The State of Application Security in Financial Services: Managing Security Debt

Application security in financial services is essential to maintaining trust, compliance, and operational resilience in a rapidly evolving digital landscape. Financial services organizations must balance innovation with holistic security controls, especially as the pressure to launch new digital solutions grows. The evidence is clear: challenges around “security debt,” unresolved flaws left in production for over a year, pose material risk to the sector. Addressing application security in financial services is no longer optional; it is a requirement for business continuity and customer confidence.

Our 2025 State of Software Security (SOSS) report for the Financial Services sector offers an in-depth analysis of thousands of applications, delivering authoritative data on the maturity of application security in financial services. The findings provide industry leaders with benchmarks to evaluate their own security programs and shed light on areas with the most potential for risk reduction. This post delivers key insights from the report, vital benchmarks, and actionable guidance to improve application security in your financial services organization.

Flaw Prevalence: A Persistent Challenge in Financial Application Security

Security flaws are a constant in software development, and their impact is particularly acute in financial services. Our data shows that 57% of applications in the sector have at least one flaw identified during the latest static analysis security testing (SAST) scan. While this marks progress over previous years, the rate of improvement has stalled since 2021. This plateau indicates a need for more systematic processes to advance application security in financial services.

Key findings on flaw prevalence include:

  • 55% of applications in financial services contain flaws listed in the OWASP Top 10.
  • Only 8% of applications have high or critical-severity flaws, which is half the cross-industry average (16%).

The relative scarcity of high-severity flaws demonstrates strong investment in securing financial applications. However, the lack of momentum in reducing total flaw volume points to a need to evolve application security strategies in financial services – to keep up with the rapid cycle of code development and remediation. Security debt continues to grow when unresolved flaws linger, increasing overall risk.

Understanding and Quantifying Security Debt in Financial Services

Security debt (flaws left unresolved for more than a year) remains a fundamental challenge for application security in financial services. Like financial debt, these vulnerabilities compound over time, increasing exposure, regulatory risk, and remediation costs.

The 2025 SOSS report quantifies this threat:

  • 77% of financial services organizations report security debt in their application portfolio, slightly above the industry average of 74%.
  • 63% of these organizations possess critical security debt – defined as high-severity, long-unresolved flaws. This is 13 percentage points above the cross-industry average.

This persistence of critical security debt underscores the need for financial firms to invest in mature application security programs. Even though fewer high-severity flaws exist on average, those that do exist persist longer and leave organizations open to greater risk.

The Challenge of Fixing Flaws: Remediation in Financial Services

Finding flaws represents only the first step in strengthening application security in financial services. The more taxing task is remediation. Using “half-life” – the time to remediate 50% of discovered flaws – we can assess program efficiency.

For financial services, the flaw half-life is 276 days, almost a month slower than the cross-industry average (252 days). Two years after discovery, approximately 30% of flaws in financial applications remain unresolved. This slow closure rate is a primary driver of accumulating security debt in financial services organizations.

Several factors contribute. Development teams face pressure for rapid delivery, often sidelining security as a secondary concern. Without integrated tooling and guidance specific to financial sector needs, flaw remediation becomes cumbersome and prone to delays. The complexity of fixing flaws in open-source software adds further delay.

The Hidden Risk in Your Software Supply Chain: Open Source Security Debt

Addressing application security in financial services means looking beyond proprietary code to encompass the entire software supply chain. Third-party and open-source libraries, widely used to accelerate development, can introduce significant risk if not continuously monitored.

Key findings from our report:

  • Nearly 17% of all security debt in financial services originates from third-party code.
  • Over 82% of critical security debt stems from flaws in open-source components.

Remediation for open-source vulnerabilities takes around 50% longer than for custom code. One effective approach is to stop risky open-source packages from entering the codebase in the first place, using a tool such as Veracode Package Firewall. Risk reduction strategies that do not address this entry point are likely to fall short.

Benchmarking Application Security Performance: What Sets Financial Services Leaders Apart?

Our benchmarking distinguishes leaders from laggards in application security in financial services, delivering a performance roadmap for organizations that want to elevate their security posture.

Leading Organizations:

  • Remediate flaws quickly, achieving a half-life of just 2.5 months.
  • Maintain security debt in fewer than 26% of applications.
  • Fix over 9% of open flaws every month.

Lagging Organizations:

  • Require over a year (12.1 months) to remediate half of their flaws.
  • Carry security debt in over 85% of applications.
  • Address only 0.1% of open flaws each month.

Leading financial services organizations consistently embed application security into the software development lifecycle (SDLC). Continuous scanning and integration with developer workflows enable rapid flaw detection and remediation – a cost-effective way to mitigate security debt. Leaders also use Application Security Posture Management (ASPM) solutions to aggregate and prioritize findings, focus resources on exploitable risks, and drive measurable improvement.
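To make the metrics in this post reproducible on your own findings export, here is an added example (not Veracode's code or the report's methodology) that computes flaw half-life, security debt, critical security debt, the third-party share of that debt, the share of applications carrying debt, and the monthly fix rate over a small constructed finding list, then compares the results against the leader and laggard benchmarks quoted above. The `Finding` fields, the simple empirical half-life (age at which half of all discovered flaws have been closed), and the 30.44-day month used to convert the post's month figures are all assumptions made for this example.

```python
"""Program metrics from a findings list (added example; not Veracode's code).

Assumptions: a Finding record with app, severity, third_party, discovered and
closed fields; half-life measured empirically as the age at which half of all
discovered flaws had been closed; one month = 30.44 days for benchmark thresholds.
"""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional

DEBT_AGE_DAYS = 365      # post: security debt = unresolved for more than a year
DAYS_PER_MONTH = 30.44   # assumption for converting the post's month figures to days


@dataclass(frozen=True)
class Finding:
    app: str
    severity: str                  # "low" | "medium" | "high" | "critical"
    third_party: bool              # True if the flaw lives in an open-source/third-party component
    discovered: date
    closed: Optional[date] = None  # None while the flaw is still open


def age_days(f: Finding, as_of: date) -> int:
    """Days the finding was open (closed flaws) or has been open so far (open flaws)."""
    end = f.closed if f.closed is not None else as_of
    return (end - f.discovered).days


def half_life_days(findings, as_of: date) -> Optional[int]:
    """Age at which half of all discovered flaws had been closed.
    Returns None when fewer than half are closed yet (half-life not reached)."""
    closed_ages = sorted(age_days(f, as_of) for f in findings if f.closed is not None)
    needed = -(-len(findings) // 2)  # ceil(n / 2)
    if needed == 0 or len(closed_ages) < needed:
        return None
    return closed_ages[needed - 1]


def security_debt(findings, as_of: date):
    """Open flaws unresolved for more than DEBT_AGE_DAYS."""
    return [f for f in findings if f.closed is None and age_days(f, as_of) > DEBT_AGE_DAYS]


def critical_security_debt(findings, as_of: date):
    """Security debt restricted to high- and critical-severity flaws."""
    return [f for f in security_debt(findings, as_of) if f.severity in ("high", "critical")]


def third_party_share(debt) -> float:
    """Fraction of a debt list that originates in third-party/open-source code."""
    return sum(1 for f in debt if f.third_party) / len(debt) if debt else 0.0


def apps_with_debt_share(findings, as_of: date) -> float:
    """Fraction of applications carrying at least one security-debt flaw."""
    apps = {f.app for f in findings}
    debt_apps = {f.app for f in security_debt(findings, as_of)}
    return len(debt_apps) / len(apps) if apps else 0.0


def monthly_fix_rate(findings, as_of: date) -> float:
    """Share of flaws open at the start of the last 30 days that were closed within them."""
    start = as_of - timedelta(days=30)
    open_at_start = [f for f in findings
                     if f.discovered <= start and (f.closed is None or f.closed > start)]
    fixed = [f for f in open_at_start if f.closed is not None and start < f.closed <= as_of]
    return len(fixed) / len(open_at_start) if open_at_start else 0.0


def classify(half_life: Optional[int], debt_share: float, fix_rate: float) -> str:
    """Compare a program against the leader/laggard benchmarks quoted in the post."""
    if (half_life is not None and half_life <= 2.5 * DAYS_PER_MONTH
            and debt_share < 0.26 and fix_rate > 0.09):
        return "leader"
    if ((half_life is None or half_life > 12.1 * DAYS_PER_MONTH)
            and debt_share > 0.85 and fix_rate <= 0.001):
        return "lagging"
    return "middle"


# Constructed sample findings (not real data), evaluated as of 2025-06-30.
AS_OF = date(2025, 6, 30)
SAMPLE = [
    Finding("payments", "high", True, date(2023, 1, 10)),                     # open, >1 year: debt
    Finding("payments", "medium", False, date(2024, 1, 15), date(2024, 3, 1)),
    Finding("ledger", "critical", False, date(2024, 2, 1)),                   # open, >1 year: debt
    Finding("ledger", "low", True, date(2025, 5, 20), date(2025, 6, 15)),     # fixed in last 30 days
    Finding("mobile", "medium", True, date(2025, 4, 1)),                      # open, recent
    Finding("mobile", "high", True, date(2025, 3, 1), date(2025, 5, 10)),
]


def program_summary(findings=SAMPLE, as_of: date = AS_OF) -> dict:
    """All metrics for one portfolio, plus the benchmark classification."""
    debt = security_debt(findings, as_of)
    hl = half_life_days(findings, as_of)
    debt_share = apps_with_debt_share(findings, as_of)
    fix_rate = monthly_fix_rate(findings, as_of)
    return {
        "half_life_days": hl,
        "security_debt": len(debt),
        "critical_security_debt": len(critical_security_debt(findings, as_of)),
        "third_party_share_of_debt": third_party_share(debt),
        "apps_with_debt_share": debt_share,
        "monthly_fix_rate": fix_rate,
        "benchmark": classify(hl, debt_share, fix_rate),
    }


if __name__ == "__main__":
    for key, value in program_summary().items():
        print(f"{key}: {value}")
```

On the constructed sample the half-life is 70 days (well inside the leader threshold) but two of three applications carry year-old high- or critical-severity flaws, so the program lands in the middle band: exactly the pattern the post describes, where a low count of severe flaws coexists with debt that persists. Swap in your own scanner export and the same functions give you the benchmark comparison directly.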

Take Control of Application Security in Financial Services

The 2025 State of Software Security report for the financial services sector delivers the data-driven perspective financial services leaders need to benchmark and advance their application security programs. Understanding where you stand in relation to your peers is the starting point for meaningful risk reduction.

Prioritize remediation speed and contextualized findings, manage open-source risk, and integrate application security into your development lifecycle to systematically reduce security debt, protect sensitive assets, and maintain regulatory compliance in the face of evolving threats.

Download the full 2025 State of Software Security: Snapshot for the Financial Services Sector to access detailed benchmarks and targeted recommendations for enhancing application security in financial services.