BURLINGTON, Mass. — Veracode, a leading global provider of intelligent software security, today released research indicating that applications developed by public sector organizations tend to have more security flaws than applications created by the private sector. The findings are notable because increased numbers of flaws and vulnerabilities in applications correlate with increased levels of risk. The research comes amid a flurry of recent initiatives by the federal government to strengthen cybersecurity, including efforts to reduce vulnerabilities in applications that perform critical government functions.
Researchers found that just under 82 percent of applications developed by public sector organizations had at least one security flaw detected in their most recent scan over the last 12 months, compared to 74 percent of private sector organizations. Depending on the type of flaw tracked, public sector applications had a 7–12 percent higher probability of having a flaw introduced in the last 12 months.
“The difference between the rate at which flaws appear in public and private sector applications is significant. Efforts by the government to close the gap are necessary and should continue. As stewards of public safety, agencies have a responsibility to close this gap and strengthen security to protect the nation and its citizens,” said Chris Eng, Chief Research Officer at Veracode.
Analysis of data collected from more than 27 million scans across 750,000 applications helped to produce Veracode’s latest annual report on the State of Software Security. This new report showcases the public sector-specific findings from those scans and applications, including results from federal, state, and local government.
Numbers alone don’t convey the consequences that occur when hackers exploit software flaws and vulnerabilities. In early May this year, a ransomware attack against the city of Dallas hobbled functions relied on to deliver public services, including IT systems used by public safety agencies. More than three weeks after the attack occurred, Dallas’s public agencies hadn’t fully recovered.
High Severity Flaws: A Win for the Public Sector
Veracode’s research also found reasons for public sector organizations to be optimistic about application security. Discovery of “high severity” flaws in public sector applications (16.5 percent) in a 12-month period was lower than in non-public sector applications (19 percent). This is noteworthy because high severity flaws, when exploited, have greater potential to impact systems adversely.
Modern application testing encourages the use of multiple types of security scanning tools, such as static application security testing (SAST) and software composition analysis (SCA), because different scan types excel at uncovering different types of flaws. SAST and SCA found application flaws in a smaller percentage of public sector agencies compared to private sector applications.
Finding fewer flaws when using SCA tools could signal the initial impact of the May 2021 Executive Order (EO 14028), which directs U.S. federal agencies to invigorate efforts to protect the software supply chain. This EO also calls for greater use of software bills of material (SBOMs), which list the ingredients in software, thereby promoting information sharing, transparency, and visibility. Elsewhere, the Federal Risk and Authorization Management Program (FedRAMP) standardizes security assessment of cloud products and services. Similarly, StateRAMP enables state and local governments to verify cloud service providers’ compliance with cybersecurity policies.
“As modern IT systems have evolved and become more complex, the taxonomy of application flaws has become more varied,” Eng said. “As such, the use of multiple scan types to find and fix flaws has become a best practice.”
An Ounce of Prevention is Worth a Pound of Cure
A stark difference between public and private sector applications is the rate at which scans discover new flaws in aging software. By the time software has been in production for five years, the two sectors diverge sharply: rates of new flaws introduced in private sector applications increase, while rates for public sector agencies decline.
This trend suggests that public sector agencies are more vigilant about keeping applications secure over time, and not just during the first few years of the lifecycle. Applications outside government, by contrast, experience a gradual and steady increase in the introduction of new flaws as they age.
The State of Software Security Public Sector 2023 report recommends four actions agencies can take to improve their cybersecurity posture.
Catch Up: fix the backlog of known flaws
Scan regularly: inconsistent scanning makes fixing flaws more difficult, leading to more backlogs
Automate: automating testing via APIs reduces the introduction of flaws into applications
Add DAST to the stack: use dynamic scanning to discover flaws that other scan types miss
“The public sector has come a long way in strengthening the security of applications that serve our government, but there is still more work to be done for agencies to improve their cyber posture and repel incoming threats. By focusing security efforts on the root cause of most cyber breaches—the application layer—agencies can achieve necessary improvements. Scanning regularly with a variety of testing types and addressing security debt—the accumulated software vulnerabilities that threaten a system’s safety—will pave the way toward a more secure future for government agencies,” Eng concluded.