UK Government security debt is putting public sector cybersecurity at risk


New research has revealed over half of public sector applications contain some kind of security debt - a vulnerability or flaw that has existed within the application for more than one year.

The Veracode State of Software Security Public Sector 2024 report found that, globally, 42% of applications contain security debt, but the public sector alone shows a stark difference, with 59% of public sector applications affected.

The public sector also tends to accumulate more security debt than other industries, and its flaw-free application rate (3%) is half that of other industries (6%).

Risk-prioritization vs reward

The UK public sector has become a prime target for threat actors over the past few years, partly due to aging IT systems and a lack of investment. Chinese threat actors allegedly broke into Ministry of Defence (MoD) personnel files in May 2024, and the MoD's IT systems are among the worst rated in Whitehall.

Recent efforts have, however, signaled a change in the government's approach to public sector security: the National Cyber Strategy lays the foundations of enhanced cyber resilience in the UK, and the government is drafting new measures that would require organizations to prioritize application security when selling software to the UK public sector.

“The good news is that most organisations have the capacity to remediate all critical debt, but risk prioritisation is key,” said Chris Eng, Chief Research Officer at Veracode. “Two-thirds of all flaws in public sector organisations are either less than one year old or are not critical in severity. In addition, less than one percent of all flaws constitute critical security debt. By prioritising that security debt with focused effort, organisations can achieve maximum risk reduction and then move to address non-critical flaws based on their risk tolerance and capabilities.”

Of particular concern is the amount of high-severity security debt, with the global metrics suggesting that 40% of public sector organizations contain critical security debt. In the UK, over half (55.5%) of critical security debt is due to third-party code and dependencies, with the government aiming to crack down on the use of unsecured and unsustainable open-source software.

“The current state of software security in the public sector reinforces the importance of making secure by design a standard approach for the whole network connected world,” Eng concluded. “Our goal with this research is to further support government and industry partners in promoting widespread adoption of these principles.”


Benedict Collins
Staff Writer (Security)

Benedict has been writing about security issues for close to 5 years, at first covering geopolitics and international relations while at the University of Buckingham. During this time he studied BA Politics with Journalism, for which he received a second-class honours (upper division). Benedict then continued his studies at a postgraduate level and achieved a distinction in MA Security, Intelligence and Diplomacy. Benedict transitioned his security interests towards cybersecurity upon joining TechRadar Pro as a Staff Writer, focussing on state-sponsored threat actors, malware, social engineering, and national security. Benedict is also an expert on B2B security products, including firewalls, antivirus, endpoint security, and password management.