Security flaws in government apps go unpatched for years

78% of public sector organizations are operating with significant security debt, flaws left unaddressed for more than a year, according to Veracode. 55% are burdened with ‘critical’ security debt, representing long-standing vulnerabilities with severe risk potential.

Public sector flaw remediation timeline based on survival analysis (Source: Veracode)

Public sector security debt exceeds industry average

The research reveals that public sector entities require an average of 315 days to fix half their software vulnerabilities, significantly higher than the overall average of 252 days. This 63-day delay creates substantial windows of opportunity for potential application-layer attacks and data breaches.

The data further reveals that even after two years, one-third of security flaws in government applications remain unresolved, with 15% persisting for more than five years. This prolonged remediation illustrates how unaddressed vulnerabilities accumulate into widespread security debt.

“Many government organizations are facing growing challenges in keeping up with vulnerability remediation, potentially leaving critical systems and data that run essential government services exposed,” said Chris Wysopal, Chief Security Evangelist at Veracode.

Open-source debt

A particularly concerning finding reveals that while third-party and open-source code comprise less than 10% of overall security debt, they account for 70% of critical security debt in government systems. Worse yet, these flaws take approximately 50% longer to fix than flaws in first-party software developed internally.

“This disproportionate risk highlights the importance of securing software supply chains and carefully vetting open-source dependencies. Without extending visibility and remediation efforts beyond internal code, public sector entities risk leaving the most dangerous flaws unaddressed. As the use of AI-generated code increases across organizations, comprehensive open-source analysis is more essential than ever to prevent hidden flaws from slipping through,” added Wysopal.

Leading government agencies are reducing security debt

Despite overall concerning trends, leading government agencies are successfully reducing security debt and resolving vulnerabilities nearly four times faster than others. These high-performing organizations demonstrate that meaningful improvement is achievable, offering a clear path forward for peers looking to strengthen their software security posture.

The report identifies five key metrics that measure an organization’s application security maturity and debt management capability, revealing distinct performance gaps between leading and lagging public sector organizations:

  • Flaw prevalence: Leading agencies have flaws in fewer than 33% of applications, while lagging agencies show flaws in 100% of their applications.
  • Remediation capacity: Leaders address more than 9% of flaws monthly, compared to just 0.1% for laggards.
  • Resolution speed: Top performers resolve half of their flaws within 3.3 months, while bottom performers take more than 11 months for similar results.
  • Security debt prevalence: Less than 26% of applications in leading agencies carry security debt, compared to more than 85% in lagging organizations.
  • Open-source debt: Even among leaders, 84% of applications contain open-source critical debt, rising to 100% for lagging peers.
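
The five metrics above can be computed from an ordinary scan-findings export. The following Python is an added example written for this page, not Veracode's code or the report's methodology: the findings, the snapshot date, the 30-day remediation window and the exact definition of each metric are assumptions. The Kaplan-Meier median follows the survival-analysis approach named in the figure caption, treating still-open flaws as censored observations instead of dropping them, and is shown next to the naive "median of fixed flaws only" figure so the gap between the two is visible.

```python
"""Security-debt metrics over a constructed scan-findings export (added example;
findings, dates and metric definitions are assumptions, not Veracode's data)."""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Callable, List, Optional

AS_OF = date(2025, 3, 1)   # constructed snapshot date
DEBT_AGE_DAYS = 365        # report's threshold: open for more than a year

@dataclass(frozen=True)
class Finding:
    app: str
    severity: str              # "critical", "high", "medium" or "low"
    origin: str                # "first-party" or "open-source"
    first_seen: date
    fixed_on: Optional[date]   # None while the flaw is still open

def _mk(app: str, severity: str, origin: str, days_ago: int,
        fixed_after: Optional[int] = None) -> Finding:
    """Constructed finding first seen `days_ago` before AS_OF, fixed `fixed_after` days later."""
    first = AS_OF - timedelta(days=days_ago)
    fixed = first + timedelta(days=fixed_after) if fixed_after is not None else None
    return Finding(app, severity, origin, first, fixed)

# Constructed findings across four hypothetical applications.
FINDINGS: List[Finding] = [
    _mk("portal", "critical", "open-source", 600),                 # open > 1yr: critical OSS debt
    _mk("portal", "high", "first-party", 400, fixed_after=30),
    _mk("payments", "medium", "first-party", 500),                 # open > 1yr: debt
    _mk("payments", "critical", "first-party", 200, fixed_after=180),
    _mk("records", "low", "first-party", 90),                      # open < 1yr: not yet debt
    _mk("records", "high", "open-source", 800, fixed_after=790),
    _mk("records", "critical", "open-source", 50),                 # open < 1yr
    _mk("licensing", "medium", "first-party", 300, fixed_after=20),
]

def open_at(f: Finding, when: date) -> bool:
    """True if the flaw had been seen and was not yet fixed on `when`."""
    return f.first_seen <= when and (f.fixed_on is None or f.fixed_on > when)

def is_debt(f: Finding, as_of: date = AS_OF) -> bool:
    """Security debt: still open and first seen more than DEBT_AGE_DAYS ago."""
    return open_at(f, as_of) and (as_of - f.first_seen).days > DEBT_AGE_DAYS

def _share_of_apps(findings: List[Finding], pred: Callable[[Finding], bool]) -> float:
    """Fraction of applications with at least one finding matching `pred`."""
    apps = {f.app for f in findings}
    return len({f.app for f in findings if pred(f)}) / len(apps) if apps else 0.0

def flaw_prevalence(findings: List[Finding], as_of: date = AS_OF) -> float:
    return _share_of_apps(findings, lambda f: open_at(f, as_of))

def debt_prevalence(findings: List[Finding], as_of: date = AS_OF) -> float:
    return _share_of_apps(findings, lambda f: is_debt(f, as_of))

def oss_critical_debt_prevalence(findings: List[Finding], as_of: date = AS_OF) -> float:
    return _share_of_apps(findings, lambda f: is_debt(f, as_of)
                          and f.severity == "critical" and f.origin == "open-source")

def remediation_rate(findings: List[Finding], window_days: int = 30,
                     as_of: date = AS_OF) -> float:
    """Share of flaws open at the start of the window that were fixed inside it."""
    start = as_of - timedelta(days=window_days)
    backlog = [f for f in findings if open_at(f, start)]
    fixed = [f for f in backlog if f.fixed_on is not None and start < f.fixed_on <= as_of]
    return len(fixed) / len(backlog) if backlog else 0.0

def naive_median_fix_days(findings: List[Finding]) -> Optional[float]:
    """Median over fixed flaws only; drops open flaws, so it understates time-to-fix."""
    ages = sorted((f.fixed_on - f.first_seen).days for f in findings if f.fixed_on is not None)
    if not ages:
        return None
    mid = len(ages) // 2
    return float(ages[mid]) if len(ages) % 2 else (ages[mid - 1] + ages[mid]) / 2

def km_median_fix_days(findings: List[Finding], as_of: date = AS_OF) -> Optional[int]:
    """Kaplan-Meier estimate of the age by which half of all flaws are fixed.
    Open flaws are right-censored at their current age instead of being dropped."""
    obs = sorted((((f.fixed_on or as_of) - f.first_seen).days, f.fixed_on is not None)
                 for f in findings)
    at_risk, survival, i = len(obs), 1.0, 0
    while i < len(obs):
        t, j, events = obs[i][0], i, 0
        while j < len(obs) and obs[j][0] == t:   # group ties at age t
            events += obs[j][1]
            j += 1
        if events:
            survival *= 1 - events / at_risk
            if survival <= 0.5:
                return t
        at_risk -= j - i
        i = j
    return None   # fewer than half ever fixed: median not reached

if __name__ == "__main__":
    for name, fn in [("flaw_prevalence", flaw_prevalence), ("debt_prevalence", debt_prevalence),
                     ("oss_critical_debt_prevalence", oss_critical_debt_prevalence),
                     ("monthly_remediation_rate", remediation_rate),
                     ("naive_median_fix_days", naive_median_fix_days),
                     ("km_median_fix_days", km_median_fix_days)]:
        print(f"{name:30s} {fn(FINDINGS)}")
```

On the constructed data the naive median says half of the flaws are fixed in 105 days, while the Kaplan-Meier estimate is 790 days, because the four still-open flaws (two of them older than a year) count as not-yet-fixed rather than vanishing from the calculation. That difference is the reason a time-to-fix figure such as the report's 315 days has to come from survival analysis, and the same predicates give the per-application prevalence and monthly remediation metrics in the list.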

“The disparity between top- and bottom-performing government organizations is striking and raises important questions about the factors that make a material difference to security posture,” concluded Wysopal.