After breaking down application security trends by industry, a security firm found that the government sector ranked lowest in remediating known vulnerabilities.
According to Veracode's “State of Software Security” report (PDF) released in June, government organizations “are not sufficiently addressing remediation,” as only 27 percent of flaws identified by the company's cloud-based platform were addressed. Included in the dataset were more than 208,000 application assessments which were analyzed over an 18-month period ending March 31, 2015.
Other industries analyzed were manufacturing, financial services, retail and hospitality, technology and healthcare – where 43 percent of application vulnerabilities similarly remained open.
The report noted, however, that “last among all industry sectors” was the government vertical.
“…Government applications have the highest prevalence of SQL injection, and 3 out of 4 public sector applications fail the OWASP Top 10 when first assessed for risk. Part of the reason for this is that many government agencies still use older programming languages such as ColdFusion, which are known to produce more vulnerabilities,” the report said.
The OWASP Top 10 is a list of the most critical web application security risks as determined by the Open Web Application Security Project (OWASP), a security community with over 42,000 members.
In addition, Veracode's analysis found that the government sector also held the lowest “pass rate” in complying with the OWASP Top 10 policy (during Veracode's initial risk assessment). The company also point out that, during the first risk assessment, it saw a low compliance pass rate across its entire data set.
While the government sector was in compliance only 24 percent of the time, applications used by financial services organizations (which held the highest compliance rate) earned an OWASP Top 10 compliance pass rate of only 42 percent. Again, Veracode said that the government sector's compliance issues might “partially be explained by the higher use of scripting languages and older languages,” like ColdFusion.
In order to help organizations better remediate vulnerabilities affecting web applications, Veracode advised entities to take advantage of remediation coaching, in which security experts can explain the testing process, review findings and help organizations formulate a remediation and risk mitigation plan. Veracode's report also highlighted the top three vulnerability categories within the government vertical: code quality flaws, cryptographic issues, and information leakage bugs.