How secure are government's mobile apps?
Friday - 12/16/2011, 5:39pm EST
Federal News Radio
As federal agencies design ever more innovative mobile applications, security has never been far from top-of-mind.
But despite all the talk, government apps may not be as secure as they should be.
IT security firm Veracode recently released a report, the "State of Software Security," examining software applications at federal agencies compared with those created and maintained by the private sector.
The report found that the government apps fared the worst.
"They had more vulnerabilities and they had more of the high-risk ones that hackers are going after," said Veracode co-founder and chief technology officer Chris Wysopal, in an interview on In Depth with Francis Rose.
The largest area of vulnerability was in web apps, Wysopal said, which often connect to government websites.
"These kinds of applications have lots of private data back there and obviously identity theft is a big deal and you don't want people manipulating that data," he explained. "And we found that the types of vulnerabilities that would let attackers get at the private data were a lot more prevalent in government apps than, let's say, finance, for instance."
Agency apps are also less "resilient" to cyber attacks — even common ones — compared to the private sector. For example, government web applications were cited by Veracode as being at much higher risk for XSS and SQL Injection issues.
Wysopal said the culprit is how the apps are constructed, including the programming language and the education of the app developers. "That all goes into how resilient the app ends up to attackers," he said.
The government has a need for programmers with a background in secure programming, he added.
"The first thing is to understand how these attacks happen," he said, "and then it's to understand how to design the application so that it's less likely that these attacks happen. And then, how to test these applications to make sure these vulnerabilities aren't in there."