The majority of companies are drowning in security debt, making them vulnerable to attacks. And worst of all, they may not know it.
That's according to Veracode's latest State of Software Security 2024 Report, which examined more than one million applications across all scan types. Security debt, defined for this report as flaws that remain unfixed for longer than a year, exists in 70% of organizations and 42% of applications. This debt has accumulated over time, accelerated by digital transformations and the introduction of AI coding tools that increase the speed of development. Applications themselves, meanwhile, have grown by about 40% a year regardless of their original size, accumulating flaws as they age.
The proliferation of AI and regulatory changes, such as those put forth by the White House Executive Order on AI and the EU Cyber Resilience Act, have raised the profile of cybersecurity and increased awareness about insecure code at scale. But there is still a lot of work required to increase education about security debt to tackle the problem.
Peeling Back the Layers of Risk
The report found 71% of organizations have some level of security debt, and that nearly half (46%) have critical security debt resulting from persistent flaws of high severity that create serious risk to a company.
Third-party code from open-source libraries significantly contributes to the volume of security debt. While 63% of applications have flaws in first-party code, 70% contain flaws in third-party code. Third-party code flaws also have an impact on remediation timelines, taking 50% longer to fix than first-party flaws. Half of the known flaws in third-party open-source code remain unresolved for more than 11 months, compared with seven months for flaws in first-party code.
And the time it takes to remediate flaws is critical to reducing debt. Our research shows the teams that fix flaws the fastest reduce critical security debt by 75% — that is, compared with the slowest teams, the fastest teams lower critical debt from 22% to just over 5%. Moreover, faster-acting teams are four times less likely to let critical security debt turn up in their applications in the first place.
Overall, however, few teams are fixing flaws fast enough to substantially reduce security debt. Only 64% of applications have a remediation capacity that's sufficient to eliminate critical security debt. Even when teams have a sufficient overall fix rate, they are not always fixing the most critical flaws.
Risk Prioritization Is Essential
When the rate of new and existing flaws exceeds an organization's capacity to remediate them, prioritizing which flaws to fix first is essential. Currently, developers may be picking the flaws that are the easiest to fix — in the interest of getting fixes done more quickly — while overlooking the flaws that will have the most impact on the organization. Teams need to focus their efforts.
Fortunately, just 3% of all flaws are persistent, high-severity flaws that constitute "critical" security debt. For most if not all development teams, fixing 3% of flaws is an eminently achievable target.
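The triage rule the report implies (age over a year makes a flaw security debt; add high or critical severity and it becomes critical debt, the roughly 3% to fix first) is simple enough to encode. The following is an added example, not Veracode's code or tooling: it takes a constructed list of scan findings, classifies them using the report's definitions, orders them so that critical debt comes ahead of easier fixes, and estimates how long a team's fix rate needs to clear the critical portion. The Flaw fields, the hypothetical flaw IDs and app names, and the `fixes_per_month` capacity figure are all assumptions for illustration.

```python
import math
from dataclasses import dataclass
from datetime import date, timedelta

# Report definition: a flaw unfixed for longer than a year is security debt.
SECURITY_DEBT_AGE = timedelta(days=365)
SEVERITY_RANK = {"critical": 4, "high": 3, "medium": 2, "low": 1}


@dataclass(frozen=True)
class Flaw:
    """One scan finding. Field names are assumptions, not a vendor schema."""
    flaw_id: str
    app: str
    cwe: str
    severity: str        # one of SEVERITY_RANK's keys
    origin: str          # "first-party" or "third-party"
    first_seen: date     # date the scanner first reported it


def is_security_debt(flaw: Flaw, today: date) -> bool:
    """Unfixed for more than a year -> security debt."""
    return today - flaw.first_seen > SECURITY_DEBT_AGE


def is_critical_debt(flaw: Flaw, today: date) -> bool:
    """Persistent AND high/critical severity -> critical security debt."""
    return (is_security_debt(flaw, today)
            and SEVERITY_RANK[flaw.severity] >= SEVERITY_RANK["high"])


def prioritize(flaws: list[Flaw], today: date) -> list[Flaw]:
    """Order work so critical debt is fixed first, not whatever is easiest.

    Sort key: critical debt before everything else, then higher severity,
    then older findings (oldest first, since they are closest to becoming debt).
    """
    return sorted(
        flaws,
        key=lambda f: (not is_critical_debt(f, today),
                       -SEVERITY_RANK[f.severity],
                       f.first_seen),
    )


def debt_summary(flaws: list[Flaw], today: date) -> dict:
    """Counts in the same shape the report uses: debt per flaw and per app."""
    debt = [f for f in flaws if is_security_debt(f, today)]
    critical = [f for f in debt if is_critical_debt(f, today)]
    return {
        "total": len(flaws),
        "debt": len(debt),
        "critical_debt": len(critical),
        "apps": len({f.app for f in flaws}),
        "apps_with_debt": len({f.app for f in debt}),
        "third_party_debt": sum(1 for f in debt if f.origin == "third-party"),
    }


def months_to_clear_critical(flaws: list[Flaw], today: date,
                             fixes_per_month: int) -> float:
    """Months needed at a given fix rate to eliminate critical debt.

    A team whose capacity cannot reach this within its planning horizon has
    insufficient remediation capacity in the report's sense.
    """
    if fixes_per_month <= 0:
        return math.inf
    critical = sum(1 for f in flaws if is_critical_debt(f, today))
    return critical / fixes_per_month


# Constructed sample findings (not real scan data); evaluated as of TODAY.
TODAY = date(2024, 3, 1)
SAMPLE_FLAWS = [
    Flaw("F1", "billing", "CWE-89", "critical", "first-party", date(2022, 11, 15)),
    Flaw("F2", "billing", "CWE-79", "medium", "third-party", date(2022, 6, 1)),
    Flaw("F3", "portal", "CWE-502", "high", "third-party", date(2023, 1, 10)),
    Flaw("F4", "portal", "CWE-20", "low", "first-party", date(2024, 1, 20)),
    Flaw("F5", "api", "CWE-287", "high", "first-party", date(2023, 12, 5)),
    Flaw("F6", "api", "CWE-327", "medium", "first-party", date(2023, 9, 1)),
]

if __name__ == "__main__":
    print(debt_summary(SAMPLE_FLAWS, TODAY))
    for f in prioritize(SAMPLE_FLAWS, TODAY):
        tag = "CRITICAL DEBT" if is_critical_debt(f, TODAY) else ""
        print(f"{f.flaw_id} {f.app:8} {f.severity:8} {f.cwe:8} {tag}")
    print("months to clear critical debt at 1 fix/month:",
          months_to_clear_critical(SAMPLE_FLAWS, TODAY, 1))
```

On the constructed data, F1 and F3 are the only critical debt and sit at the top of the queue; the newer high-severity F5 follows them, ahead of the old-but-medium F2 that an "easiest first" approach might pick. Feeding the same functions a real findings export (one Flaw per row) gives the per-app debt and fix-capacity figures a team needs to decide whether its current fix rate can ever catch up.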
Managing Security Debt: Fix Flaws Faster
Even when prioritizing the most serious flaws, teams still need to fix flaws more quickly if they're going to reduce security debt significantly or eliminate it altogether. Artificial intelligence, while often cited as a potential threat to cybersecurity, can make accelerating code fixes a reality. Large language models (LLMs) that have been trained on specific Common Weakness Enumerations (CWEs) can be especially effective working alongside developers to suggest secure fixes at scale.
That kind of scaling is necessary to overcome the current constraints on fix capacity, where new applications and accompanying vulnerabilities are often introduced faster than teams can remediate flaws. Using AI to augment remediation brings greater speed and efficiency to the process, while also freeing developers to focus on other high-value projects.
Driving Down Security Debt
Accumulating security debt poses a serious—and often unseen—threat to organizations that will likely continue to grow with the greater use of AI and third-party code.
Organizations and developers working to lower the amount of security debt need to think about the time, money and education they put behind security teams. Too often, flaw remediation is not dictated by people for whom risk management is a priority, which may be another reason security debt is so high.
Identifying and prioritizing the most critical risks, and training developers to leverage AI models for remediation at scale, can help organizations get their security debt under control.