Over half of government applications have unpatched flaws older than a year




Another 38% of apps inside government organizations have vulnerabilities that are not yet a year old but can become security debt if left unfixed, and only 3% are completely free of known flaws, compared to 6% across other sectors. “So, while (slightly) fewer public sector organizations have security debt, they tend to accumulate more of it,” the Veracode researchers concluded.

Most unpatched vulnerabilities come from first party code

Another interesting finding is that 92.8% of unpatched vulnerabilities older than a year originate in code written by the developers of those apps rather than in code imported from third-party sources such as open-source components and libraries. This is notable given that the majority of code inside any modern application is third-party code.

When it comes to critical security debt, the distribution between first-party and third-party code is about the same. This means that public sector organizations need to focus on both, but they have the most room to improve in first-party code, where 43% of the flaws eventually become security debt.

There are signs of progress: the average remediation time in the public sector is eight months for flaws in first-party code, compared to 14 months for vulnerabilities in third-party code. Still, more needs to be done for both of these figures to come down significantly.

In terms of programming languages, Java and .NET apps are the main source of security debt in the public sector, with apps written in Java also being the top source of critical debt. Apps written in JavaScript and Python also exhibit high rates of security debt, but less so when it comes to critical severity flaws.

An analysis of these apps across age and size has shown that the larger and older a codebase is, the more likely it is to accumulate security debt — 21% for the oldest and largest compared to 12% for the youngest and smallest.
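The metrics the report uses (security debt as an open flaw unfixed for more than a year, critical debt as the critical-severity slice of it, the first-party versus third-party split, and mean remediation time per origin) are easy to compute from any scanner export. The following script is an added example, not code from Veracode or from the article; the `Finding` record layout, the `origin` labels and the sample findings are constructed assumptions, and the 365-day threshold is taken from the report's definition of security debt.

```python
from dataclasses import dataclass
from datetime import date
from statistics import mean
from typing import Dict, List, Optional

# Definition used throughout the report: an open flaw becomes "security debt"
# once it has gone unfixed for more than a year.
SECURITY_DEBT_AGE_DAYS = 365


@dataclass(frozen=True)
class Finding:
    """One scanner finding. Field layout is an assumption for this example."""
    flaw_id: str
    severity: str                    # "critical", "high", "medium" or "low"
    origin: str                      # "first-party" (own code) or "third-party" (libraries)
    first_seen: date                 # date the scanner first reported the flaw
    fixed_on: Optional[date] = None  # None while the flaw is still open


def age_days(f: Finding, as_of: date) -> int:
    """Days the flaw has been open; for fixed flaws, days until the fix."""
    end = f.fixed_on if f.fixed_on is not None else as_of
    return (end - f.first_seen).days


def is_security_debt(f: Finding, as_of: date) -> bool:
    """Open and unfixed for more than SECURITY_DEBT_AGE_DAYS."""
    return f.fixed_on is None and age_days(f, as_of) > SECURITY_DEBT_AGE_DAYS


def summarize(findings: List[Finding], as_of: date) -> Dict[str, object]:
    """Open count, security debt, critical debt and the first/third-party split."""
    open_findings = [f for f in findings if f.fixed_on is None]
    debt = [f for f in open_findings if is_security_debt(f, as_of)]
    critical_debt = [f for f in debt if f.severity == "critical"]
    by_origin = {"first-party": 0, "third-party": 0}
    for f in debt:
        by_origin[f.origin] += 1
    return {
        "open": len(open_findings),
        "security_debt": len(debt),
        "critical_debt": len(critical_debt),
        "debt_by_origin": by_origin,
        "debt_ids": sorted(f.flaw_id for f in debt),
    }


def mean_remediation_days(findings: List[Finding], origin: str) -> Optional[float]:
    """Average days from first report to fix for closed flaws of one origin."""
    closed = [age_days(f, f.fixed_on) for f in findings
              if f.fixed_on is not None and f.origin == origin]
    return mean(closed) if closed else None


# Constructed sample export: seven findings, two of them already fixed.
AS_OF = date(2024, 6, 1)
SAMPLE_FINDINGS = [
    Finding("F-1", "critical", "first-party", date(2022, 1, 10)),
    Finding("F-2", "high", "first-party", date(2023, 12, 1)),
    Finding("F-3", "medium", "third-party", date(2023, 3, 15)),
    Finding("F-4", "critical", "third-party", date(2023, 5, 1)),
    Finding("F-5", "high", "first-party", date(2023, 1, 1), fixed_on=date(2023, 9, 1)),
    Finding("F-6", "medium", "third-party", date(2022, 6, 1), fixed_on=date(2023, 8, 1)),
    Finding("F-7", "low", "first-party", date(2024, 5, 1)),
]

if __name__ == "__main__":
    report = summarize(SAMPLE_FINDINGS, AS_OF)
    for key, value in report.items():
        print(f"{key}: {value}")
    for origin in ("first-party", "third-party"):
        print(f"mean remediation ({origin}): {mean_remediation_days(SAMPLE_FINDINGS, origin)} days")
```

Run against a real export, the two numbers worth tracking over time are the share of open flaws that have crossed the one-year line and the mean remediation time per origin; the report's point is that the first-party figure is the one an organization controls most directly.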


