Report: All Industries Fail at Cybersecurity
Most sectors failed industry-standard security tests of their Web and mobile applications, but the government failed the worst, a report by application security company Veracode found.
What is most striking isn't how poorly the government's applications fared. It's how unlikely they were to be fixed.
Government agencies fix fewer than one-third of all detected problems, according to the report. By comparison, financial services fixed 81 percent of its problems, while manufacturing fixed 65 percent.
Only 24 percent of government agency applications passed security tests, compared with 42 percent of financial services applications. Manufacturing followed at 35 percent, as illustrated below in the figures from the report.
It is interesting to note, however, that manufacturing had the highest concentration of security problems per unit of executable code, almost double the government's concentration.
The report comes just weeks after a cybersecurity attack that exposed millions of federal employees' personal information. Just a month ago, a federal judge ruled that Target had to pay millions of dollars to victims of its massive security breach.
Veracode collected data from more than 200,000 tests it ran on its customers' applications, including those of federal and state agencies. Veracode's co-founder and chief technology officer, Chris Wysopal, said the company reserves the right to analyze anonymized customer data in order to publish findings and propose solutions.
Veracode's network of computers launches simulated attacks on its customers to find flaws and come up with solutions.
"Part of [the solution] is going to be a willingness to adopt a risk-based approach as opposed to compliance. To look at different vulnerabilities and fix them, base them on thinking, 'What risk does this pose to our organization and the data that we have?'" Wysopal said.
Budget problems are a contributing factor, but inadequate contracts are also to blame, he said. Wysopal suggested that government agencies include language in their contracts that requires them to fix problems that are discovered in the future.
President Barack Obama recently proposed an increase to the government's 2016 cybersecurity budget, raising it by $1 billion to $14 billion.
Neither the Department of Homeland Security nor the Secret Service immediately returned calls for comment.