Veracode has released its 2025 State of Software Security (SoSS) Snapshot for the Financial Services Sector. The analysis reveals that nearly two-thirds (63 percent) of banking, financial services, and insurance (BFSI) organisations harbour critical security debt (high-severity flaws left unfixed for more than a year), a rate 13 percentage points higher than the cross-industry average.
“Trust is everything in financial services, yet our data reveals a silent, growing risk for the sector created by unresolved security debt,” said Chris Wysopal, Co-founder & Chief Security Evangelist at Veracode. “With AI-driven attacks surging and compliance requirements tightening, finance leaders must prioritise strategic risk reduction, starting with targeted remediation of critical software flaws.”

Fig. 1: Financial service sector flaw remediation timeline based on survival analysis
Veracode researchers report that 77 percent of financial services organisations accrue some level of security debt. The sector's average flaw half-life, the time it takes to remediate 50 percent of all open vulnerabilities, is 276 days, nearly a month longer than other industries take to fix security issues. Despite modest gains in reducing high-severity flaws, progress has stalled as older, larger applications in the sector continue to accumulate unresolved security risk.
Open-Source Dependency Amplifies Exposure
The report found the supply chain remains a major source of risk. While third-party code represents just 17 percent of total security debt, it accounts for more than 82 percent of critical security debt at financial firms. With open-source flaws requiring 50 percent more time to remediate than first-party code, organisations face mounting exposure amid escalating regulatory pressure. Proactively assessing open-source libraries and avoiding components with known flaws significantly reduces long-term exposure and risk across applications.

Fig. 2: Proportion of security debt and critical debt in first-party vs. third-party code
Leaders vs. Laggards: Benchmarking AppSec Maturity
The report benchmarks top-performing BFSI enterprises against lower-performing organisations. Industry leaders remediate over 9 percent of open flaws monthly and limit security debt to less than 26 percent of applications, while laggards have debt in 85 percent or more of their applications and stretch fix cycles beyond a year. The gap underscores the importance of continuous code analysis, rapid remediation, and contextual risk-based prioritisation with modern, AI-powered tools.

Fig. 3: Performance of “leading” (top 25th percentile) versus “lagging” (bottom 25th percentile) financial service organisations
Wysopal concluded, “This report gives finance leaders the data they need to benchmark progress and target resources more effectively. By understanding where critical open-source and legacy risks are concentrated, organisations can move beyond simply finding flaws to strategically fixing the most critical issues, enabling them to protect their customers while innovating securely and with confidence.”
The Veracode 2025 State of Software Security Snapshot for the Financial Services Sector is available to read on the Veracode website.