IT Security

Older programming setback

by Mark Rowe

Reliance on outdated programming languages has hamstrung government security, according to the IT security company Veracode’s 2015 State of Software Security Report. That study is divided into seven vertical markets – government, financial services, retail and hospitality, technology, manufacturing, healthcare and other.

The government ranks last among vertical markets, with three out of four government applications failing the OWASP Top 10 when initially assessed for risk. Part of the reason for this is that many government agencies still use older programming languages such as ColdFusion which are known to produce more vulnerabilities. Government bodies only remediate 27 percent of application vulnerabilities once detected – last among the seven vertical markets analysed. Moreover, government applications have the highest prevalence of SQL Injection vulnerabilities – commonly used to steal sensitive data from databases – upon initial assessment. In contrast, financial services and manufacturing ranked best across most categories, with healthcare, retail and hospitality near the bottom, it is claimed. The report also found:

The financial services and manufacturing industries’ attention to software security pays off. In contrast to the government sector, organisations in financial services and manufacturing more proactively remediate the majority of their vulnerabilities (65 and 81 percent respectively). These results appear to indicate a higher institutional awareness of application security risk and a stronger emphasis on enforcing enterprise-wide policies, monitoring key performance indicators (KPIs) and instituting continuous improvement processes.

Healthcare organisations fare poorly. Given the large amount of sensitive data collected by healthcare organisations, it’s concerning that 80 percent of healthcare applications exhibit cryptographic issues such as weak algorithms upon initial assessment. In addition, healthcare fares near the bottom of the pack when it comes to remediation, with only 43 percent of known vulnerabilities being remediated.

Significant risk is introduced by the software supply chain. Nearly three out of four applications produced by third-party software vendors and SaaS suppliers fail the OWASP Top 10 when initially assessed.

The data also suggests that remediation coaching services have a big impact on reducing application-layer risk.

Chris Wysopal, Veracode CISO and CTO, said: “Every industry faces the challenge of securing web and mobile applications – which are continuously growing in both volume and complexity – across disparate and geographically-distributed development teams. In 2014, we helped our customers identify and remediate 4.7 million vulnerabilities, significantly reducing enterprise risk. This report clearly shows that industries that ‘get it’ have been able to achieve substantial success while others still struggle to manage the problem at scale.”


© 2024 Professional Security Magazine. All rights reserved.
