Veracode: Half of Organizations Burdened by Security Debt

Application risk-management company Veracode published its 15th edition of the State of Software Security (SoSS). This report is based on a dataset of 1.3 million unique applications and 126.4 million raw findings, highlighting emerging trends while offering a new view of software security maturity. 

Of note, the research revealed an alarming increase in the average fix time for security flaws – from 171 to 252 days – over the past five years. Moreover, 50 percent of organizations now carry critical security debt, defined as accumulated flaws left open for longer than a year. The majority originate from third-party code and the software supply chain. 

“The attack surface has become increasingly complicated, particularly in the last couple of years with the explosion of AI engineering,” said Veracode chief security evangelist, Chris Wysopal. “Last year’s report found 46 percent of organizations had high-severity security debt. While the year-on-year increase may seem marginal, it is going in the wrong direction. Our investigations provide solid evidence that organizations can drive down debt, but many need help to prioritize which vulnerabilities to tackle first.” 

Veracode’s research also analyzed the security debt distribution across organizations. While some have almost no debt and others are drowning in it, most fall somewhere in between, with a mix of debt-free and debt-ridden applications. 

“The gap between the top 25 percent and bottom 25 percent of organizations is fascinating,” said Wysopal. “The results raise the question of which factors account for the marked differences in how organizations manage security debt and what teams can do to tackle it.” 

Veracode’s research pinpointed five key metrics that indicate security maturity and predict an organization’s ability to systematically reduce risk: 

  • Flaw prevalence 
  • Fix capacity 
  • Fix speed 
  • Debt prevalence 
  • Open-source debt 

Of note, leading organizations have flaws in fewer than 43 percent of applications, while lagging organizations exceed 86 percent. Additionally, leaders resolve over 10 percent of flaws monthly, whereas laggards address less than one percent. 

Fewer than 17 percent of applications in leading organizations carry security debt, compared with more than 67 percent in lagging ones. Leading organizations keep open-source critical debt under 15 percent, while in lagging organizations 100 percent of critical debt is open source. 
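The five metrics above, with the leader/laggard cut-offs the article quotes, can be computed from a team's own scan export. The script below is an added example, not code from Veracode or the SoSS report: it works over a small constructed set of findings for four hypothetical applications, applies the report's one-year definition of security debt, and bands each metric against the quoted thresholds. The finding record layout, the choice of a one-month window for fix capacity, and the handling of "100 percent open source" as a greater-or-equal comparison are assumptions; fix speed is reported without a band because the page states only the industry average, not leader or laggard values.

```python
from dataclasses import dataclass
from datetime import date
from typing import Optional

DEBT_AGE_DAYS = 365  # report's definition: a flaw left open longer than a year is security debt


@dataclass
class Finding:
    app: str
    severity: str        # "critical", "high", "medium" or "low"
    source: str          # "first-party" or "open-source" (third-party code)
    opened: date
    closed: Optional[date] = None   # None while the flaw is still open


# Constructed sample findings (hypothetical apps, not Veracode data).
AS_OF = date(2025, 2, 1)
MONTH_START, MONTH_END = date(2025, 1, 1), date(2025, 1, 31)   # window for fix capacity
APPS = ["billing", "portal", "api", "batch"]                   # "batch" has no findings at all
FINDINGS = [
    Finding("billing", "critical", "open-source", date(2023, 6, 1)),                   # open 611 days: debt
    Finding("billing", "high", "first-party", date(2024, 11, 1), date(2025, 1, 15)),   # fixed in 75 days
    Finding("portal", "medium", "first-party", date(2025, 1, 10)),                     # open 22 days: not debt
    Finding("portal", "critical", "first-party", date(2024, 1, 1), date(2025, 1, 20)), # fixed in 385 days
    Finding("api", "low", "first-party", date(2024, 12, 1), date(2025, 1, 5)),         # fixed in 35 days
    Finding("api", "critical", "first-party", date(2023, 10, 1)),                      # open 489 days: debt
]


def is_open(f: Finding, as_of: date) -> bool:
    return f.opened <= as_of and (f.closed is None or f.closed > as_of)


def is_debt(f: Finding, as_of: date) -> bool:
    return is_open(f, as_of) and (as_of - f.opened).days > DEBT_AGE_DAYS


def ratio(num: int, den: int) -> float:
    return num / den if den else 0.0


def flaw_prevalence(findings, apps, as_of) -> float:
    """Share of applications with at least one open flaw."""
    flawed = {f.app for f in findings if is_open(f, as_of)}
    return ratio(len(flawed & set(apps)), len(apps))


def fix_capacity(findings, start, end) -> float:
    """Share of the backlog open at the start of the window that was closed within it."""
    backlog = [f for f in findings if is_open(f, start)]
    closed = [f for f in backlog if f.closed is not None and start <= f.closed <= end]
    return ratio(len(closed), len(backlog))


def fix_speed(findings, as_of) -> float:
    """Average days from discovery to fix over flaws fixed by as_of."""
    durations = [(f.closed - f.opened).days for f in findings if f.closed and f.closed <= as_of]
    return sum(durations) / len(durations) if durations else 0.0


def debt_prevalence(findings, apps, as_of) -> float:
    """Share of applications carrying at least one flaw older than a year."""
    indebted = {f.app for f in findings if is_debt(f, as_of)}
    return ratio(len(indebted & set(apps)), len(apps))


def open_source_critical_debt(findings, as_of) -> float:
    """Share of critical security debt that originates in open-source code."""
    critical_debt = [f for f in findings if f.severity == "critical" and is_debt(f, as_of)]
    return ratio(sum(1 for f in critical_debt if f.source == "open-source"), len(critical_debt))


def classify(value, leader, laggard, higher_is_better=False) -> str:
    """Band a metric as leader / laggard / middle using the article's quoted cut-offs."""
    if higher_is_better:
        if value > leader:
            return "leader"
        if value < laggard:
            return "laggard"
    else:
        if value < leader:
            return "leader"
        if value >= laggard:   # ">=" so that "100 percent open source" lands in the laggard band
            return "laggard"
    return "middle"


def maturity_report(findings=FINDINGS, apps=APPS, as_of=AS_OF, start=MONTH_START, end=MONTH_END):
    fp, fc = flaw_prevalence(findings, apps, as_of), fix_capacity(findings, start, end)
    dp, os_debt = debt_prevalence(findings, apps, as_of), open_source_critical_debt(findings, as_of)
    return {
        "flaw_prevalence": (fp, classify(fp, leader=0.43, laggard=0.86)),
        "fix_capacity": (fc, classify(fc, leader=0.10, laggard=0.01, higher_is_better=True)),
        "fix_speed_days": (fix_speed(findings, as_of), "n/a"),   # page quotes no leader/laggard value
        "debt_prevalence": (dp, classify(dp, leader=0.17, laggard=0.67)),
        "open_source_critical_debt": (os_debt, classify(os_debt, leader=0.15, laggard=1.0)),
    }


if __name__ == "__main__":
    for metric, (value, band) in maturity_report().items():
        print(f"{metric:28s} {value:8.2f}  {band}")
```

Pointing the script at a real export means mapping each scanner finding to a `Finding` (application, severity, first-party vs. dependency, open and close dates) and choosing the reporting window; the bands then show which of the five metrics are furthest from the leading quartile and therefore where fix effort moves the organization most.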

“The research provides a helpful framework for organizations to assess their security maturity. This enables them to understand specific factors contributing to security debt, gauge each metric’s importance and benchmark their own performance against similar organizations,” added Wysopal. “We offer in-depth recommendations from our experts and leading organizations on how to improve.”