CSO Online – 6/15/18
[Ed. Note: Byline by Chris Wysopal, CTO, CA Veracode]
Cybersecurity in the government sector has dominated the headlines for the past couple of years. From nation-state actors breaching voter databases in 2016, to the recent findings that 74 percent of federal agencies have cybersecurity programs that are either at risk or high risk, there are a lot of worrisome stories about the state of government cybersecurity. Should we be concerned? What’s the reality, how did we get here, and what should government entities focus on moving forward?
The government software security reality
At CA Veracode, we’ve been scanning our customers’ applications to identify security flaws for more than a decade. All those scans produce a lot of valuable data about software security: for instance, which types of flaws are most prevalent, which fixes are working, and which industries have the most and least secure code. And year in and year out, our data finds that government performs the worst in software security. Truthfully, no industry is getting high marks for software security; from healthcare to financial services to retail, we’ve got a long way to go toward writing secure code. Yet it could be argued that government is the industry with the most to lose if its data is exposed. The unprecedented cyberattacks on elections in the US and other democracies over the past year demonstrate that our most critical systems, and the very foundation of our society, are in the crosshairs.
According to CA Veracode scan data collected just this past year, government applications had the highest flaw prevalence of any industry group for cross-site scripting, SQL injection, credentials management, and cryptographic issues. Government is also the industry that performs security testing least frequently, and the one whose applications pass an OWASP Top 10 application security policy least often.