Report: Government software flawed, rarely fixed
- By Derek Major
- Jun 23, 2015
Most government software fails basic security screening, a new report finds. And government agencies lag far behind other sectors when it comes to fixing flaws once they're found.
According to Veracode’s annual software security report just 24 percent of government sector software was found to be compliant -- the lowest rate among seven sectors Veracode studied. The report suggests that one reason could be government's frequent use of scripting and older languages such as ColdFusion, which can lead to more vulnerabilities.
When it comes to fixing those vulnerabilities, government again had the lowest rate at just 27 percent. Veracode looked 34 industries in all, grouped into seven sectors: government, financial services, healthcare, manufacturing, retail and hospitality, technology and "other."
Government did better when it came to flaw density, which is defined by Veracode as the number of flaws for an application per megabyte of code. Veracode found government software had 63 flaws per megabyte, seven of which were considered serious. The average across all sectors was 53 flaws per megabyte, with 10 severe flaws per megabyte.
For the report, Veracode used the Open Web Application Security Project’s list of the top 10 most important vulnerability categories when screening applications.The report also showed that the software used by government agencies is most frequently built with .NET and Java applications. (Those two were the most popular among all seven sectors. ) SQL injection vulnerabilites, which are the most often exploited in web application attacks according to a Verizon data breach report, have the highest presence in the government sector, according to the Veracode.
Veracode, an application security company, derives its data from analysis of billions of lines of code from more than 200,000 application scans performed over the past 18 months.
Derek Major is a former reporter for GCN.