UK Government security debt is putting public sector cybersecurity at risk
Critical security debt is being left unchecked, report claims
New research has revealed over half of public sector applications contain some kind of security debt - a vulnerability or flaw that has existed within the application for more than one year.
The Veracode State of Software Security Public Sector 2024 report found on a global scale, 42% of applications contain security debt, but looking at just the public sector reveals a stark difference, with 59% of public sector applications affected.
The public sector also tends to accumulate more security debt than other industries, with the flaw-free application rate being half (3%) that of other industries (6%).
Risk-prioritization vs reward
The UK public sector has become a prime target for threat actors over the past few years, partly due to aging IT systems and a lack of investment. Chinese threat actors allegedly broke into the Ministry of Defence (MoD) personnel files in May 2024, and the MoD is among the worst rated IT systems in Whitehall.
Recent efforts have however signaled change in the government’s approach to public sector security, with the National Cyber Strategy laying the foundations of enhanced cyber resilience in the UK, and the government's efforts to draft new measures that would require organizations to prioritize application security when selling software to the UK public sector.
“The good news is that most organisations have the capacity to remediate all critical debt, but risk prioritisation is key,” said Chris Eng, Chief Research Officer at Veracode. “Two-thirds of all flaws in public sector organisations are either less than one year old or are not critical in severity. In addition, less than one percent of all flaws constitute critical security debt. By prioritising that security debt with focused effort, organisations can achieve maximum risk reduction and then move to address non-critical flaws based on their risk tolerance and capabilities.”
Of particular concern is the amount of high-severity security debt, with the global metrics suggesting that 40% of public sector organizations contain critical security debt. In the UK, over half (55.5%) of critical security debt is due to third-party code and dependencies, with the government aiming to crack down on the use of unsecured and unsustainable open-source software.
Are you a pro? Subscribe to our newsletter
Sign up to the TechRadar Pro newsletter to get all the top news, opinion, features and guidance your business needs to succeed!
“The current state of software security in the public sector reinforces the importance of making secure by design a standard approach for the whole network connected world,” Eng concluded. “Our goal with this research is to further support government and industry partners in promoting widespread adoption of these principles.”
More from TechRadar Pro
- Get rid of that virus with the best malware removal tools
- Huge amounts of UK data at risk of being stolen from aging Whitehall computer systems
- These are the best endpoint protection services around
Benedict has been writing about security issues for over 7 years, first focusing on geopolitics and international relations while at the University of Buckingham. During this time he studied BA Politics with Journalism, for which he received a second-class honours (upper division), then continuing his studies at a postgraduate level, achieving a distinction in MA Security, Intelligence and Diplomacy. Upon joining TechRadar Pro as a Staff Writer, Benedict transitioned his focus towards cybersecurity, exploring state-sponsored threat actors, malware, social engineering, and national security. Benedict is also an expert on B2B security products, including firewalls, antivirus, endpoint security, and password management.