Healthcare organizations and government agencies continue to struggle with application security, leaving as much as 73 percent of their identified vulnerabilities unremediated in some cases, according to a new study.
The silver lining is that across industries, the work of reducing risk in software is accelerating and many organizations are making headway in fixing their software flaws, according to the new State of Software Security Report released by Veracode today.
"It may be tempting in the face of repeated breaches--OPM, Target and Sony--to throw up one’s hands, not to bother building secure applications, and to give up on fixing vulnerabilities in the applications you’ve already deployed," says Chris Wysopal, CTO and CISO of Veracode, in the report. "The data in this report clearly shows that, by addressing the problem systematically and at scale, enterprises can significantly reduce application risk."
In the wake of the OPM breach, it probably won't come as a surprise to many that government organizations fare the worst in many key metrics of application security. For example, only 24 percent of government applications pass OWASP Top 10 compliance upon their first assessment, half the pass rate of the financial services industry. And only 27 percent of government flaws identified in an initial assessment are fixed in subsequent assessments, compared to 81 percent for manufacturing and 65 percent for financial services.
Healthcare also fared poorly in several key areas. For example, only 43 percent of known vulnerabilities are remediated by healthcare organizations. Most troubling, 80 percent of healthcare applications exhibit cryptographic issues such as weak algorithms. This is concerning given the sensitivity of health data and the push toward electronic health records.
Meanwhile, across all industries, Veracode found applications suffering from software supply chain issues. It found that three-quarters of applications produced by third-party software vendors fail the OWASP Top 10 at initial assessment. That jibes with a study released last week by Sonatype, conducted among 106,000 organizations, which found that many of the third-party and open source components organizations lean on during development are not tracked and are embedded into enterprise software with known vulnerabilities. Approximately 59 percent of known vulnerabilities in these dependencies remain unfixed, according to Sonatype.
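The Sonatype finding above comes down to two gaps: components whose versions nobody records, and components pinned to versions with known flaws. The script below is an added example (not code from Veracode, Sonatype, or this article) of the minimal inventory check a team can run against a manifest to surface both. The manifest lines and the advisory list are constructed for illustration; the affected-version ranges are placeholders, not real advisories.

```python
"""Minimal dependency-inventory check: flag third-party components that are
unpinned (untracked) or pinned to a version inside a known-vulnerable range.
Added example; the manifest and advisory data below are constructed, not
taken from the Veracode or Sonatype reports."""
import re
from typing import Dict, List, Optional, Sequence, Tuple

# Constructed requirements-style manifest (pip "name==version" lines; a bare
# name or a loose range means the exact version is not tracked).
MANIFEST = """\
requests==2.5.0
urllib3>=1.0
pyyaml==3.12
flask==1.1.2
"""

# Constructed advisory list: (component, first affected, first fixed).
# A component is affected if first_affected <= version < first_fixed.
ADVISORIES: Sequence[Tuple[str, str, str]] = [
    ("requests", "2.3.0", "2.6.0"),  # placeholder advisory, not a real CVE
    ("pyyaml", "0.0.0", "5.1"),      # placeholder advisory, not a real CVE
]


def parse_version(text: str) -> Tuple[int, ...]:
    """Turn '2.5.0' into (2, 5, 0) so versions compare numerically, not lexically."""
    return tuple(int(part) for part in text.split("."))


def parse_manifest(manifest: str) -> Dict[str, Optional[str]]:
    """Map component name -> pinned version, or None when the line is not an exact pin."""
    deps: Dict[str, Optional[str]] = {}
    for line in manifest.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        pin = re.match(r"^([A-Za-z0-9_.-]+)==([0-9][0-9.]*)$", line)
        if pin:
            deps[pin.group(1).lower()] = pin.group(2)
        else:
            # Anything other than an exact pin (bare name, >=, ~=) counts as
            # untracked: the build can pull a different version each time.
            name = re.split(r"[<>=~!\s]", line, maxsplit=1)[0]
            deps[name.lower()] = None
    return deps


def check_dependencies(manifest: str,
                       advisories: Sequence[Tuple[str, str, str]]) -> Dict[str, List[str]]:
    """Return {'untracked': [...], 'vulnerable': [...], 'clean': [...]}."""
    result: Dict[str, List[str]] = {"untracked": [], "vulnerable": [], "clean": []}
    for name, version in sorted(parse_manifest(manifest).items()):
        if version is None:
            result["untracked"].append(name)
            continue
        current = parse_version(version)
        affected = any(
            comp == name and parse_version(lo) <= current < parse_version(hi)
            for comp, lo, hi in advisories
        )
        result["vulnerable" if affected else "clean"].append(f"{name}=={version}")
    return result


if __name__ == "__main__":
    for bucket, items in check_dependencies(MANIFEST, ADVISORIES).items():
        print(f"{bucket}: {', '.join(items) or '-'}")
```

The untracked bucket is the one the Sonatype figure is really about: a component with no exact pin cannot be matched against any advisory, so it stays invisible to remediation tracking until the pin is added.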
The positive news is that according to Veracode, headway is being made on application security issues, albeit gradually. The rate at which found vulnerabilities are fixed has increased by 10 percentage points across all industries since 2006, from 60 percent at that time to 70 percent now.