Over half of government applications have unpatched flaws older than a year

Vulnerability severity matters

It is worth keeping in mind that vulnerability severity matters. According to Veracode, 24% of flaws are non-critical ones that already qualify as security debt, and another 67% are non-critical flaws that are not yet older than a year. Critical and high severity flaws account for around 8% of the total, and of those, about 0.5% are older than a year.

These rates might not sound alarming, but consider that a single critical vulnerability can be enough for a major security breach. For example, the massive 2017 data breach at Equifax, which exposed the Social Security numbers and other personal information of nearly half of the US population, was the result of failing for roughly two months to apply an available patch for a critical vulnerability in the Apache Struts Java web application framework.

There are many similar examples, but it is also worth considering that patching is not the only way to mitigate a vulnerability. It remains the best way, but compensating controls such as web application firewall rules, network segmentation or disabling the vulnerable component can lower the chances of exploitation while a fix is pending. Not every vulnerable application is exposed directly to the internet either, which significantly decreases the risk of exploitation, though an internal-only flaw is still reachable by an attacker who has already gained a foothold in the network, so it should still be tracked and fixed rather than written off.
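The two ideas above, classifying scanner findings into the severity-by-age cells the article quotes and then deciding what to patch first given exposure and compensating controls, can be turned into a small triage script. The following is an added example written for this page; it is not code from the article or from Veracode. The one-year security-debt threshold comes from the text, while the severity weights, the score adjustments, the `Finding` fields and the sample findings (labelled `FLAW-001` and so on, not real CVE identifiers) are constructed assumptions for illustration.

```python
from dataclasses import dataclass
from datetime import date, timedelta

# A flaw counts as "security debt" once it has stayed unfixed for more than
# a year; this threshold is the one used in the text.
SECURITY_DEBT_AGE = timedelta(days=365)

# Numeric severity weights are an assumption of this example, not a standard.
SEVERITY_WEIGHT = {"critical": 4, "high": 3, "medium": 2, "low": 1}


@dataclass(frozen=True)
class Finding:
    app: str
    flaw_id: str                 # hypothetical tracker id, not a real CVE
    severity: str                # critical / high / medium / low
    first_seen: date             # date the scanner first reported the flaw
    internet_exposed: bool       # reachable directly from the internet?
    compensating_control: bool = False   # e.g. WAF rule or segmentation in place


def is_security_debt(finding: Finding, today: date) -> bool:
    """A finding becomes security debt once it is older than a year."""
    return today - finding.first_seen > SECURITY_DEBT_AGE


def is_serious(finding: Finding) -> bool:
    """The report groups critical and high severity flaws together."""
    return finding.severity in ("critical", "high")


def debt_breakdown(findings: list, today: date) -> dict:
    """Fraction of all findings in each of the four cells the article
    discusses: (critical/high or not) x (security debt or not)."""
    cells = {"serious_debt": 0, "serious_fresh": 0,
             "other_debt": 0, "other_fresh": 0}
    for f in findings:
        key = ("serious" if is_serious(f) else "other")
        key += "_debt" if is_security_debt(f, today) else "_fresh"
        cells[key] += 1
    return {k: round(v / len(findings), 3) for k, v in cells.items()}


def patch_priority(finding: Finding, today: date) -> int:
    """Higher score = patch first. Severity dominates; age and internet
    exposure raise the score; a documented compensating control lowers it,
    but never to zero, because it reduces rather than removes exploitability."""
    score = SEVERITY_WEIGHT[finding.severity] * 10
    if is_security_debt(finding, today):
        score += 5
    if finding.internet_exposed:
        score += 8
    if finding.compensating_control:
        score -= 4
    return score


def prioritized(findings: list, today: date) -> list:
    """Findings ordered by descending patch priority (stable for ties)."""
    return sorted(findings, key=lambda f: patch_priority(f, today), reverse=True)


# Constructed sample scan output for an imaginary agency portfolio.
TODAY = date(2024, 6, 1)
SAMPLE_FINDINGS = [
    Finding("citizen-portal", "FLAW-001", "critical", date(2023, 3, 10), True),
    Finding("citizen-portal", "FLAW-002", "high",     date(2024, 4, 20), True),
    Finding("hr-intranet",    "FLAW-003", "critical", date(2023, 1, 15), False, True),
    Finding("hr-intranet",    "FLAW-004", "medium",   date(2022, 11, 2), False),
    Finding("grants-api",     "FLAW-005", "medium",   date(2024, 2, 12), True),
    Finding("grants-api",     "FLAW-006", "low",      date(2023, 5, 30), True),
    Finding("payroll",        "FLAW-007", "low",      date(2024, 5, 1),  False),
    Finding("payroll",        "FLAW-008", "medium",   date(2024, 3, 3),  False),
    Finding("records",        "FLAW-009", "high",     date(2024, 1, 8),  False, True),
    Finding("records",        "FLAW-010", "medium",   date(2023, 8, 19), True),
]

if __name__ == "__main__":
    print("breakdown:", debt_breakdown(SAMPLE_FINDINGS, TODAY))
    for f in prioritized(SAMPLE_FINDINGS, TODAY):
        print(f"{patch_priority(f, TODAY):3d}  {f.app:15s} {f.flaw_id} "
              f"{f.severity:8s} debt={is_security_debt(f, TODAY)}")
```

On the sample data the internet-facing critical flaw that has already aged into security debt lands at the top, while the internal critical flaw with a compensating control comes second rather than dropping off the list: the control buys time, it does not retire the finding. Swap `SAMPLE_FINDINGS` for the export of a real scanner and the same two functions give the debt ratios and the patch queue for an actual portfolio.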
