A new report released this week by application security firm Veracode revealed that practically every industry failed to meet sector-specific security testing standards for the web and mobile applications used in its business processes. Government agencies did the worst on the tests by far, with less than one-quarter of applications passing. The next worst performing industry was retail and hospitality, with 30 percent of applications in compliance with regulatory standards.
What many security experts found to be more concerning than the lack of secure applications being used by government organizations was how unlikely they were to be patched. According to the report, government agencies fixed less than one-third of all detected problems in their applications. By contrast, businesses in the financial services industry resolved 65 percent of their issues and manufacturing companies fixed 81 percent of their problems.
More than 200,000 tests run for Veracode customers, including both state and federal government agencies, were analyzed for the study. Simulated attacks were launched against customer networks to find flaws or vulnerabilities in active applications.
Lack of money, foresight creating cybersecurity risks
According to Veracode co-founder and CTO Chris Wysopal, one of the biggest reasons government agencies are so far behind their peers in improving cybersecurity is that they simply lack the budget needed to adequately protect IT assets. Inadequate contracts are also part of the problem, as agencies are not required to fix issues immediately after they are discovered. Wysopal suggested that the wording of these contracts be amended to bring about a change in attitude toward government cybersecurity strategies.
“Part of [the solution] is going to be a willingness to adopt a risk-based approach as opposed to compliance,” said Wysopal. “To look at different vulnerabilities and fix them, base them on thinking, ‘What risk does this pose to our organization and the data that we have?’”
The report was released just a week after the major breach at the federal Office of Personnel Management, in which millions of government employees’ personal records were compromised by foreign hackers. Many cybersecurity experts have called on Congress to treat the data breach as a wake-up call and to put more resources and attention toward agency cybersecurity. In a similar move, President Obama recently proposed a $13 billion increase to the nation’s 2016 cybersecurity budget. The new budget has yet to be approved, but it would be a large step in the right direction for securing the nation’s IT infrastructure and critical technological assets.