Government organizations are struggling when it comes to securing the computer software they use, which could partially explain the large data breaches reported in that sector over the past several years.
Three out of four applications used by government organizations are not compliant with one of the primary software security policies and most of the flaws found in them never get fixed, according to a report released Tuesday by U.S.-based application security firm Veracode.
The report is based on an analysis of more than 200,000 applications over the past 18 months that are used by organizations in various industries. The tests were performed using Veracode's cloud-based application security testing platform that uses static analysis, dynamic analysis and manual penetration testing techniques.
The company found that only 24 percent of applications submitted for review by government customers were compliant with the OWASP Top 10, a list of the top 10 most common types of vulnerabilities for Web applications, complete with explanations of the risks they pose, code examples and guidance on how to avoid them. The OWASP Top 10 is referenced by many other standards, including the Payment Card Industry Data Security Standard (PCI DSS).
By contrast, applications from the financial services sector had an OWASP Top 10 compliance rate of 42 percent, those from the manufacturing sector 35 percent, and those used by technology companies 32 percent. Applications used in the health care and the retail and hospitality sectors had compliance rates of 31 and 30 percent, respectively; both of these sectors have been plagued by large data breaches in recent years.
There are multiple reasons why the government is scoring badly on application security, according to Chris Wysopal, the chief technology officer of Veracode. These include the government's use of old scripting and programming languages, its failure to self-regulate and its failure to impose security requirements on its software suppliers.
The government sector still uses a lot of legacy code written in languages like ColdFusion or Classic ASP that were popular in the 1990s, Wysopal said. Other industries have moved away from those and are now largely focusing on languages like .NET or Java that are faster, and where it's harder to make certain errors, he said.
In other industry sectors like financial services there's strong competition between companies, which drives them to modernize their systems and applications, but that competitive pressure doesn't exist inside the government, Wysopal said.
Using older programming languages wouldn't be such a big problem if the government routinely fixed the identified flaws. Sadly, Veracode's data shows that the government's remediation rate for flaws found in its applications is only 27 percent.