Security flaws found in 82% of public sector software applications
Veracode has released new findings that show the public sector has the highest proportion of security vulnerabilities in its applications and maintains some of the lowest and slowest patch rates compared to other industry sectors.
Analysis of data collected from 20 million scans across half a million apps revealed these industry-specific results.
“Policy makers and public sector leaders recognize that outdated technology and vast amounts of sensitive data make government applications a prime target for malicious actors. That’s why the White House and Congress are working together to update regulations governing cybersecurity compliance.
Following the May 2021 executive order to improve the nation’s cybersecurity and protect federal government networks, the U.S. Office of Management and Budget, Department of Defense, and White House released four memos addressing the need to adopt zero-trust cybersecurity principles and strengthen software supply chain security. Our research confirms this need,” said Chris Eng, director of research at Veracode.
No time to lose: fix more defects faster
The research found that, compared to other industries, the public sector has the highest proportion of applications with security vulnerabilities, at 82%. When it comes to how quickly organizations fix vulnerabilities once detected, the public sector has the slowest times on average, taking about twice as long as other sectors.
The research also found that 60% of defects in public sector third-party libraries remain uncorrected after two years, double that of other sectors and more than 15 months behind the cross-industry average.
Finally, with an overall resolution rate of just 22%, the public sector is challenged to prevent software supply chain attacks from impacting critical state, local and education applications.
Eng continued, “Organizations in this sector need to act urgently. They can dramatically improve their secure DevOps practices by using multiple types of analysis (static, dynamic, and software composition analysis) to get a more complete picture of an application’s security, which will help them improve remediation times, comply with industry regulations, and advocate for increased application security budgets.”
High severity faults take priority
Showing a positive trend, the public sector ranks first when it comes to remediating high severity defects. The research reveals that government entities have made great strides in resolving high-severity defects, which only appear in 16% of applications. In fact, the number of high-severity vulnerabilities has dropped by 30% in the last year alone, suggesting that industry developers are increasingly recognizing the importance of prioritizing vulnerabilities that pose the greatest risk. This is encouraging and may reflect a growing understanding of new software security guidelines, such as those outlined in the US Cybersecurity Executive Order and UK Government Cybersecurity Strategy 2022-2030.
Eng closed, “Recognizing that time is running out, public sector leaders are beginning to set timelines. For example, in “Moving the US Government Toward Zero Trust Cybersecurity Principles,” Shalanda Young set September 30, 2024 as the deadline for all US federal agencies to meet specific cybersecurity standards. We believe that the progress made against high security vulnerabilities is an excellent starting point and support all public sector agencies seeking to better control their software supply chains.”