UK Government security debt is putting public sector cybersecurity at risk


Recent research has shed light on a concerning trend in the public sector: more than half of public sector applications carry security debt, meaning vulnerabilities or flaws that have remained unremediated for more than a year after they were first found.

The Veracode State of Software Security Public Sector 2024 report reveals a global average of 42% of applications with security debt. However, when focusing solely on the public sector, this figure jumps to 59%, indicating a significant disparity.

Furthermore, the public sector appears to accumulate security debt at a higher rate compared to other industries. The report highlights that flaw-free applications are far less common in the public sector, with only 3% achieving this status, compared to 6% in other industries.

Risk-Prioritization Versus Reward

The UK public sector has increasingly become a target for threat actors due to aging IT systems and inadequate investment. Notable incidents, such as the alleged breach of Ministry of Defence personnel files by Chinese threat actors in May 2024, underscore the urgency of addressing cybersecurity vulnerabilities in government systems.

However, recent initiatives signal a shift in the government’s approach to public sector security. The National Cyber Strategy lays the groundwork for bolstering cyber resilience in the UK, while proposed measures aim to compel organizations to prioritize application security when supplying software to the public sector.

Chris Eng, Chief Research Officer at Veracode, emphasizes the importance of risk prioritization in addressing security debt. While most organizations have the capability to remediate critical debt, focused effort is essential. By tackling critical vulnerabilities first, organizations can achieve maximum risk reduction before addressing less critical flaws.

Of particular concern is the prevalence of high-severity security debt, with 40% of public sector organizations globally affected. In the UK, over half of critical security debt is attributed to third-party code and dependencies, prompting government action to mitigate the use of insecure open-source software.
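The two ideas in the passages above, ageing findings into security debt (unremediated for more than a year) and working critical and high-severity debt first while tracking how much of it sits in third-party code, can be expressed as a small triage routine. The following is an added example, not code from the article or from Veracode; the findings, application names, dates and the choice to count "critical" and "high" together as high-severity debt are all constructed assumptions for illustration.

```python
"""Security-debt triage over a constructed set of scan findings (added example)."""
from dataclasses import dataclass
from datetime import date

DEBT_AGE_DAYS = 365  # the report's definition: a flaw open for more than a year is debt
SEVERITY_RANK = {"critical": 0, "high": 1, "medium": 2, "low": 3}
HIGH_SEVERITY = {"critical", "high"}  # assumption: what counts as "high-severity debt"


@dataclass(frozen=True)
class Finding:
    finding_id: str
    app: str
    severity: str        # critical / high / medium / low
    first_seen: date     # date the scanner first reported the flaw
    third_party: bool    # True if the flaw lives in a dependency, not first-party code


def is_debt(f: Finding, today: date) -> bool:
    """A finding becomes security debt once it has been open longer than DEBT_AGE_DAYS."""
    return (today - f.first_seen).days > DEBT_AGE_DAYS


def triage(findings):
    """Order findings for remediation: most severe first, oldest first within a severity."""
    return sorted(findings, key=lambda f: (SEVERITY_RANK[f.severity], f.first_seen))


def debt_report(findings, today: date) -> dict:
    """Summarise the debt position the way the report does: apps affected, high-severity
    share, and how much of the high-severity debt is attributable to third-party code."""
    debt = [f for f in findings if is_debt(f, today)]
    high_sev_debt = [f for f in debt if f.severity in HIGH_SEVERITY]
    third_party = sum(1 for f in high_sev_debt if f.third_party)
    share = third_party / len(high_sev_debt) if high_sev_debt else 0.0
    return {
        "apps": len({f.app for f in findings}),
        "apps_with_debt": len({f.app for f in debt}),
        "debt_findings": len(debt),
        "high_severity_debt": len(high_sev_debt),
        "third_party_share_of_high_severity_debt": round(share, 2),
        # Work this list top to bottom for the largest risk reduction per fix.
        "remediation_order": [f.finding_id for f in triage(debt)],
    }


# Constructed sample findings; dates chosen relative to TODAY to exercise the 365-day cut-off.
TODAY = date(2024, 6, 1)
SAMPLE = [
    Finding("F-1", "payroll", "critical", date(2023, 1, 15), True),   # 503 days open: debt
    Finding("F-2", "payroll", "low", date(2022, 11, 3), False),       # debt, but low severity
    Finding("F-3", "portal", "high", date(2024, 4, 20), False),       # 42 days open: not yet debt
    Finding("F-4", "portal", "high", date(2023, 3, 1), True),         # 458 days open: debt
    Finding("F-5", "records", "medium", date(2024, 5, 28), False),    # 4 days open: not debt
    Finding("F-6", "records", "critical", date(2022, 6, 1), False),   # 731 days open: debt
]

if __name__ == "__main__":
    for key, value in debt_report(SAMPLE, TODAY).items():
        print(f"{key}: {value}")
```

Run against the sample, the report shows four debt findings across all three applications, three of them high-severity, two thirds of those in third-party code, and a remediation order that starts with the two critical findings (oldest first) before the high and low ones. Feeding it real SAST or SCA export data only requires mapping each tool's fields onto `Finding`.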

Eng stresses the need for a secure-by-design approach to software development, advocating for widespread adoption of secure principles across government and industry. The goal is to support government and industry partners in promoting a culture of cybersecurity awareness and proactive risk mitigation.

Source: techradar.com