Shows & Panels
- The 2014 Big Picture on Cyber Security
- AFCEA Answers
- Ask the CIO
- Connected Government: How to Build and Procure Network Services for the Future
- Continuing Diagnostics and Mitigation: Discussion of Progress and Next Steps
- Federal Executive Forum
- Federal Tech Talk
- The Intersection: Where Technology Meets Transformation
- Maximizing ROI Through Data Center Consolidation
- Moving to the Cloud. What's the best approach for me
- Navigating Tough Choices in Government Cloud Computing
- The New Generation of Database
- Satellite Communications: Acquiring SATCOM in Tight Times
- Transformative Technology: Desktop Virtualization in Government
- Value of Health IT
Shows & Panels
How secure are government's mobile apps?
Friday - 12/16/2011, 5:39pm EST
Federal News Radio
As federal agencies design ever more innovative mobile applications, security has never been far from top-of-mind.
But despite all the talk, government apps may not be as secure as they should be.
IT security firm Veracode recently released a report, the "State of Software Security," examining software applications at federal agencies compared to those created and maintained by the private-sector.
The report found the government apps fared the worst.
"They had more vulnerabilities and they had more of the high-risk ones that hackers are going after," said Veracode co-founder and chief technology officer Chris Wysopal, in an interview on In Depth with Francis Rose.
The largest area of vulnerability was in web apps, Wysopal said, which often connect to government websites.
"These kind of applications have lots of private data back there and obviously identity theft is a big deal and you don't want people manipulating that data," he explained. "And we found that the the types of vulnerabilities that would let attackers get at the private data were a lot more prevalent in government apps than, let's say, finance, for instance."
Agency apps are also less "resilient" to cyber attacks — even common ones — compared to the private sector. For example, government web applications were cited by Veracode as being at much higher risk for XSS and SQL Injection issues.
Wysopal said the culprit is how the apps are constructed, including the programming language and the education of the app developers. "That all goes in to how resilient the app ends up to attackers," he said.
The government has a need for programmers with a background in secure programming, he added.
"The first thing is to understand how these attacks happen," he said, "and then it's to understand how to design the application so that it's less likely that these attacks happen. And then, how to test these applications to make sure these vulnerabilities aren't in there."