Report: Government software flawed, rarely fixed

Most government software fails basic security screening, a new report finds. And government agencies lag far behind other sectors when it comes to fixing flaws once they're found.

According to Veracode's annual software security report, just 24 percent of government sector software was found to be compliant -- the lowest rate among the seven sectors Veracode studied. The report suggests that one reason could be government's frequent use of scripting and older languages such as ColdFusion, which can lead to more vulnerabilities.

When it comes to fixing those vulnerabilities, government again had the lowest rate, at just 27 percent. Veracode looked at 34 industries in all, grouped into seven sectors: government, financial services, healthcare, manufacturing, retail and hospitality, technology and "other."

Government did better when it came to flaw density, which Veracode defines as the number of flaws per megabyte of an application's code. Veracode found government software had 63 flaws per megabyte, seven of which were considered serious. The average across all sectors was 53 flaws per megabyte, with 10 severe flaws per megabyte.

For the report, Veracode used the Open Web Application Security Project's list of the top 10 most important vulnerability categories when screening applications. The report also showed that the software used by government agencies is most frequently built in .NET and Java. (Those two were the most popular among all seven sectors.) SQL injection vulnerabilities, which are the most often exploited in web application attacks according to a Verizon data breach report, have the highest presence in the government sector, according to Veracode.

Veracode, an application security company, derives its data from analysis of billions of lines of code from more than 200,000 application scans performed over the past 18 months.

About the Author

Derek Major is a former reporter for GCN.
