77% of Financial Service Organizations Accrued Security Debt in 2025

"The analysis reveals 63% of banking, financial services, and insurance (BFSI) organizations harbor critical security debt - high-severity flaws left unfixed for longer than a year - a rate of 13 percentage points higher than the cross-industry average. Veracode researchers report 77% of financial services organizations accrue some level of security debt."
"Despite modest gains in reducing high-severity flaws, progress has stalled as older, larger applications in the sector continue to accumulate unresolved security risks. While third-party code represents 17% of total security debt, it accounts for more than 82% of critical security debt at financial firms. With open-source flaws requiring 50% more time to remediate than first-party code, organizations face mounting exposure amid escalating regulatory pressure."
"The report benchmarks top-performing BFSI enterprises against lower-performing organizations. Industry leaders remediate over 9% of open flaws monthly and limit security debt to less than 26% of applications, while laggards have debt in 85% or more of their applications and stretch fix cycles beyond a year. The gap underscores the importance of continuous code analysis, rapid remediation, and contextual risk-based prioritization with modern, AI-powered tools."
Sixty-three percent of BFSI organizations carry critical security debt—high-severity flaws left unfixed for more than a year—13 percentage points above the cross-industry average. Seventy-seven percent of financial services firms carry some level of security debt. The average flaw half-life is 276 days, making remediation nearly a month slower than other industries. Older, larger applications continue to accumulate unresolved risks. Third-party code comprises 17% of total security debt but drives over 82% of critical debt, and open-source flaws take 50% longer to remediate than first-party code. Top performers remediate over 9% of open flaws monthly and keep debt under 26% of applications, while laggards exceed 85% and stretch fix cycles beyond a year.
Read at Securitymagazine