Government Remediates Only a Quarter of All Vulnerable Apps

Web and mobile applications produced or used by government organizations are more likely than those in other industries to fail standard security policies.

Veracode’s 2015 State of Software Security report has revealed that government organizations remediate only 27% of application vulnerabilities once detected—last among the seven vertical markets analyzed. In contrast, financial services and manufacturing ranked best across most categories, with healthcare, retail and hospitality near the bottom.

Moreover, government applications have the highest prevalence of SQL Injection vulnerabilities—commonly used to steal sensitive data from databases—upon initial assessment.

As organizations increasingly rely on software to drive their businesses, the threat surface available to cyber-attackers has dramatically expanded. As a result, one of the leading causes of data breaches over the past two years has been vulnerable applications. Yet, analytics collected from more than 200,000 application risk assessments over the last 18 months found a wide disparity in how the problem is addressed across industries.

“Every industry faces the challenge of securing web and mobile applications—which are continuously growing in both volume and complexity—across disparate and geographically-distributed development teams,” said Chris Wysopal, Veracode CISO and CTO.  “In 2014, we helped our customers identify and remediate 4.7 million vulnerabilities, significantly reducing enterprise risk. This report clearly shows that industries that ‘get it’ have been able to achieve substantial success while others still struggle to manage the problem at scale.”

For one, reliance on outdated programming languages has hamstrung government security. The government ranks last among vertical markets, with three out of four government applications failing the OWASP Top 10 when initially assessed for risk. Part of the reason for this is that many government agencies still use older programming languages such as ColdFusion, which are known to produce more vulnerabilities.

The report also found that the financial services and manufacturing industries’ attention to software security pays off.  In contrast to the government sector, organizations in financial services and manufacturing more proactively remediate the majority of their vulnerabilities (65% and 81% respectively). These results appear to indicate a higher institutional awareness of application security risk and a stronger emphasis on enforcing enterprise-wide policies, monitoring key performance indicators (KPIs) and instituting continuous improvement processes.

Also, significant risk is introduced by the software supply chain.  Nearly three out of four applications produced by third-party software vendors and SaaS suppliers fail the OWASP Top 10 when initially assessed.

While government is certainly concerning, healthcare organizations also fared poorly in the report. Given the large amount of sensitive data collected by healthcare organizations, it’s disturbing that 80% of healthcare applications exhibit cryptographic issues such as weak algorithms upon initial assessment. In addition, healthcare fares near the bottom of the pack when it comes to addressing remediation, with only 43% of known vulnerabilities being remediated.

What’s Hot on Infosecurity Magazine?