Government Sector Ranked Last in Remediating Web and Mobile Application Vulnerabilities

Veracode’s 2015 State of Software Security Report benchmarks risk profile for 34 industries across seven vertical markets

BURLINGTON, Mass. — June 23, 2015 Veracode, a leader in protecting enterprises from today’s pervasive web and mobile application threats, today released the 2015 State of Software Security report that reveals concerning benchmark analytics from its cloud-based platform. The reports shows that web and mobile applications  produced or used by government organizations are more likely than those in other industries to fail standard security policies like the OWASP Top 10 when initially assessed for risk.

Veracode’s analytics also show that government organizations only remediate 27 percent of application vulnerabilities once detected — last among the seven vertical markets analyzed. Moreover, government applications have the highest prevalence of SQL Injection vulnerabilities — commonly used to steal sensitive data from databases — upon initial assessment. In contrast, financial services and manufacturing ranked best across most categories, with healthcare, retail and hospitality near the bottom.

As organizations increasingly rely on software to drive their businesses, the threat surface available to cyberattackers has dramatically expanded. As a result, one of the leading causes of data breaches over the past two years has been vulnerable applications, according to Verizon’s 2015 Data Breach Investigations Report. Yet, analytics collected from more than 200,000 application risk assessments over the last 18 months found a wide disparity in how the problem is addressed across industries.

Organized into seven vertical markets for simplified benchmarking — government, financial services, retail and hospitality, technology, manufacturing, healthcare and other — Veracode’s 2015 State of Software Security Report reveals that:

  • Reliance on outdated programming languages has hamstrung government security. The government ranks last among vertical markets, with three out of four government applications failing the OWASP Top 10 when initially assessed for risk. Part of the reason for this is that many government agencies still use older programming languages such as ColdFusion which are known to produce more vulnerabilities.
  • The financial services and manufacturing industries’ attention to software security pays off.  In contrast to the government sector, organizations in financial services and manufacturing more proactively remediate the majority of their vulnerabilities (65 and 81 percent respectively). These results appear to indicate a higher institutional awareness of application security risk and a stronger emphasis on enforcing enterprise-wide policies, monitoring key performance indicators (KPIs) and instituting continuous improvement processes.
  • Healthcare organizations fare poorly. Given the large amount of sensitive data collected by healthcare organizations, it’s concerning that 80 percent of healthcare applications exhibit cryptographic issues such as weak algorithms upon initial assessment. In addition, healthcare fares near the bottom of the pack when it comes to addressing remediation, with only 43 percent of known vulnerabilities being remediated.
  • Significant risk is introduced by the software supply chain.  Nearly three out of four applications produced by third-party software vendors and SaaS suppliers fail the OWASP Top 10 when initially assessed.

Significant Impact of Remediation Coaching Services

The data also shows that remediation coaching services have a big impact on reducing application-layer risk. Development organizations that leverage Veracode’s remediation coaching services improve the security of their code by a factor of two and a half times compared to those that choose to do it on their own. Delivered by world-class security and development experts, these on-demand services help developers understand secure coding practices and remediate vulnerabilities more quickly and efficiently.  

“Every industry faces the challenge of securing web and mobile applications — which are continuously growing in both volume and complexity — across disparate and geographically-distributed development teams,” said Chris Wysopal, Veracode CISO and CTO.  “In 2014, we helped our customers identify and remediate 4.7 million vulnerabilities, significantly reducing enterprise risk. This report clearly shows that industries that ‘get it’ have been able to achieve substantial success while others still struggle to manage the problem at scale.”

Enhanced Analytics for Improved Risk Visibility

To help customers address the challenge of benchmarking disparate development teams and drive continuous improvement across both in-house and externally-sourced code, Veracode has recently enhanced its built-in security analytics capabilities with a new business intelligence (BI) engine. The new analytics engine — integrated with Veracode’s central cloud-based platform — gives customers an instant view of their risk posture and the current status of their global application security programs.

In particular, the self-service data mart can be queried to provide customizable views of key metrics such as scanning volume, compliance with corporate policies, and remediation status, simplifying the creation of management-level dashboards.  Built-in comparison charts allow benchmarking by business unit or development team; by severity of vulnerabilities and business criticality of applications; and by third-party software vendor.

The new analytics capability also makes it easier for multiple stakeholders across the organization — including management, security, development and internal audit professionals — to collaborate and share information using consistent policies and metrics, to drive towards better software security.

The full State of Software Security report can be found at: