According to a new study from Veracode, more than 82% (4/5th) of public sector apps have security vulnerabilities, the highest found in any industry. The experts also found that the apps in the public sector take twice the time to get patch the flaws once identified, compared to other industry security fixes. Besides this, around 60% of flaws in third-party libraries in the public sector haven't been patched for two years. It is twice the time frame compared to industry data and almost 15 months behind the cross-industry average.
The report is based on the data collected via 20 million scans across half a million apps in the public sector, financial services, manufacturing, retail, healthcare, technology, and hospitality. Veracode simplifies AppSec programs by combining five application security analysis types in one solution, integrated into the development pipeline. With comprehensive analysis, you’re covered today and as your program evolves Joint lowest fix rate for vulnerability in the public sector is 22% which is the lowest.
The study suggests that public sector organizations are more prone to software supply chain attacks because they are more vulnerable, for instance, solar winds, which led to huge disruptions and breaches of critical data. Fortunately, the findings suggest that public sector entities have improved in battling high severity flaws. As per analysis, high-level flaws were found in 16% of public sector apps and the total numbers fell by 30% in the last year.
The experts believe that the data hints toward new government cybersecurity measures. Public sector lawmakers and politicians know that dated technology and a large amount of sensitive data are the reason for public organizations to become a primary target for hackers.
This is why Congress and the White House are working together to update regulations that govern cybersecurity compliance. "In January, President Biden signed a National Security Memorandum (NSM) requiring national security systems to implement network cybersecurity measures that are at least as good as those required of federal civilian networks. Earlier this month, the US passed new legislation that will force critical infrastructure companies to report cyber incidents within 72 hours" reports Infosecurity.
