Veracode launched its 15^th edition of the State of Software Security (SoSS) report. The report, based on an extensive dataset of 1.3 million unique applications and 126.4 million raw findings, highlights important trends and offers a new view of software security maturity to improve application risk management practices.

The research reveals an alarming increase in the average fix time for security flaws-from 171 days to 252 days over the past five years, and up 327 percent since the report's first volume 15 years ago. Moreover, 50 percent of organizations now carry critical security debt, defined as accumulated flaws left open for longer than a year. The majority of these vulnerabilities originate from third-party code and the software supply chain. Unresolved security debt leaves organizations open to attack, exposing them to reputational, financial, and operational damage.

Chris Wysopal, Chief Security Evangelist at Veracode, said, "The attack surface has become increasingly complicated, particularly in the last couple of years with the explosion of AI engineering. Last year's report found 46 percent of organizations had high-severity security debt. While the year-on-year increase may seem marginal, it is going in the wrong direction. Our investigations provide solid evidence that organizations can drive down debt, but many need help to prioritize which vulnerabilities to tackle first."

Benchmarking Security Performance

Veracode's research also analyzed the distribution of security debt across organizations. While some have almost no debt and others are drowning in it, most fall somewhere in between, with a mix of debt-free and debt-ridden applications.

"The gap between the top 25 percent and bottom 25 percent of organizations is fascinating," Wysopal said. "The results raise the question of which factors account for the marked differences in how organizations manage security debt and what teams can do to tackle it."

Veracode's research pinpoints five key metrics that indicate security maturity and predict an organization's ability to systematically reduce risk: flaw prevalence, fix capacity, fix speed, debt prevalence, and open-source debt. The report explains each metric's importance and reveals the parameters that determine whether an organization is "leading" or "lagging."

• Flaw prevalence: Leading organizations have flaws in fewer than 43 percent of applications, while lagging organizations exceed 86 percent.
• Fix capacity: Leaders resolve over 10 percent of flaws monthly, whereas laggards address less than 1 percent.
• Fix speed: Top performers remediate half of flaws in five weeks; lower-performing organizations take longer than a year.
• Security debt prevalence: Less than 17 percent of applications in leading organizations carry security debt, compared with more than 67 percent in lagging ones.
• Open-source debt: Leading organizations keep open-source critical debt under 15 percent, while 100 percent of critical debt is open source in lagging organizations.

Wysopal said, "The research provides a helpful framework for organizations to assess their security maturity. This enables them to understand specific factors contributing to security debt, gauge each metric's importance, and benchmark their own performance against similar organizations. We offer in-depth recommendations from our experts and leading organizations on how to improve."

Cyber Regulations Drive Positive Behaviors, Boosting Application Security

On a positive note, Veracode's research found the rate of applications passing the Open Worldwide Application Security Project (OWASP) Top 10 has increased by 63 percent over the past five years, and more than doubled in 15 years. New cybersecurity regulations in 2024, like the U.S. Securities and Exchange Commission (SEC) ruling and E.U. Cyber Resilience Act, have contributed to this trend as software vendors take a more disciplined approach to risk management.

A New View of Security Maturity

Veracode's new view of software security maturity emphasizes the need for enterprises to take a strategic, context-driven approach to managing the most urgent and exploitable risks. The report recommends two key focus areas for organizations. First, organizations must enhance visibility and integration across the entire software development life cycle, using automation and feedback loops to prevent new security flaws. Second, they should prioritize correlating and contextualizing security findings in a single view, allowing them to efficiently address their security backlog and reduce the highest risks with the least effort.

Wysopal added, "Tools like Application Security Posture Management enable security professionals and development teams to prioritize and make informed decisions by pinpointing what's exploitable, reachable, and urgent."

As organizations navigate an increasingly complex threat landscape, prioritizing security maturity is essential. Veracode's research provides a roadmap for organizations to benchmark and improve their security posture. By addressing security debt and leveraging the best tools and practices, businesses can enhance resilience, reduce risk, and comply with evolving cybersecurity regulations.

The full State of Software Security 2025 report is available to download on the Veracode website.