UK Government security debt is putting public sector cybersecurity at risk

Houses of Parliament (Image credit: Pixabay)

New research has revealed over half of public sector applications contain some kind of security debt - a vulnerability or flaw that has existed within the application for more than one year.

The Veracode State of Software Security Public Sector 2024 report found that, on a global scale, 42% of applications contain security debt, but looking at just the public sector reveals a stark difference, with 59% of public sector applications affected.

Risk-prioritization vs reward

The UK public sector has become a prime target for threat actors over the past few years, partly due to aging IT systems and a lack of investment. Chinese threat actors allegedly broke into Ministry of Defence (MoD) personnel files in May 2024, and the MoD's IT systems are among the worst rated in Whitehall.

Recent efforts have, however, signaled a change in the government's approach to public sector security, with the National Cyber Strategy laying the foundations of enhanced cyber resilience in the UK, and the government drafting new measures that would require organizations to prioritize application security when selling software to the UK public sector.

“The good news is that most organisations have the capacity to remediate all critical debt, but risk prioritisation is key,” said Chris Eng, Chief Research Officer at Veracode. “Two-thirds of all flaws in public sector organisations are either less than one year old or are not critical in severity. In addition, less than one percent of all flaws constitute critical security debt. By prioritising that security debt with focused effort, organisations can achieve maximum risk reduction and then move to address non-critical flaws based on their risk tolerance and capabilities.”

Of particular concern is the amount of high-severity security debt, with the global metrics suggesting that 40% of public sector organizations carry critical security debt. In the UK, over half (55.5%) of critical security debt is due to third-party code and dependencies, and the government is aiming to crack down on the use of unsecured and unsustainable open-source software.
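To make the report's definitions concrete, here is an added worked example (not code from Veracode or the article): a short Python triage script that flags findings unresolved for more than a year as security debt, counts critical debt and the share of it coming from third-party code, and orders remediation the way Eng describes, critical debt first. The findings, the scan date and the field names are constructed for illustration.

```python
from dataclasses import dataclass
from datetime import date, timedelta

@dataclass(frozen=True)
class Finding:
    id: str
    severity: str      # "critical", "high", "medium" or "low"
    first_seen: date   # date the scanner first reported the flaw
    third_party: bool  # True if the flaw sits in a dependency, not first-party code

DEBT_AGE = timedelta(days=365)  # report definition: open for more than one year
SEVERITY_RANK = {"critical": 0, "high": 1, "medium": 2, "low": 3}

def is_security_debt(f: Finding, today: date) -> bool:
    return today - f.first_seen > DEBT_AGE

def is_critical_debt(f: Finding, today: date) -> bool:
    return is_security_debt(f, today) and f.severity == "critical"

def summarize(findings: list, today: date) -> dict:
    """Share of findings that are debt, critical debt count, and its third-party share."""
    debt = [f for f in findings if is_security_debt(f, today)]
    critical = [f for f in debt if f.severity == "critical"]
    return {
        "debt_share": len(debt) / len(findings) if findings else 0.0,
        "critical_debt_count": len(critical),
        "critical_debt_third_party_share":
            sum(f.third_party for f in critical) / len(critical) if critical else 0.0,
    }

def remediation_order(findings: list, today: date) -> list:
    """Critical debt first, then other debt by severity, then fresh flaws; oldest first on ties."""
    def key(f: Finding):
        tier = 0 if is_critical_debt(f, today) else 1 if is_security_debt(f, today) else 2
        return (tier, SEVERITY_RANK[f.severity], f.first_seen)
    return [f.id for f in sorted(findings, key=key)]

# Constructed sample scan, as if run on 1 June 2024 (hypothetical data).
TODAY = date(2024, 6, 1)
SAMPLE = [
    Finding("F1", "critical", date(2022, 3, 1), True),
    Finding("F2", "high", date(2024, 2, 1), False),
    Finding("F3", "critical", date(2024, 4, 15), False),
    Finding("F4", "low", date(2021, 8, 9), False),
    Finding("F5", "critical", date(2023, 1, 20), False),
    Finding("F6", "medium", date(2023, 5, 30), True),
]

if __name__ == "__main__":
    print(summarize(SAMPLE, TODAY))
    print(remediation_order(SAMPLE, TODAY))
```

F3 is critical but only weeks old, so it ranks below the year-old critical flaws F1 and F5; that is the distinction between a critical flaw and critical security debt.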

“The current state of software security in the public sector reinforces the importance of making secure by design a standard approach for the whole network connected world,” Eng concluded. “Our goal with this research is to further support government and industry partners in promoting widespread adoption of these principles.”

Benedict Collins
Senior Writer, Security

Benedict has been with TechRadar Pro for over two years, and has specialized in writing about cybersecurity, threat intelligence, and B2B security solutions. His coverage explores the critical areas of national security, including state-sponsored threat actors, APT groups, critical infrastructure, and social engineering.

Benedict holds an MA (Distinction) in Security, Intelligence, and Diplomacy from the Centre for Security and Intelligence Studies at the University of Buckingham, providing him with a strong academic foundation for his reporting on geopolitics, threat intelligence, and cyber-warfare.

Prior to his postgraduate studies, Benedict earned a BA in Politics with Journalism, providing him with the skills to translate complex political and security issues into comprehensible copy.