Security debt in apps

by Mark Rowe

Applications developed by public sector organisations carry more ‘security debt’ than those created by the private sector. Security debt is defined here as flaws in applications that remain unfixed for longer than a year. According to a report by an application risk management product company, such debt exists in 59 per cent of public sector applications, compared with 42 per cent of applications overall. The research analysed the public sector in more than 25 countries.

Chris Eng, Chief Research Officer at Veracode, said: “Decades of accumulated security debt in unpatched software and poor security configurations are in the applications that serve our government. Without a systematic and continuous approach to finding and fixing security flaws, the public sector is left dangerously exposed to attacks from hackers.”

According to the report, UK government systems are increasingly under cyber attack, as criminals target the public sector with more damaging and disruptive techniques. In response, the UK Government has set up initiatives on cybersecurity, including efforts to reduce risk in the applications that serve the Government. For example, the Government’s National Cyber Strategy outlines measures on cybersecurity resilience, with objectives that emphasise the importance of secure software development. A Code of Practice for Software Developers is in development, which would require organisations selling software to UK Government agencies to prioritise security and resilience in their design.

Researchers found that while slightly fewer public sector organisations (68 per cent) have security debt than those in other industries (71 per cent), they tend to accumulate more of it. Only three per cent of public sector applications are flaw-free, compared with six per cent across other industries. Some 40 per cent of public sector bodies have what the researchers termed persistent, high-severity flaws that constitute ‘critical’ security debt, which would put the confidentiality, integrity and availability of those organisations at serious risk if exploited.

Eng added: “The good news is that most organisations have the capacity to remediate all critical debt, but risk prioritisation is key. Two-thirds of all flaws in public sector organisations are either less than one year old or are not critical in severity. In addition, less than one per cent of all flaws constitute critical security debt. By prioritising that security debt with focused effort, organisations can achieve maximum risk reduction and then move to address non-critical flaws based on their risk tolerance and capabilities.

“The current state of software security in the public sector reinforces the importance of making secure by design a standard approach for the whole network connected world. Our goal with this research is to further support government and industry partners in promoting widespread adoption of these principles.” 

For more on ‘security debt’ visit the Veracode blog.

About the report  

The Veracode State of Software Security 2024 report analysed data from large and small companies, commercial software suppliers, software outsourcers and open-source projects. The research draws on just over a million (1,007,133) applications across all scan types, 1,553,022 dynamic analysis scans and 11,429,365 static analysis scans. Those scans produced 96 million raw static findings, four million raw dynamic findings and 12.2 million raw software composition analysis findings. Visit www.veracode.com.