
Veracode Research Reveals Increased Cyber Risk in Government Applications: 59% Have Unfixed Flaws for Over a Year

Veracode, a global leader in application risk management, has released its latest research indicating that public sector applications face significantly higher security debt compared to those in the private sector. The "State of Software Security Public Sector 2024" report highlights that 59% of government applications contain flaws that have been left unfixed for over a year, compared to 42% across all sectors. This extensive study examined public sector organizations in over 25 countries.

"Decades of accumulated security debt in unpatched software and poor security configurations are present in applications serving our government," stated Chris Eng, Chief Research Officer at Veracode. "Without a systematic and continuous approach to finding and fixing security flaws, the public sector remains dangerously exposed to cyberattacks."

Federal government systems are increasingly targeted by cybercriminals employing more damaging and disruptive techniques. In response, federal initiatives are underway to enhance cybersecurity, including efforts to mitigate risks in government-serving applications. In March 2024, the Cybersecurity and Infrastructure Security Agency (CISA) and the Office of Management and Budget (OMB) introduced the Secure Software Development Attestation Form to hold federal software providers accountable for security shortcomings.

Veracode's findings reveal that while 68% of public sector organizations carry security debt, slightly fewer than in other industries (71%), those that do tend to accumulate more of it. Only 3% of public sector applications are flaw-free, compared to 6% in other industries. Alarmingly, 40% of public sector entities have persistent, high-severity flaws constituting 'critical' security debt, which jeopardizes business confidentiality, integrity, and availability if exploited.

"The good news is that most organizations can remediate all critical debt, but risk prioritization is key," Eng noted. "Two-thirds of all flaws in public sector organizations are less than a year old or not critically severe. Furthermore, less than one percent of all flaws constitute critical security debt. By focusing efforts on critical security debt, organizations can achieve maximum risk reduction and then address non-critical flaws based on their risk tolerance and capabilities."

The report indicates that security debt in the public sector primarily affects first-party code (93%), though most critical security debt originates from third-party dependencies (55.5%). This highlights the importance of the Open Source Security Software Initiative (OS3I), an inter-agency effort to ensure the security and sustainability of open-source software. Organizations need to focus on both first- and third-party code to effectively reduce security debt.

Security debt is concentrated in older, larger applications (22%), particularly for critical security debt (30%), suggesting a correlation between application age and security debt accumulation. The research also identified Java and .NET applications as significant sources of debt in the public sector.

"The current state of software security in the public sector underscores the necessity of making 'secure by design' a standard approach for our interconnected world," Eng concluded. "We applaud CISA’s recent Secure by Design Pledge and are proud to be one of its inaugural signatories. Our aim with this research is to support our government and industry partners in promoting the widespread adoption of these principles."
