We recently launched the 12th annual edition of our State of Software Security (SOSS) report. To draw conclusions for the report, we examined the entire history of active applications. For the public sector data, we took the same approach. We examined the entire history of applications for government agencies and educational institutions.
We found that the public sector has the highest proportion of security flaws of any industry. On average, most industries have flaws in approximately 76 percent of their applications – but that number is 8 percent higher for the public sector at 82 percent.
As you’ll see in the figure above, the public sector also has a lower-than-average proportion of flaws actually fixed, and it takes significantly longer to remediate flaws.
Let’s dig a bit deeper into the remediation of open-source flaws. Remediating open-source flaws appears to take a while for every industry. In fact, for most industries, 30 percent of vulnerable libraries remain unresolved after two years. But for the public sector, that statistic doubles to almost 60 percent.
The high proportion of flaws and slow fix rate could be attributed to the public sector’s continued use of legacy software or a lack of proper funding for application security. But it can’t be ignored that the public sector is making an effort to prioritize high-severity flaws.
The number of high-severity flaws has decreased by 30 percent in the last year alone. Is this the result of the Executive Order outlining security requirements for vendors selling software to the U.S. government? Are increased threats from remote operations and COVID-19 causing the public sector to keep a closer eye on high-severity flaws? It’s hard to say. But we do know that prioritizing the fix of high-severity flaws is a step in the right direction for the public sector.
The public sector also has a lower-than-average share of flawed applications in two of its three most popular programming languages – Java and JavaScript. Most industries have flaws in approximately 44.3 percent of their Java applications, but the public sector only has flaws in one-third of its Java applications. For JavaScript, most industries have flaws in approximately 13.8 percent of their applications, but the public sector is slightly lower with 10.2 percent.
To learn more about our findings, please check out our video and infosheet, The State of Software Security Industry Snapshot.