Report: Government software flawed, rarely fixed

Most government software fails basic security screening, a new report finds.  And government agencies lag far behind other sectors when it comes to fixing flaws once they're found.

According to Veracode’s annual software security report, just 24 percent of government sector software was found to be compliant -- the lowest rate among the seven sectors Veracode studied. The report suggests that one reason could be government's frequent use of scripting and older languages such as ColdFusion, which can lead to more vulnerabilities.

When it comes to fixing those vulnerabilities, government again had the lowest rate, at just 27 percent. Veracode looked at 34 industries in all, grouped into seven sectors: government, financial services, healthcare, manufacturing, retail and hospitality, technology and "other."

Government did better when it came to flaw density, which is defined by Veracode as the number of flaws for an application per megabyte of code. Veracode found government software had 63 flaws per megabyte, seven of which were considered serious.  The average across all sectors was 53 flaws per megabyte, with 10 severe flaws per megabyte.  

For the report, Veracode used the Open Web Application Security Project’s list of the top 10 most important vulnerability categories when screening applications. The report also showed that the software used by government agencies is most frequently built with .NET and Java applications. (Those two were the most popular among all seven sectors.) SQL injection vulnerabilities, which are the most often exploited in web application attacks according to a Verizon data breach report, have the highest presence in the government sector, according to Veracode.

Veracode, an application security company, derives its data from analysis of billions of lines of code from more than 200,000 application scans performed over the past 18 months.

About the Author

Derek Major is a former reporter for GCN.
