Research Reveals Software Security at Public Sector Organizations Lagging


    • Veracode’s State of Software Security Public Sector 2023 Report Finds Security Flaws in 82% of Government Applications

    • The public sector still outperforms the private sector in some areas

    Burlington, Massachusetts, June 5, 2023–(BUSINESS WIRE)–Veracode, a leading global provider of intelligent software security, today announced research showing that applications developed by public sector organizations tend to have more security flaws than those created by the private sector. This finding is noteworthy because a higher number of application flaws and vulnerabilities correlates with a higher level of risk. The research comes amid recent efforts by the federal government to strengthen cybersecurity, including efforts to mitigate vulnerabilities in applications that perform critical government functions.

    Researchers found that just under 82% of applications developed by public sector organizations had at least one security flaw detected in their most recent scan in the last 12 months, compared to 74% of applications from private sector organizations. Depending on the type of flaw tracked, public sector applications were 7-12% more likely to have introduced a flaw within the last 12 months.

    “There is a large disparity in the rate at which defects appear in public and private sector applications. Efforts by governments to bridge this gap are necessary and must continue; they have a responsibility to bridge this gap and strengthen security, to protect our nation and our people,” said Chris Eng, chief research officer at Veracode.

    Analysis of data collected from more than 27 million scans across 750,000 applications helped create Veracode’s latest annual report, State of Software Security. This new report presents public sector-specific results from these scans and applications, including federal, state and local government results.

    Numbers alone can’t convey what happens when attackers exploit software flaws and vulnerabilities. In early May of this year, a ransomware attack on the city of Dallas disrupted systems that public services relied on, such as IT systems used by public safety agencies. More than three weeks after the attack, public institutions in Dallas were still not fully restored.

    High Severity Flaws: The Public Sector Wins

    Veracode’s research also found a reason for public sector organizations to be optimistic about application security. Public sector applications had a lower rate of “high severity” flaws discovered over the 12-month period (16.5%) than non-public sector applications (19%). This is worth noting because high-severity flaws are more likely to cause serious harm to a system if they are exploited.

    Modern application testing encourages the use of multiple types of security scanning tools, including static application security testing (SAST) and software composition analysis (SCA), because different scan types are better at finding different types of flaws. Both SAST and SCA found flaws in a smaller share of public sector applications than private sector applications.

    The smaller number of flaws found by SCA may indicate the early impact of the Executive Order of May 2021 (EO 14028), which directs US federal agencies to step up efforts to protect the software supply chain. The EO also calls for increased use of software bills of materials (SBOMs), which list the building blocks of software, thereby promoting information sharing, transparency, and visibility. Elsewhere, the Federal Risk and Authorization Management Program (FedRAMP) standardizes security assessments for cloud products and services. Similarly, StateRAMP enables state and local governments to validate the compliance of cloud service providers with cybersecurity policies.

    “As modern IT systems have evolved and become more complex, the taxonomy of application defects has become more diverse,” says Eng. “That’s why it’s become a best practice to use multiple scan types to find and fix defects.”

    An ounce of prevention is worth a pound of cure

    A significant difference between public and private sector applications is the rate at which scans discover new flaws in aging software. By the time the software is five years old, the two sectors diverge sharply: the rate at which new flaws are introduced in private sector applications increases, while the rate of introduction declines in public sector agencies.

    This trend suggests that public sector agencies are becoming more vigilant about keeping applications secure over time, not just in the first few years of their lifecycle. In contrast, non-government applications slowly and steadily introduce new flaws over time.

    The State of Software Security Public Sector 2023 report recommends four actions government agencies can take to improve their cybersecurity posture.

    • Catch up: Fix the backlog of known flaws.

    • Scan regularly: Inconsistent scans make it more difficult to fix defects and increase the backlog.

    • Automation: Reduce the introduction of defects into your applications by automating tests via APIs.

    • Add DAST to the Stack: Use dynamic scanning to find defects that other scan types miss.

    “The public sector has come a long way in securing the applications that serve governments, but there is still much work to be done to improve the cyber posture of government agencies and fend off incoming threats. By focusing security efforts on the root cause of most cyber breaches, the application layer, government agencies can achieve the necessary improvements. And by addressing security debt – the accumulated software vulnerabilities that threaten the security of systems – we pave the way for a more secure future for government agencies,” Eng concluded.

    The complete public sector findings from the Veracode State of Software Security report are available and provide key comparative metrics across government agencies.

    The full Veracode State of Software Security 2023 report is available for download.

    About the State of Software Security Report

    Volume 13 of Veracode’s annual State of Software Security Report examines the historical trends shaping the software landscape and how security practices have evolved along with those trends. This year’s findings are based on the complete historical data available from Veracode services and customers, representing large and small businesses, commercial software suppliers, software outsourcers, and open source projects. The report contains findings on applications that have been subjected to static analysis, dynamic analysis, software composition analysis, and/or manual penetration testing through Veracode’s cloud-based platform. It takes into account data provided by Veracode’s customers and information calculated or derived during Veracode’s analysis.

    About Veracode

    Veracode is intelligent software security. The Veracode Software Security Platform continuously detects flaws and vulnerabilities at every stage of the modern software development lifecycle. Veracode customers use AI trained on trillions of lines of code to fix flaws faster and with greater accuracy. Trusted by security teams, developers and business leaders at thousands of the world’s leading organizations, Veracode pioneered and continues to redefine what intelligent software security means. Veracode is FedRAMP and StateRAMP accredited.

    Copyright © 2023 Veracode, Inc. All rights reserved. Veracode is a registered trademark of Veracode, Inc., USA and may be registered in certain other jurisdictions. All other product names, brands and logos belong to their respective owners. All other trademarks cited herein are the property of their respective owners.


    Contact

    Katie Gwilliam


    Leave a Reply

    Please enter your comment!
    Please enter your name here