Veracode has released new findings showing that the public sector has the highest proportion of security flaws in its applications and maintains some of the lowest and slowest repair rates compared to other industry sectors.
Analysis of data collected from 20 million scans across half a million apps revealed these industry-specific findings.
“Policymakers and public sector leaders recognize that outdated technology and large amounts of sensitive data make government applications a prime target for malicious actors. That’s why the White House and Congress are working together to update regulations governing cybersecurity compliance.
Since the May 2021 executive order to enhance the nation’s cybersecurity and protect federal government networks, the US Office of Management and Budget, the Department of Defense, and the White House have issued four memos addressing the need to adopt zero trust cybersecurity principles and strengthen the security of the software supply chain. Our research confirms this need,” said Chris Eng, Veracode research director.
No time to waste – fix more bugs faster
The research found that compared to other industries, the public sector has the highest proportion of applications with security flaws, at 82 percent. When it comes to how quickly organizations fix flaws once they are detected, the public sector posts the slowest times on average, about twice as slow as other sectors.
The research also revealed that 60 percent of flaws in third-party libraries used by the public sector remain unfixed after two years, double the rate of other sectors and more than 15 months behind the industry average.
Finally, with an overall fix rate of only 22 percent, the public sector is challenged to prevent software supply chain attacks from impacting critical state, local, and educational applications.
Eng continued: “Organisations in this sector must act urgently. They can significantly improve their secure DevOps practices by using multiple types of analysis (static, dynamic, and software composition analysis) to get a more complete picture of an application’s security, which in turn will help them improve remediation times, comply with industry regulations, and advocate for increased application security budgets.”
High severity defects are priority one
Demonstrating a positive trend, the public sector ranks high when it comes to addressing high-severity flaws. The research reveals that government entities have made great strides on high-severity flaws, which appear in only 16 percent of applications. In fact, the number of high-severity flaws has dropped by 30 percent in the last year alone, suggesting that developers in the sector increasingly recognize the importance of prioritizing the flaws that present the greatest risk. This is encouraging and may reflect a growing understanding of new software security guidelines, such as those outlined in the US Executive Order on Cybersecurity and the UK Government Cyber Security Strategy 2022-2030.
Eng closed: “Recognizing that time is of the essence, public sector leaders are starting to set deadlines. For example, in “Advancing the US Government toward Zero Trust Cybersecurity Principles”, Shalanda Young has set a deadline of September 30, 2024 for all US federal agencies to comply with specific cybersecurity standards. We believe that the progress made against high-severity flaws is an excellent starting point and supports all public sector agencies seeking to gain better control over their software supply chains.”