Another 38% of applications within government organizations have flaws that are less than a year old; these are not yet counted as security debt but become so if left unpatched. Only 3% are completely free of known flaws, compared to 6% in other sectors. “Thus, although (slightly) fewer public sector organizations have security liabilities, they tend to accumulate more,” Veracode researchers concluded.
Many long-standing vulnerabilities come from first-party code
Another interesting finding is that 92.8% of vulnerabilities left unaddressed for over a year are in code written by the developers of those applications rather than in code imported from third-party sources such as open source components and libraries. This is a notable finding, considering that most of the code inside any modern application is third-party code.
When it comes to critical security debt, the distribution between first-party and third-party code is almost identical. This means that public sector organizations need to focus on both, but they have the most room for improvement in first-party code, where 43% of flaws end up becoming security debt.
There are signs of progress: the average remediation time in the public sector is eight months for first-party code vulnerabilities, compared to 14 months for third-party code vulnerabilities, but more needs to be done to bring both of these figures down significantly.
In terms of programming languages, Java and .NET applications are the primary source of public sector security debt, and applications written in Java are also the largest source of critical security debt. Applications written in JavaScript and Python also show high rates of security debt, but less so for flaws of critical severity.
An analysis of these applications across all ages and sizes showed that the larger and older a codebase is, the more likely it is to accumulate security debt: 21% of the oldest or largest applications carry it, versus 12% of the youngest and smallest.