Very serious weaknesses: a victory for the public sector


Post by sumaiyakhatun26

The Veracode study also highlights why public sector organizations are optimistic about application security. The number of “very serious” bugs discovered in public sector applications (12%) over the 16.5-month period was lower than in non-public sector applications (19%). This is significant, as very serious bugs, if exploited, can have a more negative impact on the system.

Modern application testing encourages the use of a variety of security scanning tools, such as Static Security Testing (SAST) and Software Composition Analysis (SCA), because different types of scans are best at uncovering different types of flaws. SAST and SCA found application flaws in a lower percentage of public sector organizations than private sector applications.

The identification of fewer errors when using SCA tools could indicate the initial impact of the May 2021 Executive Order (EO 14028), which directs US federal agencies to step up efforts to secure the software supply chain. The EO also calls for greater use of Software Bills of Materials (SBOMs), lists of substances used in software, thus promoting sharing, transparency, and visibility. Elsewhere, the Federal Risk and Authorization Management Program (FedRAMP) certifies security assessments of cloud products and services. Similarly, StateRAMP allows state and local governments to verify cloud service providers’ compliance with cybersecurity policies.