Financial services can’t shake security debt

In financial services, application security risk is becoming a long game. Fewer flaws appear in new code, but old ones linger longer, creating a kind of software “interest” that keeps growing, according to Veracode’s 2025 State of Software Security report.

Researchers analyzed data from more than 1.3 million applications and 126 million security findings. Financial institutions perform better than average at preventing severe vulnerabilities, but they are slower to fix them and carry more long-term security debt than most other sectors.

Fewer flaws, but a plateau in progress

57% of financial sector applications had at least one security flaw during their latest static analysis scan. About 55% contained issues listed in the OWASP Top 10, and 40% were tied to the CWE Top 25 most dangerous software weaknesses. Only 8% of financial applications had high-severity flaws, compared to 16% across all industries.

These figures show that financial firms are identifying and preventing critical issues better than most. Yet, progress has stalled since 2021. After several years of improvement, the rate of vulnerable applications has leveled off, suggesting that organizations are struggling to push risk lower.

The report attributes this to the constant churn of software development. Code is written, flaws are found, fixes are deployed, and new code introduces new issues.

Fixing flaws takes close to nine months

Financial services organizations take about nine months to fix half of their discovered flaws, slightly slower than the cross-industry average.

A significant share of flaws remain open for years, showing that while many fixes happen early, remediation slows over time. As these flaws accumulate, applications become harder to maintain. Older issues are often pushed aside as teams focus on new projects and vulnerabilities, creating a cycle of unfinished remediation work.

“Trust is everything in financial services, yet our data reveals a silent, growing risk for the sector created by unresolved security debt. With AI-driven attacks surging and compliance requirements tightening, finance leaders must prioritize strategic risk reduction, starting with targeted remediation of critical software flaws,” said Chris Wysopal, Chief Security Evangelist at Veracode.

Security debt is widespread and risky

77% of financial services organizations carry some level of security debt, slightly higher than the 74% average across industries. Even more concerning, 63% of financial firms have what Veracode defines as critical debt, meaning severe vulnerabilities that have gone unfixed for more than a year. That figure is 13 percentage points higher than the overall rate.


Security debt tends to accumulate in older, larger applications. It often mirrors other forms of technical debt that reduce efficiency and resilience. The report suggests that the more legacy code an organization maintains, the heavier the backlog of flaws becomes.

Open source adds to the burden

About 17% of all security debt in the financial services sector comes from open-source libraries. For critical debt alone, that share rises above 80%.

Flaws in third-party components take longer to fix than those in internally developed code. The report recommends evaluating open-source packages before adding them to a codebase, since inherited flaws can spread across multiple applications and persist for years.

The findings also suggest that the full scale of open-source risk in financial institutions may be undercounted. Many organizations still lack visibility into their software supply chain and may not consistently use software composition analysis tools.

Leaders move faster and carry less debt

The report compares leading and lagging financial services organizations using five application security metrics: flaw prevalence, fix capacity, fix speed, debt prevalence, and open-source debt.

Leading organizations fix flaws several times faster than their peers and maintain a much lower level of security debt across their applications. Laggards, by contrast, remediate at a slow pace and carry lingering flaws in most of their systems.

The gap shows that a small group of mature programs are steadily improving, while many others remain weighed down by long-standing flaws.
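To make these metrics concrete, here is an added Python example (not from the Veracode report or this article) that computes them over a constructed set of SAST/SCA findings, using the definitions given above: security debt is an open flaw older than a year, critical debt is severe security debt, and fix speed is the time by which half of all discovered flaws had been fixed. Fix capacity is simplified here to the share of discovered flaws that were ever fixed; that simplification, the field names and the sample data are assumptions.

```python
from datetime import date
from math import ceil

# Constructed sample findings (not Veracode data): one dict per SAST/SCA finding.
# "closed" is None while the flaw is still open.
FINDINGS = [
    {"app": "payments",   "severity": "high",     "source": "first_party", "opened": date(2024, 1, 10),  "closed": date(2024, 3, 10)},
    {"app": "payments",   "severity": "medium",   "source": "first_party", "opened": date(2024, 6, 1),   "closed": None},
    {"app": "payments",   "severity": "high",     "source": "open_source", "opened": date(2023, 9, 15),  "closed": None},
    {"app": "ledger",     "severity": "low",      "source": "first_party", "opened": date(2025, 7, 1),   "closed": None},
    {"app": "ledger",     "severity": "critical", "source": "first_party", "opened": date(2024, 11, 20), "closed": date(2025, 8, 15)},
    {"app": "onboarding", "severity": "medium",   "source": "first_party", "opened": date(2025, 5, 5),   "closed": date(2025, 5, 20)},
    {"app": "onboarding", "severity": "high",     "source": "first_party", "opened": date(2025, 2, 1),   "closed": date(2025, 9, 1)},
    {"app": "reporting",  "severity": "low",      "source": "open_source", "opened": date(2024, 2, 1),   "closed": date(2024, 2, 10)},
]
APPS = ["payments", "ledger", "onboarding", "reporting"]  # full inventory, including apps with nothing open
AS_OF = date(2025, 10, 1)           # reporting date for the age of still-open flaws
DEBT_AGE_DAYS = 365                 # open for more than a year -> security debt (report definition)
SEVERE = {"high", "critical"}       # severe flaw that is also debt -> critical debt

def age_days(f, as_of=AS_OF):
    """Days from discovery to fix, or to the reporting date if still open."""
    return ((f["closed"] or as_of) - f["opened"]).days

def is_debt(f, as_of=AS_OF):
    return f["closed"] is None and age_days(f, as_of) > DEBT_AGE_DAYS

def is_critical_debt(f, as_of=AS_OF):
    return is_debt(f, as_of) and f["severity"] in SEVERE

def half_life_days(findings, as_of=AS_OF):
    """Age by which half of all discovered flaws had been fixed (the report's 'fix speed').
    Returns None when fewer than half are fixed yet, i.e. the half-life has not been reached."""
    need = ceil(len(findings) / 2)
    closed_ages = sorted(age_days(f, as_of) for f in findings if f["closed"] is not None)
    return closed_ages[need - 1] if len(closed_ages) >= need else None

def debt_metrics(findings, apps, as_of=AS_OF):
    """Portfolio-level view of the five metrics; prevalence figures are shares of the app inventory."""
    def share_of_apps(pred):
        return sum(1 for a in apps if any(pred(f) for f in findings if f["app"] == a)) / len(apps)
    debt = [f for f in findings if is_debt(f, as_of)]
    return {
        "flaw_prevalence": share_of_apps(lambda f: f["closed"] is None),
        "fix_capacity": sum(1 for f in findings if f["closed"] is not None) / len(findings),  # assumption: share ever fixed
        "fix_speed_days": half_life_days(findings, as_of),
        "debt_prevalence": share_of_apps(lambda f: is_debt(f, as_of)),
        "critical_debt_prevalence": share_of_apps(lambda f: is_critical_debt(f, as_of)),
        "open_source_debt_share": (sum(1 for f in debt if f["source"] == "open_source") / len(debt)) if debt else 0.0,
    }
```

Running `debt_metrics(FINDINGS, APPS)` on the sample shows a half-life of 212 days even though the newest flaws were closed within weeks, which is the long-tail effect the report describes.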
