Three-quarters of all government Web and mobile applications fail their initial security reviews

Three-quarters of all government Web and mobile applications fail their initial security reviews, making it the worst-performing vertical, and government agencies are also the slowest at fixing vulnerabilities, according to a new report released today by Veracode.

The report covers more than 200,000 applications analyzed over the past 18 months by the company. According to Chris Wysopal, CTO and CISO at Veracode, the applications could be newly written software or legacy applications being sent to Veracode for the first time.

The applications are scanned for the most common security flaws, such as SQL injection, cross-site scripting, weak cryptography, use of components with known vulnerabilities, missing access controls and broken authorization.

But the initial testing is only the first step of the process. Veracode also looks at what percentage of these vulnerabilities had been fixed as of March, Wysopal said, based on a follow-up assessment of the same code. “We see that government is way down on the list,” he said. “They’re only fixing 27 percent of the issues we’re telling them about.”

The financial sector does the best in the initial testing, with 42 percent of applications passing on the first round, followed by manufacturing at 35 percent.

Financial services companies also do a good job with remediation, fixing 65 percent of the security flaws. But manufacturing does even better, fixing 81 percent of the problems.

“Manufacturing comes out as the industry that’s taking security most seriously,” said Wysopal.

A possible reason could be that manufacturing adopted process improvement methodologies earlier than other industries as part of its business culture.
This sector has also been a leader in implementing supply chain controls for its critical suppliers.

The latter is particularly important when it comes to software vulnerabilities because, according to Veracode’s security scans, third-party software scores significantly worse than software developed in-house. “The software you’re purchasing from your commercial vendor is as bad as the software the government is producing for its own use,” said Wysopal. “And that should scare people.”

On average, 37 percent of internally developed code passed the initial review, compared to 28 percent of commercial code.

“The top commercial vendors are actually pretty good,” he said. “But when you look at the hundreds and hundreds of small software providers, a lot of them aren’t doing anything when it comes to testing for security flaws.”

In addition to grading applications on a pass-fail basis, Veracode also calculated the average flaw density of applications, in terms of the number of flaws per line of code. Flaw density has more to do with the choice of programming language, said Wysopal.

“We tend to see higher vulnerabilities in older languages,” he said.

Here, manufacturing scored the worst, with four times the flaw density of the next-highest vertical, technology.

“Manufacturing is skewed by the older code base,” he said.

This is the fifth year that Veracode has produced this report, but the first year in which the report was organized by industry vertical, so historical trend data isn’t yet available.

However, the overall trend is that things are slowly getting better, said Wysopal. “But not dramatically.”