Le Lézard

Research Reveals Software Security at Public Sector Organizations Lagging


Veracode, a leading global provider of intelligent software security, today released research indicating that applications developed by public sector organizations tend to have more security flaws than applications created by the private sector. The findings are notable because increased numbers of flaws and vulnerabilities in applications correlate with increased levels of risk. The research comes amid a flurry of recent initiatives by the federal government to strengthen cybersecurity, including efforts to reduce vulnerabilities in applications that perform critical government functions.

Researchers found that just under 82 percent of applications developed by public sector organizations had at least one security flaw detected in their most recent scan over the last 12 months, compared to 74 percent of private sector organizations. Depending on the type of flaw tracked, public sector applications had a 7 to 12 percent higher probability of having a flaw introduced in the last 12 months.

"The difference between the rate at which flaws appear in public and private sector applications is significant. Efforts by the government to close the gap are necessary and should continue. As stewards of public safety, agencies have a responsibility to close this gap and strengthen security to protect the nation and its citizens," said Chris Eng, Chief Research Officer at Veracode.

Analysis of data collected from more than 27 million scans across 750,000 applications helped to produce Veracode's latest annual report on the State of Software Security. This new report showcases the public sector-specific findings from those scans and applications, including results from federal, state, and local government.

Numbers alone don't convey the consequences that occur when hackers exploit software flaws and vulnerabilities. In early May this year, a ransomware attack against the city of Dallas hobbled functions relied on to deliver public services, including IT systems used by public safety agencies. More than three weeks after the attack occurred, Dallas's public agencies hadn't fully recovered.

High Severity Flaws: A Win for the Public Sector

Veracode's research also found reasons for public sector organizations to be optimistic about application security. Discovery of "high severity" flaws in public sector applications (16.5 percent) in a 12-month period was lower than in non-public sector applications (19 percent). This is noteworthy because high severity flaws, when exploited, have greater potential to impact systems adversely.

Modern application testing encourages the use of multiple types of security scanning tools, such as static application security testing (SAST) and software composition analysis (SCA), because different scan types excel at uncovering different types of flaws. Both SAST and SCA found flaws in a smaller percentage of public sector applications than of private sector applications.

Finding fewer flaws when using SCA tools could signal the initial impact of the May 2021 Executive Order (EO 14028), which directs U.S. federal agencies to invigorate efforts to protect the software supply chain. This EO also calls for greater use of software bills of materials (SBOMs), which list the components that make up a piece of software, thereby promoting information sharing, transparency, and visibility. Elsewhere, the Federal Risk and Authorization Management Program (FedRAMP) standardizes security assessment of cloud products and services used by federal agencies. Similarly, StateRAMP enables state and local governments to verify cloud service providers' compliance with cybersecurity policies.

"As modern IT systems have evolved and become more complex, the taxonomy of application flaws has become more varied," Eng said. "As such, the use of multiple scan types to find and fix flaws has become a best practice."

An Ounce of Prevention is Worth a Pound of Cure

A stark difference between public and private sector applications is the rate at which scans discover new flaws in aging software. By the time software has been in production for five years, the two sectors diverge sharply: rates of new flaws introduced in private sector applications increase, while rates for public sector agencies decline.

This trend suggests that public sector agencies are more vigilant about keeping applications secure over time, and not just during the first few years of the lifecycle. Applications outside government, by contrast, experience a gradual and steady increase in the introduction of new flaws as they age.

The State of Software Security Public Sector 2023 report recommends four actions agencies can take to improve their cybersecurity posture.

"The public sector has come a long way in strengthening the security of applications that serve our government, but there is still more work to be done for agencies to improve their cyber posture and repel incoming threats. By focusing security efforts on the root cause of most cyber breaches, the application layer, agencies can achieve necessary improvements. Scanning regularly with a variety of testing types and addressing security debt (the accumulated software vulnerabilities that threaten a system's safety) will pave the way toward a more secure future for government agencies," Eng concluded.

The full public sector research from the Veracode State of Software Security report is available and provides core comparative metrics among government agencies.

The full Veracode State of Software Security 2023 is available to download.

About the State of Software Security Report

The 13th volume of Veracode's annual report on the State of Software Security examines historical trends shaping the software landscape and how security practices are evolving along with those trends. This year's findings are based on the full historical data available from Veracode services and customers and represent a cross-section of large and small companies, commercial software suppliers, software outsourcers, and open-source projects. The report contains findings about applications that were subjected to static analysis, dynamic analysis, software composition analysis, and/or manual penetration testing through Veracode's cloud-based platform. The report considers data that was provided by Veracode's customers and information that was calculated or derived in the course of Veracode's analysis.

About Veracode

Veracode is intelligent software security. The Veracode Software Security Platform continuously detects flaws and vulnerabilities at every stage of the modern software development lifecycle. Prompted by powerful AI trained on trillions of lines of code, Veracode customers fix flaws faster with high accuracy. Trusted by security teams, developers, and business leaders from thousands of the world's leading organizations, Veracode is the pioneer, continuing to redefine what intelligent software security means. Veracode is accredited under the FedRAMP and StateRAMP Risk and Authorization Management Programs.

Copyright © 2023 Veracode, Inc. All rights reserved. Veracode is a registered trademark of Veracode, Inc. in the United States and may be registered in certain other jurisdictions. All other product names, brands or logos belong to their respective holders. All other trademarks cited herein are property of their respective owners.

