How secure are government's mobile apps?

Friday - 12/16/2011, 5:39pm EST

Chris Wysopal, co-founder and CTO, Veracode

Download mp3

By Jack Moore
Federal News Radio
@jmooreWFED

As federal agencies design ever more innovative mobile applications, security has never been far from top-of-mind.

But despite all the talk, government apps may not be as secure as they should be.

IT security firm Veracode recently released a report, the "State of Software Security," examining software applications at federal agencies compared to those created and maintained by the private-sector.

The report found the government apps fared the worst.

"They had more vulnerabilities and they had more of the high-risk ones that hackers are going after," said Veracode co-founder and chief technology officer Chris Wysopal, in an interview on In Depth with Francis Rose.

The largest area of vulnerability was in web apps, Wysopal said, which often connect to government websites.

"These kind of applications have lots of private data back there and obviously identity theft is a big deal and you don't want people manipulating that data," he explained. "And we found that the the types of vulnerabilities that would let attackers get at the private data were a lot more prevalent in government apps than, let's say, finance, for instance."

Agency apps are also less "resilient" to cyber attacks — even common ones — compared to the private sector. For example, government web applications were cited by Veracode as being at much higher risk for XSS and SQL Injection issues.

Wysopal said the culprit is how the apps are constructed, including the programming language and the education of the app developers. "That all goes in to how resilient the app ends up to attackers," he said.

The government has a need for programmers with a background in secure programming, he added.

"The first thing is to understand how these attacks happen," he said, "and then it's to understand how to design the application so that it's less likely that these attacks happen. And then, how to test these applications to make sure these vulnerabilities aren't in there."