Veracode Reveals Half of Organisations Burdened by Critical Security Debt, with 70% Stemming from Third-party Code and the Software Supply Chain

February 2025 by Veracode

Veracode launched its 15th edition of the State of Software Security (SoSS) report. The report, based on an extensive dataset of 1.3 million unique applications and 126.4 million raw findings, highlights important trends and offers a new view of software security maturity to improve application risk management practices.

The research reveals an alarming increase in the average fix time for security flaws—from 171 days to 252 days over the past five years, and up 327 percent since the report’s first volume 15 years ago. Moreover, 50 percent of organisations now carry critical security debt, defined as accumulated flaws left open for longer than a year. The majority of these vulnerabilities originate from third-party code and the software supply chain. Unresolved security debt leaves organisations open to attack, exposing them to reputational, financial, and operational damage.

Chris Wysopal, Chief Security Evangelist at Veracode, said, “The attack surface has become increasingly complicated, particularly in the last couple of years with the explosion of AI engineering. Last year’s report found 46 percent of organisations had high-severity security debt. While the year-on-year increase may seem marginal, it is going in the wrong direction. Our investigations provide solid evidence that organisations can drive down debt, but many need help to prioritise which vulnerabilities to tackle first.”

Benchmarking Security Performance
Veracode’s research also analysed the distribution of security debt across organisations. While some have almost no debt and others are drowning in it, most fall somewhere in between, with a mix of debt-free and debt-ridden applications.

“The gap between the top 25 percent and bottom 25 percent of organisations is fascinating,” Wysopal said. “The results raise the question of which factors account for the marked differences in how organisations manage security debt and what teams can do to tackle it.”

Veracode’s research pinpoints five key metrics that indicate security maturity and predict an organisation’s ability to systematically reduce risk: flaw prevalence, fix capacity, fix speed, debt prevalence, and open-source debt. The report explains each metric’s importance and reveals the parameters that determine whether an organisation is “leading” or “lagging.”

• Flaw prevalence: Leading organisations have flaws in fewer than 43 percent of applications, while lagging organisations exceed 86 percent.
• Fix capacity: Leaders resolve over 10 percent of flaws monthly, whereas laggards address less than 1 percent.
• Fix speed: Top performers remediate half of flaws in five weeks; lower-performing organisations take longer than a year.
• Security debt prevalence: Less than 17 percent of applications in leading organisations carry security debt, compared with more than 67 percent in lagging ones.
• Open-source debt: Leading organisations keep open-source critical debt under 15 percent, while 100 percent of critical debt is open source in lagging organisations.
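The five metrics above can be computed from an ordinary findings export and compared against the leading/lagging thresholds the report states. The script below is an added example, not Veracode's code or methodology: the thresholds are the ones quoted above, but the way each metric is computed from individual findings (an open flaw older than a year counts as debt; fix capacity is the share of flaws open at the start of a month that were closed within it; fix speed is the median days-to-close) is this example's own assumption, and the five applications and their findings are constructed sample data.

```python
from __future__ import annotations

from dataclasses import dataclass
from datetime import date, timedelta
from statistics import median

DEBT_AGE = timedelta(days=365)  # report's definition: a flaw left open longer than a year is security debt


@dataclass(frozen=True)
class Finding:
    app: str
    opened: date
    closed: date | None   # None means the flaw is still open
    severity: str         # "critical", "high", "medium" or "low"
    source: str           # "open-source" (third-party component) or "first-party"


def is_open(f: Finding, as_of: date) -> bool:
    return f.opened <= as_of and (f.closed is None or f.closed > as_of)


def is_debt(f: Finding, as_of: date) -> bool:
    return is_open(f, as_of) and as_of - f.opened > DEBT_AGE


def ratio(num: int, den: int) -> float | None:
    # None signals "no data", so an empty portfolio is not mistaken for a perfect one
    return None if den == 0 else num / den


def flaw_prevalence(findings, apps, as_of) -> float | None:
    flawed = {f.app for f in findings if is_open(f, as_of)}
    return ratio(len(flawed & set(apps)), len(apps))


def fix_capacity(findings, month_start, month_end) -> float | None:
    # share of flaws open at the start of the window that were closed inside it (assumed definition)
    open_at_start = [f for f in findings if is_open(f, month_start)]
    closed = [f for f in open_at_start if f.closed is not None and month_start < f.closed <= month_end]
    return ratio(len(closed), len(open_at_start))


def fix_speed_days(findings, as_of) -> float | None:
    # median days from opening to closing (assumed definition of "remediate half of flaws")
    durations = [(f.closed - f.opened).days for f in findings if f.closed is not None and f.closed <= as_of]
    return None if not durations else median(durations)


def debt_prevalence(findings, apps, as_of) -> float | None:
    indebted = {f.app for f in findings if is_debt(f, as_of)}
    return ratio(len(indebted & set(apps)), len(apps))


def open_source_debt(findings, as_of) -> float | None:
    # share of critical security debt that sits in open-source components
    critical_debt = [f for f in findings if is_debt(f, as_of) and f.severity == "critical"]
    return ratio(sum(f.source == "open-source" for f in critical_debt), len(critical_debt))


# (leading test, lagging test) per metric, using the thresholds quoted in the report
THRESHOLDS = {
    "flaw_prevalence":  (lambda v: v < 0.43, lambda v: v > 0.86),
    "fix_capacity":     (lambda v: v > 0.10, lambda v: v < 0.01),
    "fix_speed_days":   (lambda v: v <= 35,  lambda v: v > 365),
    "debt_prevalence":  (lambda v: v < 0.17, lambda v: v > 0.67),
    "open_source_debt": (lambda v: v < 0.15, lambda v: v >= 1.0),
}


def rate(metric: str, value: float | None) -> str:
    if value is None:
        return "insufficient data"
    leading, lagging = THRESHOLDS[metric]
    if leading(value):
        return "leading"
    if lagging(value):
        return "lagging"
    return "in between"


def benchmark(findings, apps, as_of, month_start) -> dict:
    values = {
        "flaw_prevalence":  flaw_prevalence(findings, apps, as_of),
        "fix_capacity":     fix_capacity(findings, month_start, as_of),
        "fix_speed_days":   fix_speed_days(findings, as_of),
        "debt_prevalence":  debt_prevalence(findings, apps, as_of),
        "open_source_debt": open_source_debt(findings, as_of),
    }
    return {m: (v, rate(m, v)) for m, v in values.items()}


# Constructed sample portfolio: five applications, five findings, evaluated as of 1 Feb 2025
SAMPLE_APPS = ["billing", "portal", "api", "batch", "mobile"]
SAMPLE_FINDINGS = [
    Finding("billing", date(2023, 1, 10), None, "critical", "open-source"),       # year-old critical debt in a dependency
    Finding("billing", date(2024, 12, 15), date(2025, 1, 20), "high", "first-party"),
    Finding("portal", date(2024, 11, 1), None, "medium", "first-party"),           # open, but not yet debt
    Finding("api", date(2024, 6, 1), date(2025, 1, 5), "critical", "open-source"),
    Finding("mobile", date(2023, 6, 1), None, "critical", "first-party"),          # year-old critical debt in own code
]
AS_OF = date(2025, 2, 1)
MONTH_START = date(2025, 1, 1)

if __name__ == "__main__":
    for metric, (value, verdict) in benchmark(SAMPLE_FINDINGS, SAMPLE_APPS, AS_OF, MONTH_START).items():
        print(f"{metric:18} {value!s:>8}  {verdict}")
```

Applications with no findings still count in the denominators of flaw and debt prevalence, which is why the application list is passed separately from the findings; a portfolio with no closed findings yields "insufficient data" for fix speed rather than a misleading zero.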

Wysopal said, “The research provides a helpful framework for organisations to assess their security maturity. This enables them to understand specific factors contributing to security debt, gauge each metric’s importance, and benchmark their own performance against similar organisations. We offer in-depth recommendations from our experts and leading organisations on how to improve.”

Cyber Regulations Drive Positive Behaviors, Boosting Application Security
On a positive note, Veracode’s research found the rate of applications passing the Open Worldwide Application Security Project (OWASP) Top 10 has increased by 63 percent over the past five years, and more than doubled in 15 years. New cybersecurity regulations in 2024, like the U.S. Securities and Exchange Commission (SEC) ruling and E.U. Cyber Resilience Act, have contributed to this trend as software vendors take a more disciplined approach to risk management.

A New View of Security Maturity
Veracode’s new view of software security maturity emphasises the need for enterprises to take a strategic, context-driven approach to managing the most urgent and exploitable risks. The report recommends two key focus areas for organisations. First, organisations must enhance visibility and integration across the entire software development life cycle, using automation and feedback loops to prevent new security flaws. Second, they should prioritise correlating and contextualising security findings in a single view, allowing them to efficiently address their security backlog and reduce the highest risks with the least effort.

Wysopal added, “Tools like Application Security Posture Management enable security professionals and development teams to prioritise and make informed decisions by pinpointing what’s exploitable, reachable, and urgent.”

As organisations navigate an increasingly complex threat landscape, prioritising security maturity is essential. Veracode’s research provides a roadmap for organisations to benchmark and improve their security posture. By addressing security debt and leveraging the best tools and practices, businesses can enhance resilience, reduce risk, and comply with evolving cybersecurity regulations.


About the State of Software Security Report

The Veracode State of Software Security 2025 is the 15th volume of the report. It analysed data from companies of all sizes, commercial software suppliers, software outsourcers, and open-source projects. The report contains findings about applications that were subjected to static analysis, dynamic analysis, software composition analysis, and/or manual penetration testing through Veracode’s cloud-based platform. Specifically, the data comes from:
• 1.3M unique applications with 126.4M raw findings
• 107.4M findings identified via SAST scans
• 3.9M findings identified via DAST scans
• 15M findings identified via Software Composition Analysis
