Survey Finds Government Application Security Wanting

Veracode compiled data on application scans covering 18 months in its State of Software Security report.
Veracode compiled data on application scans covering 18 months in its State of Software Security report.

In-brief: A survey of web and mobile applications by the firm Veracode finds that governments are the most likely to use insecure software, as measured against the OWASP (Open of Web Application Security Project) Top 10.

A survey of web and mobile applications by the firm Veracode finds that governments are the most likely to use insecure software, as measured against the OWASP (Open of Web Application Security Project) Top 10.

The 2015 State of Software Security report – the first the company has released in a number of years –  reveals that web and mobile applications produced or used by government organizations are more likely than those in other industries to fail standard security policies like the OWASP Top 10.

[Read more Security Ledger coverage of Application Security here.]

Veracode collected data from 208,670 application scans performed using the company’s cloud-based platform over a period of 18 months.

 

Applications used by government organizations were found to be free of vulnerabilities on the OWASP Top 10 test 24 percent of the time on their first scan using Veracode’s platform, using static code analysis,  dynamic code analysis and manual penetration testing. In contrast, applications used by financial services firms passed the OWASP Top 10 test 42% of the time, Veracode said.

Still, applications used by government organizations were merely the lowest of a group of low performers. Financial services applications were generally found to be the most secure, out of the box. The next best performing vertical was manufacturing, where just 34% of applications tested passed the OWASP Top 10 on their first try. In retail, the number was just under 30%.

“Across our entire data set, we see a low pass rate for the OWASP Top 10 policy,” Veracode concluded.

Regulatory mandates and the use of so-called “continuous improvement processes” may be behind the financial service industry’s higher performance on the test. The low pass rate in government may be attributable to a lack of overarching regulations governing application security, as well as a higher use of scripting languages and older languages, Veracode concluded.

 

The report contains some other Alice-in-Wonderland revelations: commercially developed software was actually less secure than software developed in-house. Healthcare industry applications had a much lower “flaw density” (a measure of the average risk per unit of software) than applications in the technology sector.

Veracode notes that the performance is dependent on a number of factors – notably: the languages used to develop applications, which varies greatly from industry vertical to industry vertical. The manufacturing industry, for example, has a disproportionately high share of ColdFusion applications, resulting in the highest “flaw density” of any vertical, while the technology industry has a disproportionately high share of C/C++ applications.