Freely subscribe to our NEWSLETTER

With the average cost of a data breach in the financial industry estimated to be $6.08 million¹, the research comes at a critical time for one of the most highly targeted industries by sophisticated threat actors. According to a U.S. Treasury Department report in March 2024, threat actors use AI-based tools to find and exploit software vulnerabilities at an unprecedented rate. At the same time, increasing industry competition and customer expectations for convenience require organisations to accelerate innovation.

“The high rate of security debt in the financial sector poses significant risks to organisations and their customers if not addressed quickly. As AI-driven cyber-attacks continue to grow in strength and numbers, and organisations struggle to keep up with evolving regulations due to existing security debt, the current landscape allows threat actors to exploit vulnerabilities at an alarming, unprecedented rate,” said Chris Wysopal, Chief Security Evangelist at Veracode. “Our latest State of Software research highlights the critical need for financial institutions to address both first-party and third-party code vulnerabilities now. Organisations that leave flaws unremedied for longer than a year are exposed to prolonged and dangerous threats.”

Veracode researchers found 40 percent of all applications in the financial sector have security debt, which is slightly better than the cross-industry average of 42 percent. In addition, just 5.5 percent of financial sector applications are flaw-free, compared to 5.9 percent across other industries. While slightly fewer financial sector applications have security debt, they accumulate more of it.

The report also highlights the need for financial services organisations to address security debt in both first-party and third-party code. Eighty-four percent of all security debt affects first-party code, but the majority (78.6 percent) of critical security debt comes from third-party dependencies. This reinforces the importance of the Cybersecurity and Infrastructure Security Agency’s efforts to help secure the open-source ecosystem with its Open Source Software Security Roadmap and Secure by Design Pledge.

The analysis further explores remediation timelines in the financial services sector. Researchers found that financial organisations fix half of first-party flaws in the first nine months, compared to 13 months for third-party flaws. Of those, 52 percent of third-party flaws turn into security debt, while 44 percent of first-party flaws turn into security debt.

The proliferation of supply chain attacks targeting the financial services industry has brought about a growing number of cybersecurity regulations with a sharper focus on software security. For example, regulatory frameworks like the ISO 20022, the Payment Card Industry Data Security Standard (PCI DSS), NIS2, and the Digital Operational Resilience Act (DORA) require organisations to prevent vulnerabilities from being deployed in applications.

This puts organisations at risk of non-compliance because of existing security debt and outdated remediation strategies. Veracode’s research reveals that organisations can address this risk by prioritising the 3.3% of flaws that constitute critical security debt. Remediating the most dangerous flaws first means financial entities can then move on to tackle other critical flaws or non-critical debt according to their risk tolerance and capabilities.

The increased need for risk prioritisation creates a significant demand for Application Security Posture Management (ASPM) to continuously track risk through the collection, visibility and analysis of security issues across the software development cycle. Veracode’s Application Risk Management Platform provides a comprehensive, unified view of risk across code and applications, empowering developers and security teams to remediate issues swiftly. With the AI-powered solution, Veracode Fix, teams can proactively prevent new vulnerabilities and effectively reduce existing security backlogs. The platform’s contextual analysis uncovers root causes, guiding developers toward optimal next steps that maximise risk reduction with minimal effort.

Wysopal closed, “It has never been more important for the financial services sector to stay ahead of evolving cybersecurity threats, particularly with increasingly sophisticated AI-driven attacks threatening the security of their assets. I urge financial institutions to prioritise timely security debt reduction by adopting AI-powered remediation and ASPM tools which can detect, prioritise and fix vulnerabilities within seconds.”