BURLINGTON, Mass.--()--Veracode, a global leader in application risk management, today released new research that highlights the state of software security debt within the financial services sector. Security debt, defined for this report as flaws that remain unfixed for longer than a year, exists in 76 percent of organizations in the financial services sector, with 50 percent of organizations carrying critical security debt.

With the average cost of a data breach in the financial industry estimated to be $6.08 million1, the research comes at a critical time for one of the most highly targeted industries by sophisticated threat actors. According to a U.S. Treasury Department report in March 2024, threat actors use AI-based tools to find and exploit software vulnerabilities at an unprecedented rate. At the same time, increasing industry competition and customer expectations for convenience require organizations to accelerate innovation.

“The high rate of security debt in the financial sector poses significant risks to organizations and their customers if not addressed quickly. As AI-driven cyber-attacks continue to grow in strength and numbers, and organizations struggle to keep up with evolving regulations due to existing security debt, the current landscape allows threat actors to exploit vulnerabilities at an alarming, unprecedented rate,” said Chris Wysopal, Chief Security Evangelist at Veracode. “Our latest State of Software research highlights the critical need for financial institutions to address both first-party and third-party code vulnerabilities now. Organizations that leave flaws unremedied for longer than a year are exposed to prolonged and dangerous threats.”

Delayed Flaw Remediation Threatens Financial Sector Security

Veracode researchers found 40 percent of all applications in the financial sector have security debt, which is slightly better than the cross-industry average of 42 percent. In addition, just 5.5 percent of financial sector applications are flaw-free, compared to 5.9 percent across other industries. While slightly fewer financial sector applications have security debt, they accumulate more of it.

The report also highlights the need for financial services organizations to address security debt in both first-party and third-party code. Eighty-four percent of all security debt affects first-party code, but the majority (78.6 percent) of critical security debt comes from third-party dependencies. This reinforces the importance of the Cybersecurity and Infrastructure Security Agency’s efforts to help secure the open-source ecosystem with its Open Source Software Security Roadmap and Secure by Design Pledge.

The analysis further explores remediation timelines in the financial services sector. Researchers found that financial organizations fix half of first-party flaws in the first nine months, compared to 13 months for third-party flaws. Of those, 52 percent of third-party flaws turn into security debt, while 44 percent of first-party flaws turn into security debt.

The Importance of Prioritization in Risk Remediation

The proliferation of supply chain attacks targeting the financial services industry has brought about a growing number of cybersecurity regulations with a sharper focus on software security. For example, regulatory frameworks like the ISO 20022, the Payment Card Industry Data Security Standard (PCI DSS), NIS2, and the Digital Operational Resilience Act (DORA) require organizations to prevent vulnerabilities from being deployed in applications.

This puts organizations at risk of non-compliance because of existing security debt and outdated remediation strategies. Veracode’s research reveals that organizations can address this risk by prioritizing the 3.3% of flaws that constitute critical security debt. Remediating the most dangerous flaws first means financial entities can then move on to tackle other critical flaws or non-critical debt according to their risk tolerance and capabilities.

The Role of Application Security Posture Management

The increased need for risk prioritization creates a significant demand for Application Security Posture Management (ASPM) to continuously track risk through the collection, visibility and analysis of security issues across the software development cycle. Veracode's Application Risk Management Platform provides a comprehensive, unified view of risk across code and applications, empowering developers and security teams to remediate issues swiftly. With the AI-powered solution, Veracode Fix, teams can proactively prevent new vulnerabilities and effectively reduce existing security backlogs. The platform’s contextual analysis uncovers root causes, guiding developers toward optimal next steps that maximize risk reduction with minimal effort.

Wysopal closed, “It has never been more important for the financial services sector to stay ahead of evolving cybersecurity threats, particularly with increasingly sophisticated AI-driven attacks threatening the security of their assets. I urge financial institutions to prioritize timely security debt reduction by adopting AI-powered remediation and ASPM tools which can detect, prioritize and fix vulnerabilities within seconds.”

The Veracode State of Software Security Financial Services 2024 report is available to read on the Veracode website.

1 IBM, “Cost of a Data Breach Report 2024”, IBM and Ponemon Institute, July 30, 2024

About the State of Software Security Report
The Veracode State of Software Security 2024 report analyzed data from large and small companies, commercial software suppliers, software outsourcers, and open-source projects. The research draws from more than a million (1,007,133) applications across all scan types, 1,553,022 dynamic analysis scans, and 11,429,365 static analysis scans. All those scans produced 96 million raw static findings, 4 million raw dynamic findings, and 12.2 million raw software composition analysis findings.

About Veracode
Veracode is a global leader in Application Risk Management for the AI era. Powered by trillions of lines of code scans and a proprietary AI-assisted remediation engine, the Veracode platform is trusted by organizations worldwide to build and maintain secure software from code creation to cloud deployment. Thousands of the world’s leading development and security teams use Veracode every second of every day to get accurate, actionable visibility of exploitable risk, achieve real-time vulnerability remediation, and reduce their security debt at scale. Veracode is a multi-award-winning company offering capabilities to secure the entire software development life cycle, including Veracode Fix, Static Analysis, Dynamic Analysis, Software Composition Analysis, Container Security, Application Security Posture Management, and Penetration Testing.

Learn more at www.veracode.com, on the Veracode blog, and on LinkedIn and X.

Copyright © 2024 Veracode, Inc. All rights reserved. Veracode is a registered trademark of Veracode, Inc. in the United States and may be registered in certain other jurisdictions. All other product names, brands or logos belong to their respective holders. All other trademarks cited herein are property of their respective owners.