Veracode Report Finds 63% of Financial Services Firms Carry Critical Security Debt, Heightening Supply Chain Risk

Open-source Vulnerabilities Account for 82% of Critical Security Debt Across Banking, Financial Services, and Insurance Organizations

Veracode, the global leader in application risk management, today released its 2025 State of Software Security (SoSS) Snapshot for the Financial Services Sector. The analysis reveals nearly two-thirds (63 percent) of banking, financial services, and insurance (BFSI) organizations harbor critical security debt—high-severity flaws left unfixed for longer than a year—a rate of 13 percentage points higher than the cross-industry average.

This press release features multimedia. View the full release here: https://www.businesswire.com/news/home/20251029207424/en/

Fig. 1: Financial service sector flaw remediation timeline based on survival analysis

"Trust is everything in financial services, yet our data reveals a silent, growing risk for the sector created by unresolved security debt," said Chris Wysopal, Co-founder & Chief Security Evangelist at Veracode. "With AI-driven attacks surging and compliance requirements tightening, finance leaders must prioritize strategic risk reduction, starting with targeted remediation of critical software flaws.”

Veracode researchers report 77 percent of financial services organizations accrue some level of security debt. With an average flaw half-life of 276 days—the time it takes to remediate 50 percent of all vulnerabilities—it takes the sector nearly a month longer to fix security issues than other industries. Despite modest gains in reducing high-severity flaws, progress has stalled as older, larger applications in the sector continue to accumulate unresolved security risks.

Open-Source Dependency Amplifies Exposure

The report found the supply chain remains a major source of risk. While third-party code represents just 17 percent of total security debt, it accounts for more than 82 percent of critical security debt at financial firms. With open-source flaws requiring 50 percent more time to remediate than first-party code, organizations face mounting exposure amid escalating regulatory pressure. Proactively assessing open-source libraries and avoiding components with known flaws significantly reduces long-term exposure and risk across applications.

Leaders vs. Laggards: Benchmarking AppSec Maturity

The report benchmarks top-performing BFSI enterprises against lower-performing organizations. Industry leaders remediate over 9 percent of open flaws monthly and limit security debt to less than 26 percent of applications, while laggards have debt in 85 percent or more of their applications and stretch fix cycles beyond a year. The gap underscores the importance of continuous code analysis, rapid remediation, and contextual risk-based prioritization with modern, AI-powered tools.

Wysopal concluded, "This report gives finance leaders the data they need to benchmark progress and target resources more effectively. By understanding where critical open-source and legacy risks are concentrated, organizations can move beyond simply finding flaws to strategically fixing the most critical issues, enabling them to protect their customers while innovating securely and with confidence.”

The Veracode 2025 State of Software Financial Services Snapshot is available to read on the Veracode website.

About the State of Software Security Report

The Veracode State of Software Security 2025 is the 15th volume of the report. It analyzed data from companies of all sizes, commercial software suppliers, software outsourcers, and open-source projects. The report contains findings about applications that were subjected to static analysis, dynamic analysis, software composition analysis, and/or manual penetration testing through Veracode’s cloud-based platform. Specifically, the data comes from:

• 1.3M unique applications with 126.4M raw findings
• 107.4M findings identified via SAST scans
• 3.9M findings identified via DAST scans
• 15M findings identified via Software Composition Analysis

About Veracode

Veracode is a global leader in Application Risk Management for the AI era. Powered by trillions of lines of code scans and a proprietary AI-assisted remediation engine, the Veracode platform is trusted by organizations worldwide to build and maintain secure software from code creation to cloud deployment. Thousands of the world’s leading development and security teams use Veracode every second of every day to get accurate, actionable visibility of exploitable risk, achieve real-time vulnerability remediation, and reduce their security debt at scale.

Veracode is a multi-award-winning company offering capabilities to secure the entire software development life cycle, including Veracode Fix, Static Analysis, Dynamic Analysis, Software Composition Analysis, Container Security, Application Security Posture Management, Malicious Package Detection, and Penetration Testing.

Learn more at www.veracode.com, on the Veracode blog, and on LinkedIn and X.

View source version on businesswire.com: https://www.businesswire.com/news/home/20251029207424/en/