Public Sector Application Risk Accumulates as Security Debt Grows Across Government Systems

Veracode’s Public Sector State of Software Security 2025Report Reveals 78% of Government Organizations Operate with Unaddressed Security Flaws, with Critical Vulnerabilities Persisting for Years

Veracode, a global leader in application risk management, today released its Public Sector State of Software Security 2025 report, revealing alarming trends in software security across government organizations. Drawing from an extensive analysis of 1.3 million unique applications and 126.4 million raw findings, the research shows 78 percent of public sector organizations are operating with significant security debt—flaws left unaddressed for more than a year. Moreover, 55 percent are burdened with ‘critical’ security debt, representing long-standing vulnerabilities with severe risk potential.

This press release features multimedia. View the full release here: https://www.businesswire.com/news/home/20250611610525/en/

Fig 1: Public Sector Flaw Remediation Timeline Based on Survival Analysis

Public Sector Security Debt Exceeds Industry Average

In an era where public trust and digital infrastructure security are paramount, the public sector continues to struggle with timely vulnerability remediation. The research reveals that public sector entities require an average of 315 days to fix half their software vulnerabilities—significantly higher than the overall average of 252 days. This 63-day delay creates substantial windows of opportunity for potential application-layer attacks and data breaches.

The data further reveals that even after two years, one-third of security flaws in government applications remain unresolved, with 15 percent persisting for more than five years. This prolonged remediation (depicted in the survival curve in Fig. 1) illustrates how unaddressed vulnerabilities accumulate into widespread security debt.

“Many government organizations are facing growing challenges in keeping up with vulnerability remediation, potentially leaving critical systems and data that run essential government services exposed,” said Chris Wysopal, Chief Security Evangelist at Veracode. “Our research highlights an urgent need for the public sector to modernize its security practices, especially when it comes to managing risk in open-source software.”

Veracode collaborates directly with public sector agencies to tackle these cybersecurity challenges. Backed by findings from more than 360 trillion lines of code analyzed over two decades, the Veracode platform provides comprehensive risk visibility from design through deployment, enabling organizations to remediate vulnerabilities with speed and precision.

Third-Party Code Presents Disproportionate Risk Profile

A particularly concerning finding reveals that while third-party and open-source code comprise less than 10 percent of overall security debt, they account for a staggering 70 percent of critical security debt in government systems. Worse yet, these flaws take approximately 50 percent longer to fix compared to flaws in first-party software developed internally.

Wysopal said, “This disproportionate risk highlights the importance of securing software supply chains and carefully vetting open-source dependencies. Without extending visibility and remediation efforts beyond internal code, public sector entities risk leaving the most dangerous flaws unaddressed. As the use of AI-generated code increases across organizations, comprehensive open-source analysis is more essential than ever to prevent hidden flaws from slipping through.”

Security Maturity Benchmarks Reveal Performance Disparities

Despite overall concerning trends, Veracode’s research reveals leading government agencies are successfully reducing security debt and resolving vulnerabilities nearly four times faster than others. These high-performing organizations demonstrate that meaningful improvement is achievable, offering a clear path forward for peers looking to strengthen their software security posture.

The report identifies five key metrics that measure an organization’s application security maturity and debt management capability, revealing distinct performance gaps between leading and lagging public sector organizations:

• Flaw Prevalence: Leading agencies have flaws in fewer than 33 percent of applications, while lagging agencies show flaws in 100 percent of their applications.
• Remediation Capacity: Leaders address more than nine percent of flaws monthly, compared to just 0.1 percent for laggards.
• Resolution Speed: Top performers resolve half of their flaws within 3.3 months, while bottom performers take more than 11 months for similar results.
• Security Debt Prevalence: Less than 26 percent of applications in leading agencies carry security debt, compared to more than 85 percent in lagging organizations.
• Open-Source Debt: Even among leaders, 84 percent of applications contain open-source critical debt, rising to 100 percent for lagging peers.

“The disparity between top- and bottom-performing government organizations is striking and raises important questions about the factors that make a material difference to security posture,” added Wysopal. “This data provides public sector security teams with a clear framework to assess their maturity, identify gaps, and improve their performance based on the practices of top-performing agencies.”

A Clear Call to Action

As public sector organizations face mounting cyber threats and expanding regulatory compliance requirements, Veracode recommends two strategic shifts:

1. Implement Risk-Based Prioritization: Deploy context-driven security posture management capabilities thatcorrelate findings from multiple security tools and data sources. Advanced solutions like Veracode Risk Manager surface the most exploitable and urgent vulnerabilities, offering automated resolution.
2. Enhance Comprehensive Visibility: Establish continuous scanning and developer enablement across the complete software development lifecycle. Proactive flaw identification before deployment remains the most cost-effective and impactful AppSec investment.

Wysopal concluded, “In today’s threat landscape, security debt is no longer an acceptable risk. With the right focus, metrics, and automation, public sector agencies can take control of their software risk and build resilience into every release.”

With application risk accumulating across government systems, federal, state, and local agencies must balance mission-critical service delivery with effective cybersecurity risk management. Veracode's comprehensive application risk management platform helps agencies navigate these competing demands through accelerated risk remediation, data-driven vulnerability prioritization, and automated risk assessment capabilities that build organizational resilience against evolving threats. This is especially important as AI-generated code and open-source dependencies introduce new complexity into software development processes.

The complete Public Sector State of Software Security 2025 reportis available to download on the Veracode website.

About Veracode

Veracode is a global leader in Application Risk Management for the AI era. Powered by trillions of lines of code scans and a proprietary AI-assisted remediation engine, the Veracode platform is trusted by organizations worldwide to build and maintain secure software from code creation to cloud deployment. Thousands of the world’s leading development and security teams use Veracode every second of every day to get accurate, actionable visibility of exploitable risk, achieve real-time vulnerability remediation, and reduce their security debt at scale. Veracode is a multi-award-winning company offering capabilities to secure the entire software development life cycle, including Veracode Fix, Static Analysis, Dynamic Analysis, Software Composition Analysis, Container Security, Application Security Posture Management, Malicious Package Detection, and Penetration Testing.

Learn more at www.veracode.com, on the Veracode blog, and on LinkedIn and X.

Copyright © 2025 Veracode, Inc. All rights reserved. Veracode is a registered trademark of Veracode, Inc. in the United States and may be registered in certain other jurisdictions. All other product names, brands, or logos belong to their respective holders. All other trademarks cited herein are property of their respective owners.

View source version on businesswire.com: https://www.businesswire.com/news/home/20250611610525/en/