Government agencies are operating with massive amounts of “security debt” — meaning unresolved vulnerabilities — putting them and the public at increased risk of falling victim to hackers, according to a Veracode report released Wednesday.
Roughly 80% of government agencies have software vulnerabilities that have gone unaddressed for at least a year, and roughly 55% of them have long-standing software flaws that place them at even greater risk, the report found.
Veracode’s research shows that it takes government agencies an average of 315 days to resolve half of their software vulnerabilities, compared to the combined public- and private-sector average of 252 days.
But companies and agencies alike are falling short of the necessary investments and procedures to address insecure software, according to Veracode.
“Organizations don’t have a process that includes enough engineering capacity to fix security issues found vs building more features and functionality,” Chris Wysopal, chief security evangelist at Veracode, told Cybersecurity Dive via email. “Their fixing process is not efficient enough to keep up with new flaws found when new code is written.”
The accumulated security debt stems from a number of issues. Many government agencies use old applications that are built on legacy frameworks, according to Veracode. In certain cases, these applications are so outdated that their developers no longer support them.
“Legacy government IT often lacks comprehensive visibility and integration capabilities, hindering timely identification and remediation of vulnerabilities,” Tom Kennedy, vice president of federal systems at Axonius, told Cybersecurity Dive. “These older systems frequently rely on outdated software, unpatched vulnerabilities, and insecure configurations — directly impacting overall security.”
Organizations need to prioritize the most critical vulnerabilities first to make sure they don’t turn into security threats, according to researchers at the Foundation for Defense of Democracies.
“No software is perfect, and every codebase carries security debt from the moment it is created,” said Georgianna Shea, chief technologist at the Center on Cyber and Technology Innovation at FDD. “Organizations should therefore expect some unaddressed vulnerabilities and budget accordingly — today’s safe code can become tomorrow’s risk if left unchecked.”
Government agencies often work under severe budget constraints and with limited personnel. Cyber experts have raised concerns in recent months about the security consequences of extensive budget cuts and job losses at federal agencies.
The Veracode report also raises concerns about the risks of third-party and open-source software. It finds that these programs account for only 10% of overall security debt but 70% of critical security debt on government networks.
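The figures above (flaws unaddressed for a year or more, the number of days it takes to fix half of all findings, and the share of critical debt attributable to third-party code) are metrics an agency can compute from its own scanner output. The following Python is an added illustration, not code from Veracode or from the article; it assumes a one-year threshold for counting an open finding as security debt and runs over a small constructed set of findings with a constructed reporting date, so the numbers it produces are not the report's.

```python
# Added example: computing security-debt metrics and a remediation queue
# from a list of findings. Data and the 365-day threshold are assumptions.
import math
from collections import Counter
from dataclasses import dataclass
from datetime import date
from typing import Dict, List, Optional


@dataclass(frozen=True)
class Finding:
    id: str
    severity: str            # "critical", "high", "medium" or "low"
    origin: str              # "first-party" or "third-party" (open source / vendor)
    opened: date             # date the scanner first reported the flaw
    closed: Optional[date] = None  # None means still unresolved


DEBT_AGE_DAYS = 365   # assumption: an open finding is "debt" once it is a year old
AS_OF = date(2025, 6, 1)  # constructed reporting date for the sample below

SEVERITY_RANK = {"critical": 0, "high": 1, "medium": 2, "low": 3}

# Constructed sample findings (hypothetical ids, not real vulnerabilities).
SAMPLE: List[Finding] = [
    Finding("F-1", "critical", "third-party", date(2023, 1, 10)),
    Finding("F-2", "high", "first-party", date(2024, 2, 1)),
    Finding("F-3", "medium", "first-party", date(2023, 6, 1)),
    Finding("F-4", "low", "first-party", date(2024, 4, 1)),
    Finding("F-5", "critical", "first-party", date(2025, 3, 1)),
    Finding("F-6", "medium", "third-party", date(2025, 5, 1)),
    Finding("F-7", "medium", "first-party", date(2024, 1, 15), date(2024, 3, 1)),
    Finding("F-8", "high", "first-party", date(2024, 9, 1), date(2025, 1, 15)),
    Finding("F-9", "low", "third-party", date(2024, 6, 1), date(2024, 6, 20)),
    Finding("F-10", "high", "third-party", date(2024, 1, 1), date(2025, 1, 1)),
    Finding("F-11", "medium", "first-party", date(2023, 3, 1), date(2023, 9, 1)),
    Finding("F-12", "critical", "first-party", date(2024, 11, 1), date(2024, 11, 20)),
]


def open_findings(findings: List[Finding], as_of: date = AS_OF) -> List[Finding]:
    """Findings still unresolved on the reporting date."""
    return [f for f in findings if f.closed is None or f.closed > as_of]


def age_days(f: Finding, as_of: date = AS_OF) -> int:
    """How long the finding has been open, in days."""
    return (as_of - f.opened).days


def security_debt(findings: List[Finding], as_of: date = AS_OF) -> List[Finding]:
    """Open findings older than the debt threshold."""
    return [f for f in open_findings(findings, as_of)
            if age_days(f, as_of) >= DEBT_AGE_DAYS]


def debt_share_by_origin(findings: List[Finding], critical_only: bool = False,
                         as_of: date = AS_OF) -> Dict[str, float]:
    """Fraction of (critical) debt that is first-party vs third-party code."""
    debt = security_debt(findings, as_of)
    if critical_only:
        debt = [f for f in debt if f.severity == "critical"]
    if not debt:
        return {}
    counts = Counter(f.origin for f in debt)
    return {origin: n / len(debt) for origin, n in counts.items()}


def half_life_days(findings: List[Finding]) -> Optional[int]:
    """Days by which half of all findings had been fixed.

    Returns None when half of the findings are still open, i.e. the
    organisation has not yet reached its half-life for this set.
    """
    needed = math.ceil(len(findings) / 2)
    closed_ages = sorted((f.closed - f.opened).days
                         for f in findings if f.closed is not None)
    if len(closed_ages) < needed:
        return None
    return closed_ages[needed - 1]


def remediation_queue(findings: List[Finding], as_of: date = AS_OF) -> List[Finding]:
    """Open findings ordered for fixing: highest severity first, oldest first within a severity."""
    return sorted(open_findings(findings, as_of),
                  key=lambda f: (SEVERITY_RANK[f.severity], -age_days(f, as_of)))


if __name__ == "__main__":
    print("open:", len(open_findings(SAMPLE)), "debt:", len(security_debt(SAMPLE)))
    print("debt by origin:", debt_share_by_origin(SAMPLE))
    print("critical debt by origin:", debt_share_by_origin(SAMPLE, critical_only=True))
    print("half-life (days):", half_life_days(SAMPLE))
    print("fix next:", [f.id for f in remediation_queue(SAMPLE)])
```

On the constructed data the third-party code is a quarter of all debt but all of the critical debt, the same shape of result the report describes, and the queue puts the old critical third-party finding ahead of the newer first-party ones; with real scanner exports the same functions give an agency a repeatable way to track whether its half-life is shrinking or growing between reports.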
State-linked hackers breached the Treasury Department in late 2024 after using a stolen key designed for cloud-based technical support to launch attacks on multiple customers of Treasury IT vendor BeyondTrust.