The study also revealed significant disparities in remediation timelines between first-party and third-party flaws.
Financial organisations typically fix half of first-party flaws within nine months, compared to 13 months for third-party flaws.
Additionally, 52% of third-party flaws turn into security debt, compared with 44% of first-party flaws.
These findings highlight the challenges financial institutions face in managing and updating third-party dependencies, which often require coordination with external developers or vendors.
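The two metrics quoted above (the time by which half of a cohort of flaws is fixed, and the share of flaws that become security debt) are straightforward to compute from an organisation's own scan history. The script below is an added example, not code from the study or the article; it assumes a one-year threshold for security debt and uses a small constructed set of flaw records with found/fixed dates, split by first-party and third-party origin.

```python
from dataclasses import dataclass
from datetime import date
from typing import Optional

# Assumption: a flaw counts as security debt once it has stayed open for more than a year.
SECURITY_DEBT_DAYS = 365


@dataclass
class Flaw:
    flaw_id: str
    origin: str            # "first-party" or "third-party"
    found: date
    fixed: Optional[date]  # None while the flaw is still open


def days_open(flaw: Flaw, as_of: date) -> int:
    """Days between discovery and fix, or discovery and the reporting date if unfixed."""
    end = flaw.fixed if flaw.fixed is not None else as_of
    return (end - flaw.found).days


def half_life_days(flaws: list, origin: str, as_of: date) -> Optional[int]:
    """Days by which at least half of the origin's flaws were fixed.

    Unfixed flaws stay in the cohort, so this is not simply the median of fix times:
    if fewer than half of the cohort is fixed by `as_of`, there is no half-life yet.
    """
    cohort = [f for f in flaws if f.origin == origin]
    fix_ages = sorted(days_open(f, as_of) for f in cohort if f.fixed is not None)
    needed = (len(cohort) + 1) // 2  # number of fixes that constitutes "half"
    if needed == 0 or len(fix_ages) < needed:
        return None
    return fix_ages[needed - 1]


def security_debt_rate(flaws: list, origin: str, as_of: date) -> float:
    """Fraction of the origin's flaws that were open for longer than the debt threshold.

    A flaw fixed after the threshold still counts: it was security debt before it was closed.
    """
    cohort = [f for f in flaws if f.origin == origin]
    if not cohort:
        return 0.0
    debt = [f for f in cohort if days_open(f, as_of) > SECURITY_DEBT_DAYS]
    return len(debt) / len(cohort)


def report(flaws: list, as_of: date) -> dict:
    """Summarise both metrics per origin, mirroring the comparison in the study."""
    return {
        origin: {
            "half_life_days": half_life_days(flaws, origin, as_of),
            "security_debt_rate": security_debt_rate(flaws, origin, as_of),
        }
        for origin in ("first-party", "third-party")
    }


# Constructed sample data (not real scan results); reporting date is 2024-06-30.
AS_OF = date(2024, 6, 30)
SAMPLE_FLAWS = [
    Flaw("F1", "first-party", date(2023, 1, 10), date(2023, 4, 10)),   # 90 days
    Flaw("F2", "first-party", date(2023, 2, 1), date(2023, 9, 1)),     # 212 days
    Flaw("F3", "first-party", date(2023, 3, 15), date(2024, 5, 15)),   # 427 days, debt
    Flaw("F4", "first-party", date(2023, 6, 1), None),                 # 395 days open, debt
    Flaw("T1", "third-party", date(2023, 1, 5), date(2023, 6, 5)),     # 151 days
    Flaw("T2", "third-party", date(2023, 2, 10), date(2024, 4, 10)),   # 425 days, debt
    Flaw("T3", "third-party", date(2023, 3, 1), None),                 # 487 days open, debt
    Flaw("T4", "third-party", date(2023, 4, 20), None),                # 437 days open, debt
]

if __name__ == "__main__":
    for origin, metrics in report(SAMPLE_FLAWS, AS_OF).items():
        print(f"{origin}: half-life {metrics['half_life_days']} days, "
              f"security debt {metrics['security_debt_rate']:.0%}")
```

The half-life deliberately keeps unfixed flaws in the denominator; computing the median over fixed flaws only would flatter a backlog that is mostly still open, which is exactly the pattern the third-party figures describe.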
The prevalence of security debt in third-party code emphasises the importance of initiatives such as the Cybersecurity and Infrastructure Security Agency’s Open Source Software Security Roadmap and Secure by Design Pledge.
These programmes aim to enhance the security of the open-source ecosystem, which plays a crucial role in modern software development across industries, including finance.
Implications for the global financial system
The accumulation of security debt in the financial sector has far-reaching implications for the global economy.
As financial institutions become increasingly interconnected and reliant on digital systems, vulnerabilities in one organisation’s software can potentially cascade through the entire financial ecosystem.