Public Sector Software Security Trails Private Sector By Wide Margin, Report Says

Applications developed by public sector organizations typically have more security flaws than applications created by the private sector, Veracode, an application security software provider, said in a newly-released report.

Veracode relied on its analysis of data collected from more than 27 million scans across 750,000 applications, including results from federal, state, and local government, to produce the report.

The company directly correlates higher numbers of application flaws with increased levels of risk. This issue rose to prominence following the federal government’s release in March of its National Cybersecurity Strategy. The White House is proposing that legislation be directed at software makers that fail to safeguard their products and services.

Chris Eng, Veracode chief research officer, emphasized that government agencies must “strengthen” security:

“The difference between the rate at which flaws appear in public and private sector applications is significant. Efforts by the government to close the gap are necessary and should continue. As stewards of public safety, agencies have a responsibility to close this gap and strengthen security to protect the nation and its citizens.”

82% of Public Apps Have Security Flaw

Veracode’s data shows that both public and private organizations may need to be more vigilant to attend to the federal government’s position on public and private sector software risk. Here are some key findings:

  • About 82% of applications developed by public sector organizations had at least one security flaw detected in their most recent scan over the last 12 months, compared to 74% of private sector organizations.
  • Discovery of high severity flaws in public sector applications (16.5%) in a 12-month period was lower than in non-public sector applications (19%). This is noteworthy because high severity flaws, when exploited, have greater potential to impact systems adversely.
  • Of note, static application security testing (SAST) and software composition analysis (SCA) found flaws in a smaller percentage of public sector applications than of private sector applications.
  • By the time software has been in production for five years, the rate at which new flaws are introduced in private sector applications increases, while the rate for public sector agencies declines.

In commenting on the data, Eng stressed that there’s room for improvement:

“The public sector has come a long way in strengthening the security of applications that serve our government, but there is still more work to be done for agencies to improve their cyber posture and repel incoming threats.”

Security Recommendations

Veracode recommended that agencies adopt these four measures to improve their cybersecurity posture.

  1. Patch. Fix the backlog of known flaws.
  2. Scan regularly. Inconsistent scanning makes fixing flaws more difficult, leading to more backlogs.
  3. Automate testing. Automating testing via APIs reduces the introduction of flaws into applications.
  4. Add DAST to the stack. Use dynamic scanning to discover flaws that other scan types miss.

D. Howard Kass

D. Howard Kass is a contributing editor to MSSP Alert. He brings a career in journalism and market research to the role. He has served as CRN News Editor, Dataquest Channel Analyst, and West Coast Senior Contributing Editor at Channelnomics. As the CEO of The Viewpoint Group, he led groundbreaking market research.