The company saw a high level of legacy code use in the manufacturing sector as well, but by comparison, those companies patched 80 percent of their application flaws. That vulnerability remediation rate was even higher than that of financial services companies, which are a primary target for hackers and are typically more diligent.
Another important aspect that contributes to the problem is that the government's approach to security is very compliance oriented instead of being based on assessing risk.
Government organizations wait for orders from the Government Accountability Office or are implementing standards from the National Institute of Standards and Technology, and this means that their security is moving very slowly because those regulations take many years to change, Wysopal said.
Meanwhile, the field of application security has rapidly grown in prominence over the past five years with the rise of Web and mobile applications. These applications allow organizations to provide valuable new services, but at the same time add a lot of risks and need to be covered by their security programs, he said.
There's also a lack of sanctions for government organizations, according to Wysopal. By comparison, healthcare or financial organizations have to follow strict data protection rules and risk serious fines if their sensitive customer information is compromised.
"Who's getting fined for the recent breach at the Office of Personnel Management that exposed information on millions of current and former federal employees?" Wysopal said. "Nobody, because the government doesn't really hold itself accountable like it holds others."
Another aspect that plays into the poor state of application security inside government organizations is that most of the applications they use are either purchased from third-parties or are developed by outsourcing firms. Veracode's data shows that less than one in three commercial applications that were purchased by organizations from third-party software suppliers were compliant with the OWASP Top 10 when first tested.
Outsourcing software development is not a problem per se, as financial services or manufacturing companies rely heavily on this practice too, Wysopal said. However, those companies have better application security because they have requirements in place for their software suppliers, such as mandatory third-party security testing or compliance with certain security standards. "We don't see that inside the government," he said.
This should serve as a wake-up call to everybody, Wysopal said. Organizations should look at their software supply chains, put security requirements in their contracts and test the applications they're getting so they can hold vendors accountable, he said.
When it comes to vulnerability remediation Veracode found that many companies don't fix some of the flaws found in their applications because they lack people with application security expertise. Because of that, the vulnerability reports keep piling up and never get fixed.
Sign up for MIS Asia eNewsletters.