Governments Rank Last in 2015 Software Security Report

While the healthcare industry’s lack of security infrastructure has dominated much of the conversations about security in 2015, these conversations have failed to acknowledge that government institutions rank even lower in security procedures.

In an article published recently by CSO Online, writer Maria Korolov reports the results of Veracode’s 2015 State of Software Security Report. The report revealed that “three-quarters of all government Web and mobile applications fail their initial security reviews, making it the worst-performing vertical.” Even more, government institutions are also the slowest at fixing vulnerabilities, making them the least secure industry.

Although the government institutions included in this study are largely civilian-facing institutions (excluding the military and intelligence agencies), the irony of government institutions having the worst security infrastructures while housing some of our most vital personal information, is enough to weaken citizen trust of government institutions. After the most recent security breach of the Office of Personnel Management—affecting the personal data of an estimated 18-million current, former, and prospective federal employees—nobody doubts that government institutions are highly targeted.

The Study

Veracode, a software source code-auditor, has long been doing these yearly reports of software security. This year, however, is the first year that Veracode has separated the results by industry, and the results are surprisingly revealing. The report considers over 200,000 software applications for an 18-month period, and each application is examined for how many vulnerabilities it has, how often the applications complied with widely accepted security standards, and how often the vulnerabilities were fixed.

The vulnerabilities that Veracode looked for specifically in these software applications included well-known security risks such as code quality, cryptographic issues, information leakage, CRLF injection, cross-site scripting (XSS), directory traversal, insufficient input validation, SQL injection, credentials management, and time and state.

The Results

Divided into verticals, the results from this 2015 State of Software Security Report illustrate the different ways that each vertical is or is not prioritizing top security protocols as well as remediating security vulnerabilities.

The low ranking results of government institutions is what has called the most attention to the study. According to this report, only 24% of government applications comply with the OWASP Top 10 Policy on First Risk Assessment, and only 27% of government application vulnerabilities had been remediated at the end of the 18-month study. This suggests not only that government agencies are not complying with the security standards, but also, even when errors are identified they are still not getting fixed. The fact that government institutions are not remediating the vulnerabilities in their software is a big concern for many, especially since these applications have access to highly sensitive citizen information.

The Take-Away

A big take-away from this study comes down to remediation of vulnerabilities. Even though 80% of healthcare applications were shown to contain cryptographic issues, 43% of them were being remediated at the end of the 18-month study, putting healthcare organizations in higher standing than government organizations. While no single organization can claim perfect security at all times due to the ever-evolving nature of the Internet, remediation efforts can determine the level of trust that an organization deserves. These remediation efforts are an integral component of keeping any web environment secure.

 

Download the full report here.