77% of Financial Service Organizations Accrued Security Debt in 2025

A recent report by Veracode analyzed software security risks within the financial sector.
The analysis reveals 63% of banking, financial services, and insurance (BFSI) organizations harbor critical security debt (high-severity flaws left unfixed for longer than a year), a rate 13 percentage points higher than the cross-industry average.
Veracode researchers report 77% of financial services organizations accrue some level of security debt. With an average flaw half-life of 276 days — the time it takes to remediate 50 percent of all vulnerabilities — it takes the sector nearly a month longer to fix security issues than other industries. Despite modest gains in reducing high-severity flaws, progress has stalled as older, larger applications in the sector continue to accumulate unresolved security risks.
While third-party code represents 17% of total security debt, it accounts for more than 82% of critical security debt at financial firms. With open-source flaws requiring 50% more time to remediate than first-party code, organizations face mounting exposure amid escalating regulatory pressure.
The report benchmarks top-performing BFSI enterprises against lower-performing organizations. Industry leaders remediate over 9% of open flaws monthly and limit security debt to less than 26% of applications, while laggards have debt in 85% or more of their applications and stretch fix cycles beyond a year. The gap underscores the importance of continuous code analysis, rapid remediation, and contextual risk-based prioritization with modern, AI-powered tools.