The research conducted by Veracode highlights significant security debt within the public sector, with 59% of applications having unfixed flaws persisting for over a year, compared to the overall rate of 42%. This analysis spans public sector organizations across more than 25 countries worldwide, indicating a widespread challenge in addressing security vulnerabilities.
Federal government systems are increasingly targeted by cyberattacks, prompting initiatives to enhance cybersecurity. In March 2024, agencies such as CISA and OMB introduced measures, including the Secure Software Development Attestation Form, to hold software providers accountable for insecure software, reflecting efforts to mitigate risks in government applications.
Although slightly fewer public sector organizations have security debt compared to other industries (68%), they tend to accumulate more severe issues, with only 3% of applications being flaw-free. Notably, 40% of public sector entities harbor persistent, high-severity flaws constituting critical security debt, posing substantial risks to data confidentiality, integrity, and availability.
The concentration of security debt primarily in older applications, particularly those built with Java and .NET, underscores the need for a comprehensive approach. This includes addressing both first-party code (93%) and critical security debt arising from third-party dependencies (55.5%), emphasizing the importance of initiatives like the Open Source Security Software Initiative to ensure the safety and sustainability of open-source software.