A new report released today from the software security firm Veracode contained alarming news about the data security practices of many federal agencies.

Veracode’s business is auditing the source code of applications for security vulnerabilities. The report documents 208,670 application scans conducted over 18 months for the company’s private and government customers. An analysis of the prevalence of security issues within software code, the application’s compliance with basic best security standards, and how frequently customers updated or fixed flawed applications are included in the report.

The study found that Web applications in use by federal agencies failed to comply with security standards 76 percent of the time. By contrast, financial service companies are in compliance a comforting-only-by-comparison 42 percent of the time.

In those 18 months of scans, 6.9 million security flaws were found; customers addressed 4.7 million of the flaws. Government agencies patched flaws only 27 percent of the time. Companies in the financial sector patched 87 percent of the time.

The government spent about $13 billion on cyber security in 2014, according to a report by the Office of Management and Budget. So why aren’t agencies patching software at a higher rate? Re/Code, in their coverage of the report, noted that there are no compliance demands or regulations requiring agencies to apply patches. Additionally, many agencies rely on outside contractors to code custom apps, or to deploy commercial software. Contracts with these companies rarely include the requirement to correct flawed coding or deploy patches.

Many government agencies have failed to adopt the risk-based approach to security that is widely employed by businesses. Instead, they focus on meeting basic security requirements created by the government. While this compliance-based approach is solid, most security experts agree that it is not enough. A risk and policy-based approach is a more effective way to protect data. Follow the best practices outlined in compliance authority documents, and deploy additional, strong protections on the data that is likely to attract an attacker’s attention.

Veracode’s analysis substantiates what security experts expected to find after a recent report by the Government Accountability Office (GAO), which found that security incidents at federal agencies grew from 5,500 in 2006 to more than 67,000 in 2014. Incidents that involved personal data rose from about 10,500 to nearly 28,000 in 2014.

Gregory Wilshusen, GAO director for information security issues, is pushing agencies to ramp up their testing and audit processes, both to find problems and to help ensure that the problems are correctly remediated.

One of the best ways to discover whether or not the organization has suffered a breach of its defenses is to search for anomalies on the endpoints themselves in real time. The BAI Security Proactive Compromise Detection service helps an organization find possible malicious code that exists within the enterprise through a long term deployment of highly-specialized yet non-intrusive forensic software on all endpoints.

BAI Security’s team of security experts can then detect the custom-coded malware and other variants used by today’s attackers that signature-based antivirus/malware solutions, as well as Indicators of Compromise (IOC)s, cannot detect. Our detection capabilities include identification of attacks from stealth/idle malware, zero-day code, rootkits, Trojans, key loggers, and various forms of data capturing programs.

Through examination of every piece of software, anything that appears suspicious is carefully examined in order to confirm its validity in an environment. Compromised servers and workstations involved in data breaches often are infected days, weeks, or even months before the actual data loss begins. Data leakages can be avoided with this detection service by locating the malicious software before they siphon off data about end-user activity, customer/patient information, or proprietary data. Find out more about this service here.

And since we’d all rather keep attackers out of the system in the first place, we offer a Breach Risk Assessment service that helps to identify and close vulnerabilities before they are exploited. During this assessment we check the real-world effectiveness of an organization’s existing security controls. While IT Security and compliance audits also check for the existence of required controls, it’s unfortunately true that even a 100% compliant organization can often be vulnerable in the real world against a skilled human threat agent. Find out more about this service here.