Organizations are taking longer to fix security flaws in their software, and the security debt involved is becoming increasingly critical as a result.
According to application security vendor Veracode’s latest State of Software Security report, the average fix time for security flaws has increased from 171 days to 252 days over the past five years.
Moreover, half (50%) of organizations now carry high-risk security debt, defined as accumulated flaws left open for longer than a year. The majority of these flaws originate from third-party code and the software supply chain — an ongoing source of considerable risk despite increasing attention.
Although the 50% figure from 2025 is up only marginally from the 46% finding on high-risk security debt from the 2024 edition of Veracode’s annual study, the finding is still concerning because the figure is trending in the wrong direction. It also indicates that the number of organizations carrying high-risk security debt increased by nearly 10% over the past year.
Chris Wysopal, co-founder at chief security evangelist at Veracode, told CSO that one aspect of application security that has gotten progressively worse over the years is the time it takes to fix flaws.
“There are many reasons for this, but the ever-growing scope and complexity of the software ecosystem is a core issue,” Wysopal said. “Organizations have more applications and vastly more code to keep on top of, and this will only increase as more teams adopt AI for code generation” — an issue compounded by the potential security implications of AI-generated code across in-house software and third-party dependencies alike.
Applying risk reduction and security maturity strategies
Veracode’s study found marked differences in how organizations manage security debt, with big gaps between the best and worst performers. According to Veracode, five key metrics offer a means to gauge security maturity and ways to improve an organization’s ability to systematically reduce risk:
Flaw prevalence: Leading organizations have flaws in fewer than 43% of applications, while lagging organizations exceed 86%.
Fix capacity: Leaders resolve over 10% of flaws monthly, whereas laggards address less than 1%.
Fix speed: Top performers remediate half of flaws in five weeks; lower-performing organizations take longer than a year.
Security debt prevalence: Less than 17% of applications in leading organizations carry security debt, compared with more than 67% in lagging ones.
Open-source debt: Leading organizations keep open-source critical debt under 15%, whereas 100% of critical debt is open source in lagging organizations.
Steps to improve security maturity include enhancing visibility and integration across the software development life cycle, using automation and feedback loops to prevent new security flaws. Veracode further argues that organizations should prioritize correlating and contextualizing security findings in a single view.
“Most organizations suffer from fragmented visibility over the software flaws and risks within their applications, with sprawling toolsets that create ‘alert fatigue’ at the same time as silos of data to interpret and make decisions about,” Wysopal said. “The key factors that help them address the security backlog are the ability to prioritize remediation of flaws based on risk.”
Veracode’s study is based on findings about 1.3 million unique applications that were subjected to a combination of static analysis, dynamic analysis, software composition analysis, and/or manual penetration testing through Veracode’s cloud-based platform. Software packages put through their paces came from companies of all sizes, commercial software suppliers, software outsourcers, and open-source projects.
Supply chain risks
On open-source security debt specifically, application security firm Black Duck reports that an analysis of 965 commercial codebases across 16 industries found that 86% of commercial codebases contained open-source software vulnerabilities and 81% contained high- or critical-risk vulnerabilities.
Eight of the top ten high-risk vulnerabilities covered in Black Duck’s Open Source Security and Risk Analysis report were found in jQuery, a widely used JavaScript library.
The most frequently found high-risk vulnerability was CVE-2020-11023, an XSS vulnerability affecting outdated versions of jQuery, but still present in a third of scanned codebases.
The supply chain risk from vulnerabilities that originate from third-party and open-source code can be mitigated by continuously scanning code throughout the software development life cycle, Veracode advises. Enterprises should modernize their operations to ensure updating, testing, and deploying a new version of a custom application is as efficient as possible.
“Software composition analysis (SCA) achieves this by detecting and managing the risks of third-party and open-source software components through an automated process,” Wysopal said. “It generates software bills of materials (SBOM), scans for vulnerabilities, assesses risk, and provides remediation guidance.”
Debt reduction program
By addressing security debt and leveraging best practices, businesses can enhance resilience, reduce risk, and comply with evolving cybersecurity regulations, according to Veracode. The application security specialist offers a run-down of factors that help develop an effective strategy for reducing security debt:
Automated testing: Integrate SAST, DAST, SCA, and other automated testing frameworks into CI/CD to catch flaws early.
Risk-based policies: Focus on easily exploitable, high-severity flaws, and enforce strict “no-ship” standards.
Empowered developers: Provide training, designate security champions, and treat security tasks like normal dev work.
An accountability culture: Track vulnerabilities alongside functional bugs and fix them as they appear.
Open-source oversight: Maintain a clear inventory of libraries, update them regularly, and automate checks.
Discipline: While resources help, coherent strategy and strong processes matter more. Even smaller teams, if well-aligned and disciplined, often outperform larger ones with weaker focus.
No Responses