
Public vs private sector: differences in application security

How government organizations can overcome security challenges in software applications to ensure effective data protection


Applications developed by public sector organizations tend to have more security flaws than those created by the private sector, as noted by Veracode. These findings are of particular significance as an increase in flaws and vulnerabilities in applications translates into increased levels of risk. The research emerges in the context of a number of recent US federal government initiatives to strengthen cybersecurity, including efforts to reduce vulnerabilities in applications that perform critical government functions.

The security difference between public and private sector applications

The researchers found that just under 82 percent of applications developed by public sector organizations had at least one security flaw detected during their last scan in the past 12 months, compared to 74 percent of applications developed by private sector organizations. Depending on the type of defect tracked, public sector applications had a 7 to 12 percent higher chance of introducing a defect in the past year. “The difference between the rate at which defects appear in public and private sector applications is significant. Government efforts to close this gap are needed and should continue. As custodians of public safety, agencies have a duty to close this gap and strengthen security to protect the nation and its citizens,” said Chris Eng, chief research officer at Veracode.

Security anomalies and impact on public functions

However, the numbers alone do not convey the consequences that occur when attackers exploit software flaws and vulnerabilities. For example, in May of this year, a ransomware attack against the city of Dallas crippled the functions the city relies on to deliver public services, including the IT systems used by public safety agencies. Over three weeks after the attack, public agencies in Dallas still hadn't fully recovered.

Positive prospects for the public sector and actions needed to improve security

Despite the worrying data, Veracode's research also found reasons to be optimistic about the security of applications in the public sector. The share of public sector applications in which "high severity" defects were discovered over a 12-month period (16.5%) was lower than the share of private sector applications (19%). This is notable because high-severity flaws, when exploited, have a greater potential to negatively impact systems. However, to further improve their security posture, agencies need to take four actions: remediate the accumulation of known defects, run scans regularly, automate testing through APIs to reduce the introduction of defects into applications, and use dynamic scanning to discover defects that other types of scans may not detect. “The public sector has made great strides in strengthening the security of applications that serve our government, but there is still much work to be done to improve their cyber security posture and fend off incoming threats. Focusing security efforts on the root cause of most cyber breaches, i.e. the application layer, agencies can achieve the necessary improvements,” concluded Eng.


06/07/2023 04:01

Editorial AI
