Article
Cloud & Cybersecurity

Veracode: software security still lagging in public sector

By Amber Jackson
June 15, 2023
undefined mins
The research comes in the midst of government initiatives to strengthen cybersecurity, which include efforts to reduce vulnerabilities in applications that perform critical government functions.
The research comes in the midst of government initiatives to strengthen cybersecurity, which include efforts to reduce vulnerabilities in applications that perform critical government functions.
Veracode’s State of Software Security Public Sector 2023 report finds security flaws in 82% of government applications, suggesting a need for cyber safety

Leading intelligent software security provider, Veracode, have released research indicating that applications developed by public sector organisations tend to have more security flaws than those of the private sector. These findings have demonstrated a definite need to continue working towards equalities between sectors to ensure cyber safety for all.

The Veracode State of Software Security 2023 findings suggest an increased number of flaws and vulnerabilities in applications correlate with increased levels of risk. The research comes in the midst of government initiatives to strengthen cybersecurity, which include efforts to reduce vulnerabilities in applications that perform critical government functions.

A need to close the gap between private and public

Researchers found that just under 82% of applications developed by public sector organisations had at least one security flaw detected in their most recent scan over the last 12 months, compared to 74 percent of private sector organisations. Depending on the type of flaw tracked, public sector applications had a 7–12% higher probability of having a flaw introduced in the last 12 months.

"The difference between the rate at which flaws appear in public and private sector applications is significant. Efforts by the government to close the gap are necessary and should continue,” said Chris Eng, Chief Research Officer at Veracode.

“As stewards of public safety, agencies have a responsibility to close this gap and strengthen security to protect the nation and its citizens.”

Analysis of data collected from more than 27 million scans across 750,000 applications helped to produce Veracode’s latest annual report on the State of Software Security. This new report showcases public sector-specific findings from those scans and applications, including results from governments across the world.

Public sector excel at discovering ‘High Severity Flaws’

Veracode’s research also found that public sector organisations are adept at detecting “high severity flaws” (16.5%) in a 12-month period, despite not discovering as many as non-public sector applications (19%). This is still significant because high severity flaws, when exploited, have greater potential to impact systems adversely. 

Modern application testing encourages use of multiple security scanning tools, such as static application security testing (SAST) and software composition analysis (SCA), because different scan types excel at uncovering different types of flaws. Ultimately, according to the report, SAST and SCA found application flaws in a smaller percentage of public sector agencies compared to private sector applications.

Veracode suggests that a significant difference between public and private sector applications is the rate that scans discover new flaws in ageing software. After five years in production, the two sectors show stark differences, as the rate of new flaws introduced in private sector applications increase, as opposed to rates for public sector agencies decrease. 

According to the report, this trend is suggestive of public sector agencies being more vigilant about keeping applications secure over time, and not just during the first few years of the life cycle. Applications outside government, by contrast, experience a gradual and steady increase in the introduction of new flaws as they age.

Eng went on to state: “As modern IT systems have evolved and become more complex, the taxonomy of application flaws has become more varied.

“As such, the use of multiple scan types to find and fix flaws has become a best practice.”

He continued: “The public sector has come a long way in strengthening the security of applications that serve government, but there is still more work to be done for public sector entities to improve their cyber posture and repel incoming threats. 

“By focusing security efforts on the root cause of most cyber breaches—the application layer—agencies can achieve necessary improvements. Scanning regularly with a variety of testing types and addressing security debt—the accumulated software vulnerabilities that threaten a system’s safety—will pave the way toward a more secure future for government agencies.”

The full public sector research from the Veracode State of Software Security report is available here.

technologycybersecurityVeracodeReportPress Releasesecurity softwarePublic sectorprivate sectorGovernment global technologyIT Governance Systemssystem configuration
Share
Share
Author
Amber Jackson

Featured Articles

Globant to Drive Formula 1’s Digital Transformation

Globant has announced it has become an official partner of Formula 1, with the deal set to focus on digitising the pit wall and boosting the fan experience

HPE: Businesses Must Tackle Blind Spots in AI Strategies

As businesses rush to embrace AI, HPE research finds many are falling into an overconfidence trap by overlooking critical gaps in their strategies

Google’s Becky Power joins Tech & AI LIVE London

Becky Power, Managing Director of EMEA Strategy and Operations at Google, to speak at Tech & AI LIVE London

Join Belden for a Free Webinar on Connected Plant Floor Data

Digital Transformation

Microsoft Invests $1.7bn in Indonesia's Cloud and AI Future

Cloud & Cybersecurity

Microsoft & Alphabet: AI and Cloud Strategy Driving Success

IT Procurement