Veracode 2025 Report: Most governments have accumulated significant “security debt” through unaddressed software flaws.

According to a recent report from Veracode, most government organizations have left security flaws unaddressed for over a year, putting themselves in a very precarious position.

Unaddressed flaws in government software

• Widespread Security Debt: The 2025 Veracode Public Sector State of Software Security report reveals that 78% of government organizations are operating with significant “security debt”—software flaws that have remained unaddressed for more than a year.
• Critical Vulnerabilities: 55% of these organizations are burdened with “critical” security debt, meaning long-standing vulnerabilities that pose severe risks to government systems and data.
• Slow Remediation: Government agencies take an average of 315 days to remediate half of their software vulnerabilities, compared to 252 days for public- and private-sector organizations overall. This 63-day lag increases the risk of exploitation by threat actors.
• Persistent Flaws: Even after two years, one-third of vulnerabilities in government applications remain unresolved, and 15% persist for more than five years.

Let’s blame everyone else but the government

• Disproportionate Risk: While third-party and open-source code makes up less than 10% of the total security debt, it accounts for 70% of the critical security debt in government systems.
• Remediation Delays: Vulnerabilities in third-party and open-source components take about 50% longer to fix than those in internally developed software.

Causes of Accumulated Vulnerabilities
• Legacy Applications: Many government agencies rely on old, unsupported software that is difficult to update or patch, leading to persistent vulnerabilities.
• Resource Constraints: Budget limitations and staffing shortages hinder timely remediation of security flaws.
• Lack of Comprehensive Visibility: Outdated IT systems often lack the tools needed to identify and address vulnerabilities quickly.