Public sector apps face widespread security challenges, report reveals

The vast majority of applications developed by public sector organizations over the last year suffered from at least one security flaw, according to a new report that analyzed 750,000 applications developed by the public and private sectors. 

Software security firm Veracode published its annual report on the state of software security this week, which found that nearly 82% of all public sector applications featured a security flaw in their most recent scans, compared to 74% of private sector applications. 

Public sector applications outperformed private sector counterparts in some areas, including a lower percentage of "high severity" flaws. The rate of new flaws introduced in public sector agencies also appeared to decline over time, while they increased in private sector organizations, the report said. 

The differences may be attributed to significant pay disparities between the two sectors, the use of advanced engineering methods and developer churn across the private sector, according to Veracode Chief Research Officer Chris Eng. 

"The private sector certainly has more competitive pay than the public sector, perhaps allowing them to attract better or more experienced developer talent," Eng told Nextgov/FCW. "The private sector may also be more likely to use modern development practices."

However, Eng added that "it is not uncommon for top developers and architects to be pulled over to the next high-profile project" after launching an application in the private sector, while the findings may suggest that public sector organizations typically feature "a less fluid, more stable development team." 

The findings may also suggest that public sector organizations are providing more focused developer training and awareness around high-profile vulnerabilities that can lead to significant exploits, though they still remain more vulnerable to major software supply chain attacks — like the SolarWinds hack — than private sector entities. 

The public sector also suffered from longer turnaround times to fix known flaws than the private sector and demonstrated a lower vulnerability fix rate at just 22%. 

"Training developers to recognize and avoid these types of issues could account for the lower rate of introduction for high severity flaws, but possibly at the expense of other categories," Eng said. 

The report attributed the 30% decline in high-level flaws found in public sector applications over the last year to federal cybersecurity efforts. 

The Cybersecurity and Infrastructure Security Agency has kept a public, updated list of known exploited security flaws in recent years, and the White House has issued multiple executive orders and guidance pushing agencies towards implementing zero trust security frameworks and strategies. 

The report recommends that federal agencies further seek to close the gap in security flaws with automated, consistent scanning, fixing a backlog of known flaws and adding alternative flaw discovery methods like dynamic scanning to their processes in order to pick up on vulnerabilities that other scanning practices can miss.