government web applications as being at much higher risk for cross-site scripting (XSS) and SQL injection issues.
Wysopal said the culprit is how the apps are constructed, including the programming language and the education of the app developers. "That all goes into how resilient the app ends up to attackers," he said.
The government has a need for programmers with a background in secure programming, he added.
"The first thing is to understand how these attacks happen," he said, "and then it's to understand how to design the application so that it's less likely that these attacks happen. And then, how to test these applications to make sure these vulnerabilities aren't in there."