Over half of government applications have unpatched flaws older than a year (2024)


By Lucian Constantin

CSO Senior Writer

News

May 30, 2024

Application Security, Government IT, Vulnerabilities

The public sector is one of the top targets for sophisticated state-sponsored threat actors as well as ransomware gangs, but it is struggling to apply security patches in a timely manner. More than half of the software applications deployed in government organizations have at least one vulnerability that has gone unpatched for over a year, according to findings from Veracode.

The good news is that under 1% of those unpatched year-old flaws have critical severity, and half of them are located in first-party code, so it should be fairly easy to resolve them. That does not mean, though, that lower-severity flaws or those younger than a year should be left unprioritized, considering that over half of the publicly known vulnerabilities adopted in widespread attacks become actively exploited in less than a week.

Attackers also tend to use exploit chains, so not all flaws exploited in the wild are unauthenticated remote code execution bugs. Some are local privilege escalations that let attackers gain full system privileges once they already hold a low-privileged account, or security feature bypasses they need in order to execute code or shell commands.

Most organizations have unpatched vulnerabilities

Application security testing vendor Veracode defines security debt as vulnerabilities that have gone unpatched for longer than a year, and this debt tends to grow as a codebase becomes older and more complex. The company’s annual State of Software Security report is based on the results of dynamic and static security scans of over a million applications across organizations from all sectors, as well as major software suppliers, outsourcers and open-source projects.

According to the company’s findings, 68% of government organizations have some security debt, slightly less than the average of 71% across all industries. However, when it comes to individual applications, 59% of those used in the public sector carry debt, compared to an overall rate of 42% across all applications.

“Even more concerning, 40% of public sector entities have high-severity persistent flaws that we’ll classify as critical security debt,” Veracode said in the report. “These flaws represent the highest risk to applications and thus warrant priority remediation.”

Another 38% of apps inside government organizations have vulnerabilities that are not yet a year old but will become security debt if left unfixed, and only 3% are completely free of known flaws, compared to 6% across other sectors. “So, while (slightly) fewer public sector organizations have security debt, they tend to accumulate more of it,” the Veracode researchers concluded.

Most unpatched vulnerabilities come from first-party code

Another interesting finding is that 92.8% of unpatched vulnerabilities older than a year originate in code written by the developers of those apps rather than in code imported from third-party sources such as open-source components and libraries. This is notable because the majority of the code in any modern application is third-party code.

When it comes to critical security debt, the distribution between first-party and third-party code is about even. This means that public sector organizations need to focus on both, but have the most room to improve in first-party code, where 43% of flaws eventually become security debt.

There are signs of progress: the average remediation time in the public sector is eight months for flaws in first-party code, compared to 14 months for vulnerabilities in third-party code. Both figures still need to come down significantly.

In terms of programming languages, Java and .NET apps are the main source of security debt in the public sector, with apps written in Java also being the top source of critical debt. Apps written in JavaScript and Python also exhibit high rates of security debt, but less so when it comes to critical severity flaws.

An analysis of these apps across age and size has shown that the larger and older a codebase is, the more likely it is to accumulate security debt — 21% for the oldest and largest compared to 12% for the youngest and smallest.

Vulnerability severity matters

It is worth keeping in mind that vulnerability severity matters. According to Veracode, 24% of the flaws that do qualify as security debt are non-critical, along with another 67% of flaws that are not yet a year old. The share of critical and high-severity flaws is around 8%, and of those, about 0.5% are older than a year.

These rates might not sound alarming but consider that it can take only one critical vulnerability for a major security breach to occur. For example, the massive 2017 data breach at Equifax that exposed the Social Security numbers and other personal information of nearly half of the US population was the result of failing to patch a critical vulnerability in the Apache Struts Java application framework for two months.

There are many similar examples, but it is also worth remembering that patching is not the only way to mitigate a vulnerability. It is the best way, but other security controls can be put in place to lower the chances of exploitation. Nor are all vulnerable applications exposed directly to the internet, which significantly decreases the risk of exploitation.

“Two-thirds (67%) of all flaws in public sector organizations are neither debt nor critical in severity,” the Veracode researchers said. “We’re not saying ignore them altogether (or they’ll eventually become debt), but remediation of those flaws can be deferred in favor of those that represent greater risk. Instead, focus development teams on fixing the <1% of flaws that constitute critical debt. Once that’s done, organizations can tackle critical flaws or non-critical debt based on their risk tolerance and capabilities.”
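The triage the Veracode researchers describe, worked through as an added example in Python (it is not Veracode's tooling or the article's own code). The only inputs it takes from the article are the one-year debt threshold and the ordering critical debt, then critical flaws, then non-critical debt; the scan findings below are constructed.

```python
from dataclasses import dataclass
from datetime import date

DEBT_AGE_DAYS = 365                       # "security debt": unpatched for more than a year
CRITICAL_SEVERITIES = {"critical", "high"}  # what the report groups as critical/high

@dataclass(frozen=True)
class Finding:
    id: str
    severity: str      # "critical", "high", "medium" or "low"
    first_seen: date   # date the scanner first reported the flaw
    third_party: bool  # True if the flaw lives in an imported component

def classify(f: Finding, today: date) -> str:
    """Bucket a finding the way the article's remediation guidance does."""
    is_debt = (today - f.first_seen).days > DEBT_AGE_DAYS
    is_critical = f.severity.lower() in CRITICAL_SEVERITIES
    if is_debt and is_critical:
        return "critical debt"
    if is_critical:
        return "critical"
    if is_debt:
        return "non-critical debt"
    return "other"

# Remediation order from the article: critical debt first, then the rest by risk tolerance.
PRIORITY = {"critical debt": 0, "critical": 1, "non-critical debt": 2, "other": 3}

def triage(findings: list[Finding], today: date) -> list[tuple[str, str]]:
    """Return (id, bucket) pairs ordered by bucket, oldest flaw first within a bucket."""
    key = lambda f: (PRIORITY[classify(f, today)], -(today - f.first_seen).days)
    return [(f.id, classify(f, today)) for f in sorted(findings, key=key)]

def debt_share(findings: list[Finding], today: date) -> float:
    """Percentage of findings that are security debt (critical or not)."""
    debt = [f for f in findings if classify(f, today).endswith("debt")]
    return round(100 * len(debt) / len(findings), 1)

def debt_by_origin(findings: list[Finding], today: date) -> dict[str, int]:
    """Split debt findings into first-party and third-party code, as the report does."""
    counts = {"first-party": 0, "third-party": 0}
    for f in findings:
        if classify(f, today).endswith("debt"):
            counts["third-party" if f.third_party else "first-party"] += 1
    return counts

# Constructed sample scan results; dates chosen relative to the article's publication date.
TODAY = date(2024, 5, 30)
SAMPLE = [
    Finding("F-1", "medium", date(2022, 1, 10), third_party=False),
    Finding("F-2", "critical", date(2024, 4, 2), third_party=True),
    Finding("F-3", "high", date(2023, 2, 1), third_party=False),
    Finding("F-4", "low", date(2024, 5, 1), third_party=True),
    Finding("F-5", "medium", date(2023, 3, 15), third_party=True),
]
```

Running `triage(SAMPLE, TODAY)` puts the single high-severity year-old flaw at the top of the queue even though the newer critical finding has a higher raw severity, which is the ordering the quoted guidance recommends.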
