A recent Veracode report analyzed security debt and application risk management in the public sector. Security debt, which the report defines as flaws that remain unfixed for longer than a year, exists in 59% of public sector applications, compared to an overall rate of 42%.
Researchers found that while slightly fewer public sector organizations (68%) carry security debt than organizations in other industries (71%), those that do tend to accumulate more of it. Only three percent of public sector applications are flaw-free, compared to six percent across other industries. Even more concerning, 40% of public sector entities have persistent, high-severity flaws that constitute 'critical' security debt, which, if exploited, would put the confidentiality, integrity and availability of their systems at serious risk.
According to the report, security debt in the public sector primarily affects first-party code (93%), but the majority of critical security debt originates in third-party dependencies (55.5%).