The researchers also found that the public sector takes around twice as long to fix flaws once detected compared to other industries. In addition, 60% of flaws in third-party libraries in the public sector remain unfixed after two years. This is double the time frame of other industries and 15 months behind the cross-industry average.
The report was based on an analysis of data collected from 20 million scans across half a million applications in the public sector, manufacturing, financial services, retail & hospitality, healthcare and technology.
The public sector also had the joint lowest vulnerability fix rate of all industries, at 22%. The researchers said the findings suggest that public sector entities are particularly vulnerable to software supply chain attacks like SolarWinds and Kaseya, leading to huge disruptions and compromising critical data.
Encouragingly, the report did find public sector organizations have made significant improvements in tackling high severity flaws. According to the analysis, high-level flaws only appear in 16% of public sector applications and the total number has decreased by 30% in the past year. The researchers believe this suggests new government cybersecurity initiatives, such as US President Joe Biden’s executive order last year mandating cybersecurity practices, such as zero trust, and the UK government’s recent cybersecurity strategy, which focuses on enhancing the security of the nation’s public services, are having a positive impact.
Chris Eng, chief research officer at Veracode, commented: “Public sector policymakers and leaders recognize that dated technology and vast troves of sensitive data make government applications a prime target for malicious actors. That’s why the White House and Congress are working together to update regulations governing cybersecurity compliance. In the wake of May 2021’s Executive Order to improve the nation’s cybersecurity and protect federal government networks, the U.S. Office of Management and Budget, Department of Defense and the White House have issued four memos addressing the need to adopt zero trust cybersecurity principles and strengthen the security of the software supply chain. Our research confirms this need.”
In January, President Biden signed a National Security Memorandum (NSM) requiring national security systems to implement network cybersecurity measures that are at least as good as those required of federal civilian networks. Earlier this month, the US passed new legislation that will force critical infrastructure companies to report cyber incidents within 72 hours.