Public sector organizations are drowning in security debt
The public sector is drowning in security debt, according to new research, taking almost a year on average to fix software security flaws.
A new study from Veracode found that public sector bodies need an average of 315 days to fix half their software vulnerabilities — significantly higher than the overall average of 252 days.
Analysis of 1.3 million unique applications and 126.4 million raw findings showed that 78% of public sector organizations have left flaws unaddressed for more than a year. Meanwhile, 55% are living with ‘critical’ security debt, representing long-standing vulnerabilities with severe risk potential.
A third of security flaws in government applications also went unresolved, with 15% persisting for more than five years.
“Many government organizations are facing growing challenges in keeping up with vulnerability remediation, potentially leaving critical systems and data that run essential government services exposed,” said Chris Wysopal, chief security evangelist at Veracode.
“Our research highlights an urgent need for the public sector to modernize its security practices, especially when it comes to managing risk in open-source software.”
The worst area for public sector security debt is third-party and open-source code: while this accounts for less than 10% of overall security debt, it makes up 70% of critical security debt in government systems.
Veracode warned these flaws take around 50% longer to fix than those in software that’s been developed internally.
“This disproportionate risk highlights the importance of securing software supply chains and carefully vetting open-source dependencies,” said Wysopal.
“Without extending visibility and remediation efforts beyond internal code, public sector entities risk leaving the most dangerous flaws unaddressed. As the use of AI-generated code increases across organizations, comprehensive open source analysis is more essential than ever to prevent hidden flaws from slipping through.”
There’s huge variation between the best- and worst-performing public sector bodies, according to Veracode.
In the top 25%, just a third (33%) of apps have flaws, compared with 100% of the worst-performing 25%. There’s security debt in fewer than 26% of apps, compared with 85%; and leading organizations manage to fix 9% of flaws per month, compared with just 0.1% for those trailing behind.
Top performers resolve half of their flaws within 3.3 months, while the bottom quarter take more than 11 months for similar results.
“The disparity between top- and bottom-performing government organizations is striking and raises important questions about the factors that make a material difference to security posture,” said Wysopal.
“This data provides public sector security teams with a clear framework to assess their maturity, identify gaps, and improve their performance based on the practices of top-performing agencies.”
Researchers recommended that public sector organizations implement risk-based prioritization, deploying context-driven security posture management capabilities that pull together multiple security tools and data sources.
Meanwhile, they should establish continuous scanning and developer enablement across the complete software development lifecycle. The most cost-effective and impactful AppSec investment is proactive identification of flaws, the researchers said.
“In today’s threat landscape, security debt is no longer an acceptable risk,” said Wysopal.
“With the right focus, metrics, and automation, public sector agencies can take control of their software risk and build resilience into every release.”
MORE FROM ITPRO
Source link
