
59% of public sector applications have long-term security vulnerabilities

According to Veracode, applications developed by public sector organizations have a greater security debt than those developed by the private sector.


Security debt, defined in this report as flaws that remain unremediated for more than a year, is present in 59% of public sector applications, compared to an overall rate of 42%. The study analyzed public sector organizations in over 25 countries around the world.

“Decades of accumulated security debt in unpatched software and poor security configurations are reflected in the applications that serve our government,” said Chris Eng, research director at Veracode. “Without a systematic and continuous approach to finding and remediating security vulnerabilities, the public sector is dangerously vulnerable to hacker attacks.”

Federal government systems face increasing threats from cyberattacks

Federal government systems are increasingly subject to cyberattacks as malicious criminals target public sector organizations using more harmful and destructive techniques. In response, the federal government is pushing a number of initiatives to strengthen cybersecurity, including efforts to reduce risk in government-serving applications.

In March 2024, the Cybersecurity and Infrastructure Security Agency (CISA) and the Office of Management and Budget (OMB) released the Secure Software Development Attestation Form to hold vendors accountable to the federal government for insecure software.

Veracode researchers found that while slightly fewer public sector organizations (68%) carry security debt than other industries, those that do tend to accumulate more of it. Only 3% of applications are flaw-free, compared to 6% in other industries.

Even more worryingly, 40% of public sector entities have persistent high-severity flaws that constitute "critical" security debt: flaws that, if exploited, would seriously compromise enterprise confidentiality, integrity and availability.

“The good news is that most organizations can pay off all critical debts, but prioritizing risk is key,” said Eng. “Two-thirds of all defects in public sector organizations are less than a year old or non-critical. Additionally, less than 1% of all defects constitute critical security debt. By prioritizing this security debt with a focused effort, organizations can achieve maximum risk reduction and then address non-critical flaws based on their risk tolerance and capabilities.”

Public sector security debt is mainly focused on legacy applications

According to the report, security debt in the public sector primarily impacts first-party code (93%), but most critical security debt comes from third-party dependencies (55.5%).
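As an added illustration of how the report's definition of security debt (an open flaw older than a year), its "critical" subset (the high-severity part of that debt), and the first-party versus third-party split can be applied to an organization's own scan output, here is a small Python script. It is an example written for this article, not Veracode's tooling or methodology; the findings, application names, and field names are constructed for the demonstration.

```python
from dataclasses import dataclass
from datetime import date, timedelta

# Threshold used by the report: a flaw left unfixed for more than a year is security debt.
DEBT_AGE_DAYS = 365

# Severities that make a debt item "critical" debt. Assumption: high and critical
# map to the report's "high-severity" bucket.
CRITICAL_SEVERITIES = ("critical", "high")
SEVERITY_RANK = {"critical": 0, "high": 1, "medium": 2, "low": 3}


@dataclass(frozen=True)
class Finding:
    app: str
    finding_id: str
    severity: str      # "critical", "high", "medium" or "low"
    origin: str        # "first-party" (own code) or "third-party" (dependency)
    first_seen: date   # date the scanner first reported the flaw
    fixed: bool = False


def age_days(f: Finding, as_of: date) -> int:
    return (as_of - f.first_seen).days


def is_security_debt(f: Finding, as_of: date) -> bool:
    """Open for strictly more than DEBT_AGE_DAYS days."""
    return not f.fixed and age_days(f, as_of) > DEBT_AGE_DAYS


def is_critical_debt(f: Finding, as_of: date) -> bool:
    return is_security_debt(f, as_of) and f.severity in CRITICAL_SEVERITIES


def _pct(num: int, den: int) -> float:
    return round(100.0 * num / den, 1) if den else 0.0


def summarize(findings: list, as_of: date) -> dict:
    """Compute the same kind of metrics the report quotes, over a list of findings."""
    open_findings = [f for f in findings if not f.fixed]
    debt = [f for f in open_findings if is_security_debt(f, as_of)]
    critical = [f for f in debt if is_critical_debt(f, as_of)]
    apps = {f.app for f in findings}
    apps_with_debt = {f.app for f in debt}
    critical_third_party = [f for f in critical if f.origin == "third-party"]
    return {
        "open_findings": len(open_findings),
        "debt_findings": len(debt),
        "critical_debt_findings": len(critical),
        "critical_debt_pct_of_open": _pct(len(critical), len(open_findings)),
        "apps_with_debt_pct": _pct(len(apps_with_debt), len(apps)),
        "critical_debt_third_party_pct": _pct(len(critical_third_party), len(critical)),
    }


def prioritize(findings: list, as_of: date) -> list:
    """Order open findings the way Eng describes: critical debt first, then the rest
    of the debt, then younger flaws; within a tier, by severity and then by age."""
    open_findings = [f for f in findings if not f.fixed]

    def key(f: Finding):
        tier = 0 if is_critical_debt(f, as_of) else 1 if is_security_debt(f, as_of) else 2
        return (tier, SEVERITY_RANK[f.severity], -age_days(f, as_of))

    return [f.finding_id for f in sorted(open_findings, key=key)]


# Constructed sample scan output (not real data) as of a fixed reporting date.
AS_OF = date(2024, 6, 1)
SAMPLE_FINDINGS = [
    Finding("tax-portal", "A1", "critical", "third-party", date(2022, 1, 10)),
    Finding("tax-portal", "A2", "low", "first-party", date(2021, 5, 1)),
    Finding("permits", "B1", "high", "first-party", date(2024, 3, 15)),
    Finding("permits", "B2", "medium", "first-party", date(2023, 1, 1), fixed=True),
    Finding("benefits", "C1", "high", "first-party", date(2022, 11, 20)),
    Finding("benefits", "C2", "medium", "third-party", date(2023, 2, 1)),
    Finding("grants", "D1", "low", "first-party", date(2024, 5, 1)),
]

if __name__ == "__main__":
    for k, v in summarize(SAMPLE_FINDINGS, AS_OF).items():
        print(f"{k}: {v}")
    print("remediation order:", prioritize(SAMPLE_FINDINGS, AS_OF))
```

The boundary matters: a flaw that has been open for exactly 365 days is not yet debt under this definition, and a fixed flaw never counts regardless of age. The third-party share of critical debt is the number to watch if, as the report found, most critical debt comes from dependencies rather than first-party code.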

This reinforces the importance of the Open Source Software Security Initiative (OS3I), an interagency working group focused on ensuring that open source software is “as secure and sustainable as it is open.” It also highlights the need for organizations to focus on both first-party and third-party code to effectively reduce security debt.

The analysis further shows that public sector security debt is primarily concentrated in older, larger applications (22%). This is especially true for critical security debt (30%), which confirms the correlation between application age and the accumulation of security debt.

Researchers also compared the security debt profile for different programming languages and found that Java and .NET applications stand out as significant sources of debt in the public sector.

“The current state of software security in the public sector reinforces the importance of ensuring security from the very beginning as a standard approach for the entire networked world,” concluded Eng. “We applaud CISA’s recent announcement of the Secure by Design declaration and are proud to be one of the first signatories. Our goal with this research is to continue to support our government and industry partners in promoting widespread adoption of these principles.”