Over half of government applications have unpatched flaws older than a year (2024)


By Lucian Constantin

CSO Senior Writer

News

30 May 2024, 6 mins

Application Security, Government IT, Vulnerabilities

The public sector is one of the top targets for sophisticated state-sponsored threat actors as well as ransomware gangs, but it is having a hard time applying security patches in a timely manner. More than half of the software applications deployed in government organizations have at least one vulnerability that has gone unpatched for over a year, according to findings from Veracode.

The good news is that under 1% of those unpatched year-old flaws are of critical severity, and half of them are located in first-party code, so they should be fairly easy to resolve. That does not mean lower-severity flaws, or flaws younger than a year, should not be prioritized: over half of the publicly known vulnerabilities that are adopted in widespread attacks become actively exploited in less than a week.

Attackers also tend to use exploit chains, so not all flaws exploited in the wild are unauthenticated remote code execution ones. Some are local privilege escalations that allow hackers to gain full system privileges once they have access to limited accounts, or various security feature bypasses they might need to execute code or shell commands.

Most organizations have unpatched vulnerabilities

Application security testing vendor Veracode defines security debt as vulnerabilities that have gone unpatched for longer than a year, and this debt tends to grow as a codebase ages and becomes more complex. The company's annual State of Software Security report is based on the results of dynamic and static security scans of over a million applications across organizations from all sectors, as well as major software suppliers, outsourcers and open-source projects.

According to the company's findings, 68% of government organizations carry some security debt, slightly below the 71% average across all industries. When it comes to individual applications, however, 59% of those used in the public sector have debt, compared to 42% of applications overall.

“Even more concerning, 40% of public sector entities have high-severity persistent flaws that we’ll classify as critical security debt,” Veracode said in the report. “These flaws represent the highest risk to applications and thus warrant priority remediation.”

Another 38% of apps inside government organizations have vulnerabilities that are not yet a year old but will become security debt if left unfixed, and only 3% are completely free of known flaws, compared to 6% across other sectors. “So, while (slightly) fewer public sector organizations have security debt, they tend to accumulate more of it,” the Veracode researchers concluded.

Most unpatched vulnerabilities come from first-party code

Another interesting finding is that 92.8% of unpatched vulnerabilities that are older than a year originate in code written by the developers of those apps rather than code imported from third-party sources such as open-source components and libraries. This is an important aspect considering that the majority of code inside any modern application is third-party code.

When it comes to critical security debt, the distribution between first-party and third-party code is about the same. This means that public sector organizations need to focus on both but have room to improve when it comes to first-party code where 43% of the flaws eventually become security debt.

There are signs of progress: the average remediation timeline in the public sector is eight months for flaws in first-party code, compared to 14 months for vulnerabilities in third-party code. Still, more needs to be done for both of these figures to come down significantly.

In terms of programming languages, Java and .NET apps are the main source of security debt in the public sector, with apps written in Java also being the top source of critical debt. Apps written in JavaScript and Python also exhibit high rates of security debt, but less so when it comes to critical severity flaws.

An analysis of these apps across age and size has shown that the larger and older a codebase is, the more likely it is to accumulate security debt — 21% for the oldest and largest compared to 12% for the youngest and smallest.

Vulnerability severity matters

Severity should factor into prioritization. According to Veracode, 24% of the flaws that qualify as security debt are non-critical, as are another 67% of flaws that are not yet older than one year. Critical and high severity flaws make up around 8%, and of those about 0.5% are older than a year.

These rates might not sound alarming but consider that it can take only one critical vulnerability for a major security breach to occur. For example, the massive 2017 data breach at Equifax that exposed the Social Security numbers and other personal information of nearly half of the US population was the result of failing to patch a critical vulnerability in the Apache Struts Java application framework for two months.

There are many similar examples, but it’s also worth considering that patching is not the only way to mitigate a vulnerability. It is the best way, but other security controls can also be put in place to lower the chances of exploitation. And not all vulnerable applications are exposed directly to the internet either, which significantly decreases the risk of exploitation.

“Two-thirds (67%) of all flaws in public sector organizations are neither debt nor critical in severity,” the Veracode researchers said. “We’re not saying ignore them altogether (or they’ll eventually become debt), but remediation of those flaws can be deferred in favor of those that represent greater risk. Instead, focus development teams on fixing the <1% of flaws that constitute critical debt. Once that’s done, organizations can tackle critical flaws or non-critical debt based on their risk tolerance and capabilities.”
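The definition of security debt given earlier (open for more than a year) and the remediation order in the quote above can be turned into a simple triage rule. The following is an added example, not Veracode's code or methodology; the `Finding` record, the bucket names and the sample scan results are constructed for illustration, and the choice to rank recent critical flaws ahead of non-critical debt is this example's assumption, since the article leaves that order to each organization's risk tolerance.

```python
from dataclasses import dataclass
from datetime import date

# Article's definitions (Veracode): a flaw is "security debt" once open for more
# than a year; "critical debt" is debt of critical or high severity.
DEBT_AGE_DAYS = 365
CRITICAL_SEVERITIES = {"critical", "high"}
# Remediation order from the article: critical debt first. The article leaves the
# order of the middle two buckets to the organisation's risk tolerance; putting
# critical recent flaws ahead of non-critical debt is this example's assumption.
ORDER = ["critical_debt", "critical_recent", "noncritical_debt", "noncritical_recent"]

@dataclass
class Finding:
    app: str
    severity: str      # "critical", "high", "medium" or "low"
    first_party: bool  # True if in the organisation's own code, not a dependency
    first_seen: date   # date the scanner first reported the flaw

def bucket(f: Finding, today: date) -> str:
    """Map a finding to one of the four buckets the article reasons about."""
    debt = (today - f.first_seen).days > DEBT_AGE_DAYS
    critical = f.severity.lower() in CRITICAL_SEVERITIES
    if debt and critical:
        return "critical_debt"
    if critical:
        return "critical_recent"
    return "noncritical_debt" if debt else "noncritical_recent"

def prioritise(findings, today):
    # Within a bucket, oldest first so flaws about to cross the one-year line
    # are not left to quietly become debt.
    return sorted(findings, key=lambda f: (ORDER.index(bucket(f, today)), f.first_seen))

def summarise(findings, today):
    """Count findings per bucket, the figures the report expresses as percentages."""
    counts = dict.fromkeys(ORDER, 0)
    for f in findings:
        counts[bucket(f, today)] += 1
    return counts

# Constructed sample scan results; not Veracode's data.
SAMPLE = [
    Finding("portal", "high", True, date(2022, 11, 3)),
    Finding("portal", "low", True, date(2023, 1, 20)),
    Finding("payroll", "critical", False, date(2024, 4, 2)),
    Finding("payroll", "medium", False, date(2024, 5, 1)),
    Finding("gis", "medium", True, date(2021, 6, 14)),
]
TODAY = date(2024, 5, 30)  # the article's publication date
```

Running `prioritise(SAMPLE, TODAY)` puts the year-old high-severity portal flaw first and the month-old medium payroll flaw last, which is the ordering the quote recommends.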
