Crypto issues most prevalent in healthcare industry

Jun 23, 2015 14:30 GMT  ·  By

A report from an application security company assessing application-layer vulnerabilities in software used by organizations across industries shows that government and healthcare entities rank last at remediating the issues found.

The study was carried out by Veracode using its cloud-based analysis platform and covered industry verticals including manufacturing, financial services, retail and hospitality, and technology.

Old programming languages carry part of the blame

According to the State of Software Security report published on Tuesday, government organizations fixed only 27% of the vulnerabilities identified by Veracode’s cloud-based application assessment service, placing this sector at the bottom of the list.

Researchers say that government applications are highly susceptible to SQL injection attacks, and “3 out of 4 public sector applications fail the OWASP Top 10 when first assessed for risk.” The report attributes this to many government agencies still relying on older languages and platforms (e.g. ColdFusion), whose applications tend to carry more vulnerabilities.

Healthcare fares somewhat better, fixing 43% of the discovered security issues, but that figure still places it second to last, just behind the technology industry.

More worrying is that, at initial assessment, 80% of healthcare applications are found to use weak encryption algorithms, a serious risk to the sensitive patient data these systems are entrusted with.
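The article does not say which algorithms Veracode flagged, so the following is an added illustration, not code from the report or from any assessed application. It assumes one of the most common forms a "weak cryptography" finding takes in an application: an unsalted, fast digest (MD5) stored as a password hash, shown beside a hardened replacement using PBKDF2-HMAC-SHA256 from the Python standard library. The iteration count, the storage format and the function names are choices made for this example.

```python
import hashlib
import hmac
import os
from typing import Optional

# Assumption of this example: PBKDF2-HMAC-SHA256 with a 16-byte random salt per
# user and a high iteration count. The count is a tunable, not a figure from the report.
DEFAULT_ITERATIONS = 200_000


def weak_hash_password(password: str) -> str:
    """The weak pattern: a fast, unsalted digest stored as the 'password hash'.

    Two users with the same password get the same digest, and MD5 is cheap
    enough that precomputed tables or GPU brute force recover common
    passwords almost instantly. This is the kind of defect that lands in a
    'cryptographic issues' finding."""
    return hashlib.md5(password.encode("utf-8")).hexdigest()


def hash_password(password: str, salt: Optional[bytes] = None,
                  iterations: int = DEFAULT_ITERATIONS) -> str:
    """Hardened replacement: salted, iterated PBKDF2-HMAC-SHA256.

    Storage format (an assumption of this example): alg$iterations$salt$digest,
    salt and digest as hex, so the parameters travel with the stored value and
    the iteration count can be raised later without breaking old records."""
    if salt is None:
        salt = os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return "pbkdf2_sha256${}${}${}".format(iterations, salt.hex(), dk.hex())


def verify_password(password: str, stored: str) -> bool:
    """Recompute with the stored salt and iteration count, compare in constant time.

    Anything not in the hardened format (for example a legacy MD5 digest) is
    rejected rather than silently accepted, which forces an explicit migration."""
    parts = stored.split("$")
    if len(parts) != 4 or parts[0] != "pbkdf2_sha256":
        return False
    try:
        iterations = int(parts[1])
        salt = bytes.fromhex(parts[2])
        expected = bytes.fromhex(parts[3])
    except ValueError:
        return False
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return hmac.compare_digest(dk, expected)


if __name__ == "__main__":
    # Constructed sample input: two users who chose the same password.
    print(weak_hash_password("password") == weak_hash_password("password"))  # True: identical digests
    a, b = hash_password("password"), hash_password("password")
    print(a != b, verify_password("password", a), verify_password("wrong", a))  # True True False
```

The point of the contrast is that the hardened version makes two identical passwords unlinkable (per-user salt) and makes each guess cost hundreds of thousands of HMAC evaluations, while the weak version does neither; a scanner that flags `md5`/`sha1` used for credential storage is catching exactly this pattern.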

The most prevalent high-profile vulnerability category is cryptographic issues for healthcare and cross-site scripting (XSS) for government; government applications also show the highest SQL injection prevalence of all the analyzed industry verticals.
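To make the SQL injection finding that recurs in the government figures above concrete, here is an added example that is not taken from the report or from any assessed application. It assumes a small in-memory SQLite table with constructed data and shows the injectable lookup (input spliced into the SQL text) beside the parameterised one, with a constructed attacker payload run against both.

```python
import sqlite3


def make_sample_db() -> sqlite3.Connection:
    """Constructed sample data for this example: an in-memory users table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT NOT NULL)")
    conn.executemany("INSERT INTO users (username) VALUES (?)",
                     [("alice",), ("bob",), ("carol",)])
    conn.commit()
    return conn


def lookup_user_vulnerable(conn: sqlite3.Connection, username: str) -> list:
    """The injectable pattern: user input concatenated into the SQL text.

    A username of  x' OR '1'='1  closes the quoted literal and appends a
    tautology, so the WHERE clause matches every row in the table."""
    sql = "SELECT username FROM users WHERE username = '" + username + "'"
    return [row[0] for row in conn.execute(sql)]


def lookup_user_safe(conn: sqlite3.Connection, username: str) -> list:
    """Parameterised query: the driver sends the value separately from the
    SQL text, so quotes inside it are data, never syntax."""
    sql = "SELECT username FROM users WHERE username = ?"
    return [row[0] for row in conn.execute(sql, (username,))]


INJECTION_PAYLOAD = "x' OR '1'='1"   # constructed attacker input

if __name__ == "__main__":
    db = make_sample_db()
    print(lookup_user_vulnerable(db, "alice"))             # ['alice']
    print(lookup_user_vulnerable(db, INJECTION_PAYLOAD))   # ['alice', 'bob', 'carol']
    print(lookup_user_safe(db, INJECTION_PAYLOAD))         # []
```

The safe version returns nothing for the payload because it looks for a user literally named `x' OR '1'='1`; the vulnerable version returns the whole table. The same distinction applies to any driver and any database, not only SQLite.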

Manufacturing industry leads in vulnerability remediation

At the opposite end of the remediation ranking are the manufacturing and financial services industries, which fixed 81% and 65%, respectively, of the flaws Veracode uncovered.

The report attributes manufacturing's top performance to the sector's process improvement methodologies and supply chain controls for critical suppliers. “As the role of supply chain becomes increasingly digital, we look forward to diving deeper to see which practices manufacturing customers find effective at addressing vulnerabilities in their software supply chains,” the researchers say.

Code quality takes the first spot among the top 10 vulnerability categories, present in 80% of healthcare applications, 70% of government applications, and 56% of applications used in the manufacturing industry.

Majority of apps checked more than once in 18 months

Veracode says that during the study period 28% of the applications were assessed on its platform only once, while the remaining 72% were scanned at least twice, most likely to verify that security vulnerabilities had been fixed.

The information in the report is based on 208,670 application assessments carried out between October 1, 2013, and March 31, 2015. Submissions came from large and small companies, commercial software suppliers and open source projects.

Figures: Vulnerabilities repaired by each sector during study period; Vulnerability categories by industry vertical