News Stay informed about the latest enterprise technology news and product updates.

Study: government compliance-based vulnerability remediation is failing

In its State of Software Security Report, Veracode has found the government has the most vulnerabilities and the lowest rate of remediation in developing Web and mobile apps.

A new study of how well various industries build and maintain secure Web and mobile apps has found the U.S. government has the most flaws and the lowest rate of vulnerability remediation.

For volume 6 of its State of Software Security Report, security testing vendor Veracode Inc. looked at data collected over the past 18 months from 208,670 application scans performed by its cloud-based platform. Veracode found its customers had a total of 6.9 million vulnerabilities in its code and fixed 4.7 million. This remediation rate of 70% appears to be an increase from rates found going back to 2006.

"We look at this as heartening data," said Veracode co-founder and CTO Chris Wysopal. "We're showing the trend that people actually can build secure software."

Veracode rated seven industry verticals against the Open Web Application Security Project (OWASP) Top 10 list of most dangerous Web application security flaws. The financial services industry was found to be most compliant to the OWASP Top 10 with a rate of 42%, which Veracode attributed to higher usage of .NET and Java programming languages.

The manufacturing sector came second in OWASP Top 10 compliance (35%), but was by far the best industry in terms of remediating software vulnerabilities, fixing 81% of flaws found. Financial services remediated 65% of vulnerabilities.

"Manufacturing, earlier than almost any other industry, has adopted process improvement methodologies as part of the culture of the business, and has also been a leader in implementing supply chain controls for its critical suppliers," Veracode said in the report. "As the role of supply chain becomes increasingly digital, we look forward to diving deeper to see which practices manufacturing customers find effective at addressing vulnerabilities in their software supply chains."

The U.S. government did not fare so well. Based on the OWASP Top 10, Veracode found the government was 24% compliant and only remediated 27% of flaws that were found.

Wysopal said this was partially related to the use of older coding languages like ColdFusion which are more prone to flaws. The manufacturing industry was found to use ColdFusion at three times the rate of the government, leading to a much higher density of flaws in its code, but that was more than made up for by aggressive fixing of vulnerabilities.

When rating code against the OWASP Top 10, Veracode found the health care industry had much higher rates of cryptographic flaws with 80% of applications having cryptographic issues, including weak encryption algorithms.

The rate of cryptographic flaws in health care may be due to the rush to electronic records and securely encrypting them, according to Wysopal. This could be smoothed out over time because the issues are a matter of improperly implementing the right features.

Veracode found the government had much higher rates of SQL injection and cross-site scripting flaws, but Wysopal said the overall software vulnerability issues for government may not have easy fixes.

"Government is taking a compliance-based approach, not a risk-based approach, and this is a much less secure strategy," Wysopal said. "One of the problems for government is that traditionally it's okay to move slowly, but that doesn't work in the fast-moving Internet era. Moving slowly in security is bad security and means you cannot address current threats."

Dig Deeper on Secure software development