Government and Education Have the Highest Percentage of Apps With Security Flaws

It’s been a stressful year, to say the least, for the government and education sector. Government organizations were challenged with pivoting their operations to a digital model while schools were forced to decide between hybrid or remote learning programs for their students.

The rise of digital operations has made application security (AppSec) more important than ever. But, in our recent State of Software Security v11 (SOSS) report, we found that compared to other industries, the government and education sector has the highest percentage of applications with security flaws, the second-slowest fix rate, and the second-longest median time to fix flaws.

How can the government and education sector improve its fix rate and half-life?

For this year’s SOSS report, we looked at how “nature” and “nurture” contribute to the time it takes to close out a security flaw. We found that the “nature” of applications – size, age, and flaw density – can have a negative effect on how long it takes to remediate a security flaw. But we also found that “nurturing” the security of applications – using DAST with SAST, frequent scanning, using SAST through API’s, steady scan cadence, and using SCA with SAST – can have a positive effect on how long it takes to remediate security flaws.

When looking at the “nature” of government and education applications, it’s a bit of a mixed bag. Compared to other industries, government and education have the youngest applications and the smallest organizations – both of which are positive attributes. But, on the other hand, government and education applications are fairly large and have the highest flaw density.

In terms of “nurturing,” the government and education sector scan more frequently and use APIs more often than other industries. But the sector has the lowest ranking for use of DAST and scan cadence and a middle-of-the-road ranking for SCA.

In order to improve its median time to flaw remediation and increase its fix rate, the government and education sector needs to start using DAST and SCA more frequently and improve its scan cadence (which should help eliminate security debt). Just using some DevSecOps best practices will not move the needle.

Which flaws should the government and education sector keep an eye on?

In the government and education sector, 80 percent of applications have security flaws. Of those flaws, we found that Cross-Site Scripting (XSS) and input validation are especially high in the government and education sector when compared to other industries. On a positive note, we found the sector to have a lower-than-average prevalence of CRLF injection flaws. It’s important to understand the flaw types affecting your organization and to set rules regarding which flaws should be remediated first.

To learn more about the security trends in the government and education sector, download The State of Software Security  Industry Snapshot: Government and Education.