The problem boils down to an oversight in the regulations for government software set by the National Institute of Standards and Technology, says Wysopal. NIST’s rules outline security standards for network security (systems like firewalls and intrusion detection systems) as well as endpoint security like antivirus programs. But only the latest round of its regulations included standards for coding secure applications, and even those didn’t extend to most of the government’s web applications.
“We’re zeroing in on the application layer, but that’s something that’s been pretty much ignored in the government space,” says Wysopal. “They don’t take a risk-based approach. They take a compliance-based approach. If it’s not in the regulations, it doesn’t get done.”