50% of financial orgs have high-severity security flaws in their apps

Security debt, defined for this report as flaws that remain unfixed for longer than a year, exists in 76% of organizations in the financial services sector, with 50% of organizations carrying critical security debt, according to Veracode.

Financial sector apps accumulate more security debt

With the average cost of a data breach in the financial industry estimated to be $6.08 million, the research comes at a critical time for one of the most highly targeted industries by sophisticated threat actors. According to a U.S. Treasury Department report in March 2024, threat actors use AI-based tools to find and exploit software vulnerabilities. At the same time, increasing industry competition and customer expectations for convenience require organizations to accelerate innovation.

“The high rate of security debt in the financial sector poses significant risks to organizations and their customers if not addressed quickly. As AI-driven cyber-attacks continue to grow in strength and numbers, and organizations struggle to keep up with evolving regulations due to existing security debt, the current landscape allows threat actors to exploit vulnerabilities at an alarming rate,” said Chris Wysopal, Chief Security Evangelist at Veracode.

“Our latest State of Software research highlights the critical need for financial institutions to address both first-party and third-party code vulnerabilities now. Organizations that leave flaws unremedied for longer than a year are exposed to prolonged and dangerous threats,” added Wysopal.

Veracode researchers found 40% of all applications in the financial sector have security debt, which is slightly better than the cross-industry average of 42%. In addition, just 5.5% of financial sector applications are flaw-free, compared to 5.9% across other industries. While slightly fewer financial sector applications have security debt, they accumulate more of it.

Security debt in first-party and third-party code demands attention

The report also highlights the need for financial services organizations to address security debt in both first-party and third-party code. 84% of all security debt affects first-party code, but 78.6% of critical security debt comes from third-party dependencies. This reinforces the importance of the Cybersecurity and Infrastructure Security Agency’s efforts to help secure the open-source ecosystem with its Open Source Software Security Roadmap and Secure by Design Pledge.

The analysis further explores remediation timelines in the financial services sector. Researchers found that financial organizations fix half of first-party flaws in the first nine months, compared to 13 months for third-party flaws. Of those, 52% of third-party flaws turn into security debt, while 44% of first-party flaws turn into security debt.

The proliferation of supply chain attacks targeting the financial services industry has brought about a growing number of cybersecurity regulations with a sharper focus on software security. For example, regulatory frameworks like the ISO 20022, the Payment Card Industry Data Security Standard (PCI DSS), NIS2, and the Digital Operational Resilience Act (DORA) require organizations to prevent vulnerabilities from being deployed in applications.

This puts organizations at risk of non-compliance because of existing security debt and outdated remediation strategies. Research reveals that organizations can address this risk by prioritizing the 3.3% of flaws that constitute critical security debt. Remediating the most dangerous flaws first means financial entities can then move on to tackle other critical flaws or non-critical.

“It has never been more important for the financial services sector to stay ahead of evolving cybersecurity threats, particularly with increasingly sophisticated AI-driven attacks threatening the security of their assets. I urge financial institutions to prioritize timely security debt reduction by adopting AI-powered remediation and ASPM tools which can detect, prioritize and fix vulnerabilities within seconds,” concluded Wysopal.