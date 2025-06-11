Veracode today released its Public Sector State of Software Security 2025 report, revealing alarming trends in software security across government organizations. Drawing from an extensive analysis of 1.3 million unique applications and 126.4 million raw findings, the research shows 78 percent of public sector organizations are operating with significant security debt—flaws left unaddressed for more than a year. Moreover, 55 percent are burdened with ‘critical’ security debt, representing long-standing vulnerabilities with severe risk potential.

Public Sector Security Debt Exceeds Industry Average

In an era where public trust and digital infrastructure security are paramount, the public sector continues to struggle with timely vulnerability remediation. The research reveals that public sector entities require an average of 315 days to fix half their software vulnerabilities—significantly higher than the overall average of 252 days. This 63-day delay creates substantial windows of opportunity for potential application-layer attacks and data breaches.

The data further reveals that even after two years, one-third of security flaws in government applications remain unresolved, with 15 percent persisting for more than five years. This prolonged remediation (depicted in the survival curve in Fig. 1) illustrates how unaddressed vulnerabilities accumulate into widespread security debt.