The government is falling behind on application security

Three out of four government applications fail the OWASP Top 10 and the government is slacking off on fixing flaws, Veracode found

Top 10 application vulnerability categories by industry vertical

Government organizations are struggling when it comes to securing the computer software they use, which could partially explain the large data breaches reported in that sector over the past several years.

Three out of four applications used by government organizations are not compliant with one of the primary Web application security guidelines, and most of the flaws found in them never get fixed, according to a report released Tuesday by U.S.-based application security firm Veracode.

The report is based on an analysis of more than 200,000 applications, used by organizations in various industries, over the past 18 months. The tests were performed using Veracode's cloud-based application security testing platform, which combines static analysis, dynamic analysis and manual penetration testing techniques.

The company found that only 24 percent of applications submitted for review by government customers were compliant with the OWASP Top 10, a list of the 10 most common types of vulnerabilities in Web applications, complete with explanations of the risks they pose, code examples and guidance on how to avoid them. The OWASP Top 10 is referenced by many other standards, including the Payment Card Industry Data Security Standard (PCI DSS).

By contrast, applications from the financial services sector had an OWASP Top 10 compliance rate of 42 percent, those from the manufacturing sector 35 percent, and those used by technology companies 32 percent. Applications used in the health care and the retail and hospitality sectors had compliance rates of 31 and 30 percent, respectively -- both of these sectors having been plagued by large data breaches in recent years.

There are multiple reasons why the government is scoring badly on application security, according to Chris Wysopal, the chief technology officer of Veracode. These include the government's use of old scripting and programming languages, its failure to self-regulate and its failure to impose security requirements on its software suppliers.

The government sector still uses a lot of legacy code written in languages like ColdFusion or Classic ASP that were popular in the 1990s, Wysopal said. Other industries have moved away from those and are now largely focusing on languages like .NET or Java that are faster, and where it's harder to make certain errors, he said.

In other industry sectors like financial services there's strong competition between companies, which drives them to modernize their systems and applications, but that competitive pressure doesn't exist inside the government, Wysopal said.

Using older programming languages wouldn't be such a big problem if the government would routinely fix the identified flaws. Sadly, Veracode's data shows that the government's remediation rate for flaws found in its applications is only 27 percent.

The company saw a high level of legacy code use in the manufacturing sector as well, but by comparison, those companies patched 80 percent of their application flaws. That vulnerability remediation rate was even higher than that of financial services companies, which are a primary target for hackers and are typically more diligent.

Another important aspect that contributes to the problem is that the government's approach to security is very compliance-oriented instead of being based on assessing risk.

Government organizations wait for orders from the Government Accountability Office or implement standards from the National Institute of Standards and Technology, which means that their security is moving very slowly, because those regulations take many years to change, Wysopal said.

Meanwhile, the field of application security has rapidly grown in prominence over the past five years with the rise of Web and mobile applications. These applications allow organizations to provide valuable new services, but at the same time add a lot of risks and need to be covered by their security programs, he said.

There's also a lack of sanctions for government organizations, according to Wysopal. By comparison, healthcare or financial organizations have to follow strict data protection rules and risk serious fines if their sensitive customer information is compromised.

"Who's getting fined for the recent breach at the Office of Personnel Management that exposed information on millions of current and former federal employees?" Wysopal said. "Nobody, because the government doesn't really hold itself accountable like it holds others."

Another aspect that plays into the poor state of application security inside government organizations is that most of the applications they use are either purchased from third parties or developed by outsourcing firms. Veracode's data shows that less than one in three commercial applications purchased by organizations from third-party software suppliers were compliant with the OWASP Top 10 when first tested.

Outsourcing software development is not a problem per se, as financial services or manufacturing companies rely heavily on this practice too, Wysopal said. However, those companies have better application security because they have requirements in place for their software suppliers, such as mandatory third-party security testing or compliance with certain security standards. "We don't see that inside the government," he said.

This should serve as a wake-up call to everybody, Wysopal said. Organizations should look at their software supply chains, put security requirements in their contracts and test the applications they're getting so they can hold vendors accountable, he said.

When it comes to vulnerability remediation, Veracode found that many companies don't fix some of the flaws found in their applications because they lack people with application security expertise. Because of that, the vulnerability reports keep piling up and the flaws never get fixed.

Companies have understood that they need to do more application security testing, but they're having trouble solving the problems they find, Wysopal said. Companies should definitely invest in application security training for their developers, but in the meantime they can also look externally to security companies that can provide assistance on fixing application flaws as a service, he said.

Stories by Lucian Constantin