Half of Financial Organizations Have High-Severity Security Flaws in Their Apps

Veracode has released new research that highlights the state of software security debt within the financial services sector. Security debt, defined for this report as flaws that remain unfixed for longer than a year, exists in 76 percent of organizations in the financial services sector, with 50 percent of organizations carrying critical security debt.

With the average cost of a data breach in the financial industry estimated to be $6.08 million, the research comes at a critical time for one of the most highly targeted industries by sophisticated threat actors. According to a U.S. Treasury Department report in March 2024, threat actors use AI-based tools to find and exploit software vulnerabilities at an unprecedented rate. At the same time, increasing industry competition and customer expectations for convenience require organizations to accelerate innovation.

“The high rate of security debt in the financial sector poses significant risks to organizations and their customers if not addressed quickly. As AI-driven cyber-attacks continue to grow in strength and numbers, and organizations struggle to keep up with evolving regulations due to existing security debt, the current landscape allows threat actors to exploit vulnerabilities at an alarming, unprecedented rate,” said Chris Wysopal, Chief Security Evangelist at Veracode. “Our latest State of Software research highlights the critical need for financial institutions to address both first-party and third-party code vulnerabilities now. Organizations that leave flaws unremedied for longer than a year are exposed to prolonged and dangerous threats.”

Veracode researchers found 40 percent of all applications in the financial sector have security debt, which is slightly better than the cross-industry average of 42 percent. In addition, just 5.5 percent of financial sector applications are flaw-free, compared to 5.9 percent across other industries. While slightly fewer financial sector applications have security debt, they accumulate more of it.

The report also highlights the need for financial services organizations to address security debt in both first-party and third-party code. Eighty-four percent of all security debt affects first-party code, but the majority (78.6 percent) of critical security debt comes from third-party dependencies. This reinforces the importance of the Cybersecurity and Infrastructure Security Agency’s efforts to help secure the open-source ecosystem with its Open Source Software Security Roadmap and Secure by Design Pledge.

The analysis further explores remediation timelines in the financial services sector. Researchers found that financial organizations fix half of first-party flaws in the first nine months, compared to 13 months for third-party flaws. Of those, 52 percent of third-party flaws turn into security debt, while 44 percent of first-party flaws turn into security debt.

The proliferation of supply chain attacks targeting the financial services industry has brought about a growing number of cybersecurity regulations with a sharper focus on software security. For example, regulatory frameworks like the ISO 20022, the Payment Card Industry Data Security Standard (PCI DSS), NIS2, and the Digital Operational Resilience Act (DORA) require organizations to prevent vulnerabilities from being deployed in applications.

This puts organizations at risk of non-compliance because of existing security debt and outdated remediation strategies. Veracode’s research reveals that organizations can address this risk by prioritizing the 3.3% of flaws that constitute critical security debt. Remediating the most dangerous flaws first means financial entities can then move on to tackle other critical flaws or non-critical debt according to their risk tolerance and capabilities.

The increased need for risk prioritization creates a significant demand for Application Security Posture Management (ASPM) to continuously track risk through the collection, visibility and analysis of security issues across the software development cycle. Veracode’s Application Risk Management Platform provides a comprehensive, unified view of risk across code and applications, empowering developers and security teams to remediate issues swiftly. With the AI-powered solution, Veracode Fix, teams can proactively prevent new vulnerabilities and effectively reduce existing security backlogs. The platform’s contextual analysis uncovers root causes, guiding developers toward optimal next steps that maximize risk reduction with minimal effort.

Wysopal closed, “It has never been more important for the financial services sector to stay ahead of evolving cybersecurity threats, particularly with increasingly sophisticated AI-driven attacks threatening the security of their assets. I urge financial institutions to prioritize timely security debt reduction by adopting AI-powered remediation and ASPM tools which can detect, prioritize and fix vulnerabilities within seconds.”