According to Veracode, the government isn’t very good at fixing software flaws. In fact, of 7 vertical segments, they rank last. The financial and manufacturing sectors do best at fixing vulnerabilities. Healthcare organizations don’t do well and cloud vendors (SaaS) fail the OWASP top 10 almost 75% of the time. Given this, it is not surprising that hackers are having a field day.
Veracode makes software and sells services to help companies squash bugs, so that is how they get their data. According to Veracode’s study:
The level of compliance on the first risk assessment test, by industry is ranked like this: Financial (42%), Manufacturing (35%), Tech (32%), Healthcare (31%), Retail (30%), other (30%) and, last and apparently least, Government (24%).
Remediation is a very important metric. What percentage of the bugs that you find do you fix. You might think the answer is all of them and maybe in a perfect world that would be true, but there are lots of reasons why it isn’t true. Manufacturing wins this contest at 81% fixed, followed by Financial (65%), Retail (60%), Other (52%), Tech (50%), Healthcare (43%) . Government brings up the rear at 27%. Usually, time and money drive fixing the bugs, along with the PERCEIVED risk that is that the flaw represents. I say perceived because many companies don’t think that they are going to be attacked.
According to the report, cryptographic issues seem to be a big problem. Cryptographic issues could mean that sensitive data isn’t encrypted or the implementation of cryptography is poor.
Turning to risk improvement, the report says that while only 14% of the overall flaws detected were fixed between the first assessment and the most recent one, 58% of the high and very high severity flaws were fixed. Said differently, more than 40% of the high and very high severity flaws are still out there and over 80% of the total flaws are still left in the code.
This data says that there is a lot of room for improvement. Interestingly, internally developed software seems to test better than commercial software, which is counter intuitive. Overall, internally developed software was compliant on the first pass of testing 37% of the time while commercial software passed 28%.
The report is available at this link.