Veracode Sleuths Tips for Better AppSec
December 16, 2020
New research demonstrates that government and education entities often deploy
applications with high flaw density. The research found that the majority of
organizations in those sectors work with larger applications that contain
older codebases than other sectors do. However, there are signs that
developers in these sectors are modernizing their approach so that they find
and fix flaws faster and improve software security.
Veracode’s research, which analyzed thousands of applications in government and
education organizations to determine DevSecOps trends, found that 80% of
applications in the sector have at least one flaw, which is the highest compared
to several other sectors such as financial services, retail, and technology,
among others. However, only 23% of these are high severity flaws, on par with
the financial services and healthcare sectors for the lowest among all
industries.
While the majority of the sector's flaws are not severe, the accumulation of
unresolved flaws increases the risk of an application being exploited:
government and education organizations need more than seven months to fix
half the flaws they find.
Three tips for better AppSec in the government and education sector:
Automate scanning with APIs: with a shift toward DevOps and more rapid
releases, automated scanning lets developers kick off testing from the tools
they already use. Two actions that directly affect how quickly flaws get fixed,
scanning applications frequently and triggering scans automatically through
APIs, are prominently implemented in government and education. The sector
leads all industries in how frequently it scans for flaws and in using APIs to
integrate scanning throughout the development process.
Scan throughout the development process: in government and education
organizations, security testing is still often saved for just before a major
release or run on an ad hoc basis. Instead, ensure there is consistent
scanning at every stage of development. Scan cadence is within a developer's
control and can have an enormous impact on application security.
Prioritize flaw fixing: immediate flaw remediation is possible with frequent and
regular scanning. Older flaws tend to linger, and teams may not allocate
capacity to fix them. Flaw severity and the business impact of the application
are factors in how teams decide which flaws to fix first. In terms of prevalence
of flaws, SQL injection is 33% more prevalent in government and education
compared to all sectors, and cross-site scripting and insufficient input
validation are also more prevalent in this sector compared to others. However,
five of the top 10 flaw types overall actually show a lower prevalence in
government and education applications.
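The three tips above reduce to policy that can be automated: order open findings by severity weighted by the business impact of the application, fail a pipeline while high-severity findings remain open, and measure the time needed to fix half of what was found (the metric the seven-month figure above refers to). The following is an added example of such logic in Python; it is not Veracode's code or API, and the finding records, application names and business impact weights are constructed for illustration.

```python
"""Triage and CI-gate logic over application scan findings.

Added example, not Veracode's code or API. The findings below are
constructed sample data in a generic shape; the application names and
the business impact weights are assumptions for illustration.
"""
import statistics
from datetime import date

# Report date for the sample data (assumed).
TODAY = date(2020, 12, 16)

# Ordinal ranking of scanner severities.
SEVERITY_RANK = {"high": 3, "medium": 2, "low": 1}

# Business impact of each application, 1 (low) to 3 (critical); assumed values.
APP_IMPACT = {"tax-portal": 3, "intranet-wiki": 1}

# Constructed findings. "fixed" is None while the flaw is still open.
FINDINGS = [
    {"id": "F1", "app": "tax-portal", "cwe": "CWE-89", "severity": "high",
     "first_seen": date(2020, 3, 2), "fixed": None},
    {"id": "F2", "app": "tax-portal", "cwe": "CWE-79", "severity": "medium",
     "first_seen": date(2020, 11, 20), "fixed": None},
    {"id": "F3", "app": "intranet-wiki", "cwe": "CWE-89", "severity": "high",
     "first_seen": date(2020, 10, 1), "fixed": None},
    {"id": "F4", "app": "intranet-wiki", "cwe": "CWE-20", "severity": "low",
     "first_seen": date(2019, 12, 1), "fixed": date(2020, 7, 1)},
    {"id": "F5", "app": "tax-portal", "cwe": "CWE-79", "severity": "medium",
     "first_seen": date(2020, 1, 10), "fixed": date(2020, 2, 9)},
    {"id": "F6", "app": "intranet-wiki", "cwe": "CWE-20", "severity": "low",
     "first_seen": date(2020, 6, 1), "fixed": None},
    {"id": "F7", "app": "tax-portal", "cwe": "CWE-89", "severity": "high",
     "first_seen": date(2020, 4, 1), "fixed": date(2020, 4, 15)},
]


def days_open(finding, today=TODAY):
    """Days the finding has been open (or was open, if already fixed)."""
    end = finding["fixed"] or today
    return (end - finding["first_seen"]).days


def prioritize(findings, app_impact=APP_IMPACT, today=TODAY):
    """Order open findings for remediation: severity weighted by the
    business impact of the application, oldest first among equals."""
    open_findings = [f for f in findings if f["fixed"] is None]
    return sorted(
        open_findings,
        key=lambda f: (SEVERITY_RANK[f["severity"]] * app_impact.get(f["app"], 1),
                       days_open(f, today)),
        reverse=True,
    )


def gate(findings, max_open_high=0):
    """CI policy check: fail the build while more than max_open_high
    high-severity findings are open. Returns (passed, blocking ids)."""
    blocking = [f["id"] for f in findings
                if f["fixed"] is None and f["severity"] == "high"]
    return len(blocking) <= max_open_high, blocking


def median_days_to_fix(findings):
    """Median time from first detection to fix over closed findings, i.e.
    the time it took to fix half of what was found. None if nothing is closed."""
    durations = [(f["fixed"] - f["first_seen"]).days for f in findings if f["fixed"]]
    return statistics.median(durations) if durations else None


if __name__ == "__main__":
    for f in prioritize(FINDINGS):
        print(f"{f['id']:3} {f['app']:13} {f['cwe']:7} {f['severity']:6} "
              f"open {days_open(f)} days")
    passed, blocking = gate(FINDINGS)
    print("gate:", "pass" if passed else f"FAIL, open high-severity: {blocking}")
    print("median days to fix:", median_days_to_fix(FINDINGS))
```

With this data the oldest high-severity flaw on the critical application (F1) tops the queue ahead of a newer medium one on the same application, which in turn outranks a high-severity flaw on the low-impact wiki; the gate fails because two high-severity findings are still open; and the median time to fix is 30 days, the figure a team would track against the sector's seven-month baseline.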
The sector continues to grapple with data breaches as well – in 2020 alone,
breaches have occurred within the U.S. Small Business Administration, the UK
Home Office, the University of York, and Denmark’s government tax portal, among
others.
“Most application issues in the government and education sector are not
catastrophic. By continuing to adopt DevSecOps practices like scanning
applications for defects consistently and using multiple testing types,
developers in these organizations can begin making leaps toward more secure
code,” said Chris Eng, Chief Research Officer at Veracode.