04 March 2025
The research reveals an alarming increase in the average fix time for security flaws — from 171 days to 252 days over the past five years, and up 327% since the report’s first volume 15 years ago. Moreover, 50% of organisations now carry critical security debt, defined as accumulated flaws left open for longer than a year. Most of these vulnerabilities originate from third-party code and the software supply chain. Unresolved security debt leaves organisations open to attack, exposing them to reputational, financial, and operational damage.
“The attack surface has become increasingly complicated, particularly in the last couple of years with the explosion of AI engineering. Last year’s report found 46% of organisations had high-severity security debt. While the year-on-year increase may seem marginal, it is going in the wrong direction. Our investigations provide solid evidence that organisations can drive down debt, but many need help to prioritise which vulnerabilities to tackle first,” said Chris Wysopal, Chief Security Evangelist at Veracode.
Veracode’s research also analysed the distribution of security debt across organisations. While some have almost no debt and others are drowning in it, most fall somewhere in between, with a mix of debt-free and debt-ridden applications.
“The gap between the top 25% and bottom 25% of organisations is fascinating,” Wysopal said. “The results raise the question of which factors account for the marked differences in how organisations manage security debt and what teams can do to tackle it.”
Veracode’s research pinpoints five key metrics that indicate security maturity and predict an organisation’s ability to systematically reduce risk: flaw prevalence, fix capacity, fix speed, debt prevalence, and open-source debt. The report explains each metric’s importance and reveals the parameters that determine whether an organisation is ‘leading’ or ‘lagging.’
• Flaw prevalence: Leading organisations have flaws in fewer than 43% of applications, while lagging organisations exceed 86%.
• Fix capacity: Leaders resolve over 10% of flaws monthly, whereas laggards address less than 1%.
• Fix speed: Top performers remediate half of flaws in five weeks; lower-performing organisations take longer than a year.
• Security debt prevalence: Less than 17% of applications in leading organisations carry security debt, compared with more than 67% in lagging ones.
• Open-source debt: Leading organisations keep open-source critical debt under 15%, while 100% of critical debt is open source in lagging organisations.
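To make the five metrics concrete, here is an added Python example (not Veracode's code or data) that computes each one over a small constructed finding set and grades it against the leading/lagging thresholds quoted above. The finding record layout, the one-year debt definition applied per flaw, the use of a closure half-life for fix speed, and the decision to treat a value sitting exactly on a lagging threshold as lagging are all assumptions made for this illustration.

```python
# Added example: maturity scorecard over a constructed set of findings.
# Data, field names and grading rules are assumptions, not Veracode's.
from dataclasses import dataclass
from datetime import date
from typing import Optional

AS_OF = date(2025, 3, 4)   # reference date for "open" and "age"
DEBT_AGE_DAYS = 365        # article: debt = flaw left open longer than a year
FEB_2025 = (date(2025, 2, 1), date(2025, 2, 28))  # window for fix capacity


@dataclass(frozen=True)
class Finding:
    app: str
    severity: str          # "critical", "high", "medium" or "low"
    opened: date
    fixed: Optional[date]  # None while the flaw is still open
    third_party: bool      # True when the flaw sits in a dependency


def is_open(f, as_of=AS_OF):
    """Open on `as_of` if raised by then and not fixed by then."""
    return f.opened <= as_of and (f.fixed is None or f.fixed > as_of)


def age_days(f, as_of=AS_OF):
    """Days the flaw has been (or was) open, measured up to `as_of`."""
    return ((as_of if is_open(f, as_of) else f.fixed) - f.opened).days


def is_debt(f, as_of=AS_OF):
    return is_open(f, as_of) and age_days(f, as_of) > DEBT_AGE_DAYS


def flaw_prevalence(findings, apps):
    """Share of applications with at least one open flaw."""
    return len({f.app for f in findings if is_open(f)}) / len(apps)


def fix_capacity(findings, month_start, month_end):
    """Share of the backlog open at month start that was closed in the month."""
    backlog = [f for f in findings if is_open(f, month_start)]
    closed = [f for f in backlog if f.fixed is not None and f.fixed <= month_end]
    return len(closed) / len(backlog) if backlog else 0.0


def fix_half_life_days(findings):
    """Days until half of all sampled flaws were fixed; None if fewer than
    half have ever been fixed (half-life exceeds the sample window)."""
    closed = sorted(age_days(f) for f in findings
                    if f.fixed is not None and f.fixed <= AS_OF)
    needed = -(-len(findings) // 2)   # ceil(n / 2)
    return closed[needed - 1] if len(closed) >= needed else None


def debt_prevalence(findings, apps):
    """Share of applications carrying a flaw open for more than a year."""
    return len({f.app for f in findings if is_debt(f)}) / len(apps)


def open_source_critical_debt(findings):
    """Share of critical security debt that lives in third-party code."""
    crit = [f for f in findings if is_debt(f) and f.severity == "critical"]
    return sum(f.third_party for f in crit) / len(crit) if crit else None


# (leading bound, lagging bound, higher_is_better), from the article's bullets
THRESHOLDS = {
    "flaw_prevalence":           (0.43, 0.86, False),
    "fix_capacity":              (0.10, 0.01, True),
    "fix_half_life_days":        (35,   365,  False),   # five weeks / one year
    "debt_prevalence":           (0.17, 0.67, False),
    "open_source_critical_debt": (0.15, 1.00, False),
}


def grade(metric, value):
    """Leading / lagging / middle; ties on the lagging bound count as lagging."""
    lead, lag, higher_is_better = THRESHOLDS[metric]
    if value is None:
        return "undetermined"
    if higher_is_better:
        return "leading" if value > lead else "lagging" if value < lag else "middle"
    return "leading" if value < lead else "lagging" if value >= lag else "middle"


def scorecard(findings, apps, month_start, month_end):
    values = {
        "flaw_prevalence": flaw_prevalence(findings, apps),
        "fix_capacity": fix_capacity(findings, month_start, month_end),
        "fix_half_life_days": fix_half_life_days(findings),
        "debt_prevalence": debt_prevalence(findings, apps),
        "open_source_critical_debt": open_source_critical_debt(findings),
    }
    return {k: (v, grade(k, v)) for k, v in values.items()}


# Constructed sample: four apps, eight findings, one app already clean.
APPS = ["billing", "portal", "api", "batch"]
FINDINGS = [
    Finding("billing", "high",     date(2023, 11, 1), None,              True),
    Finding("billing", "critical", date(2023, 9, 15), None,              True),
    Finding("portal",  "critical", date(2024, 1, 10), None,              False),
    Finding("portal",  "medium",   date(2025, 2, 3),  date(2025, 2, 20), False),
    Finding("api",     "high",     date(2025, 1, 20), date(2025, 2, 10), True),
    Finding("api",     "medium",   date(2025, 2, 12), None,              False),
    Finding("api",     "low",      date(2024, 12, 1), date(2025, 2, 25), True),
    Finding("batch",   "low",      date(2024, 6, 1),  date(2024, 7, 15), False),
]

if __name__ == "__main__":
    for metric, (value, verdict) in scorecard(FINDINGS, APPS, *FEB_2025).items():
        print(f"{metric:28} {value!s:>6}  {verdict}")
```

On this sample the organisation is "leading" only on fix capacity (40% of the February backlog closed) and sits in the middle band everywhere else, including a 50% open-source share of its critical debt; the half-life of 86 days is what keeps fix speed out of the leading band. Swapping in an export of real scanner findings with the same five fields is enough to benchmark an actual portfolio the same way.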
“The research provides a helpful framework for organisations to assess their security maturity. This enables them to understand specific factors contributing to security debt, gauge each metric’s importance, and benchmark their own performance against similar organisations. We offer in-depth recommendations from our experts and leading organisations on how to improve,” said Wysopal.
Veracode’s new view of software security maturity emphasises the need for enterprises to take a strategic, context-driven approach to managing the most urgent and exploitable risks. The report recommends two key focus areas for organisations. First, organisations must enhance visibility and integration across the entire software development life cycle, using automation and feedback loops to prevent new security flaws. Second, they should prioritise correlating and contextualising security findings in a single view, allowing them to efficiently address their security backlog and reduce the highest risks with the least effort.