Veracode Sleuths Tips for Better AppSec
December 16, 2020
Research demonstrates that government and education entities often deploy
applications with high flaw density. The research found that most
organizations in these sectors work with larger applications and older
codebases than organizations in other sectors do. However, there are signs that
developers in these sectors are modernizing their approach so they can find and
fix flaws faster and improve software security.
Scan throughout the development process: in government and education organizations, security testing is still often saved for just before a major release or performed on an ad-hoc basis. Instead, ensure there is consistent scanning at every stage of development. Scan cadence is within a developer’s control and can have an enormous impact on application security.
Prioritize flaw fixing: frequent, regular scanning makes immediate flaw remediation possible. Older flaws tend to linger, and teams may not allocate capacity to fix them. Flaw severity and the business impact of the application are factors in how teams decide which flaws to fix first. In terms of prevalence, SQL injection is 33% more prevalent in government and education than across all sectors, and cross-site scripting and insufficient input validation are also more prevalent in this sector than in others. However, five of the top 10 flaw types overall actually show a lower prevalence in government and education applications.
The sector continues to grapple with data breaches as well – in 2020 alone,
breaches have occurred within the U.S. Small Business Administration, the UK
Home Office, the University of York, and Denmark’s government tax portal, among