Report: Government software flawed, rarely fixed

Most government software fails basic security screening, a new report finds. And government agencies lag far behind other sectors when it comes to fixing flaws once they're found.

According to Veracode's annual software security report, just 24 percent of government sector software was found to be compliant -- the lowest rate among the seven sectors Veracode studied. The report suggests that one reason could be government's frequent use of scripting and older languages such as ColdFusion, which can lead to more vulnerabilities.

When it comes to fixing those vulnerabilities, government again had the lowest rate, at just 27 percent. Veracode looked at 34 industries in all, grouped into seven sectors: government, financial services, healthcare, manufacturing, retail and hospitality, technology and "other."

Government did better when it came to flaw density, which Veracode defines as the number of flaws in an application per megabyte of code. Veracode found government software had 63 flaws per megabyte, seven of which were considered serious. The average across all sectors was 53 flaws per megabyte, with 10 severe flaws per megabyte.

For the report, Veracode used the Open Web Application Security Project's list of the top 10 most important vulnerability categories when screening applications. The report also showed that the software used by government agencies is most frequently built with .NET and Java. (Those two were the most popular among all seven sectors.) SQL injection vulnerabilities, which are the most often exploited in web application attacks according to a Verizon data breach report, have the highest presence in the government sector, according to Veracode.

Veracode, an application security company, derives its data from analysis of billions of lines of code from more than 200,000 application scans performed over the past 18 months.

About the Author

Derek Major is a former reporter for GCN.