DEVOPSdigest

The majority of companies are drowning in security debt, making them vulnerable to attacks. And worst of all, they may not know it.

That's according to Veracode's latest State of Software Security 2024 Report, which examined more than one million applications across all scan types. Security debt, defined for this report as flaws that remain unfixed for longer than a year, exists in 70% of organizations and 42% of applications. This debt has accumulated over time, accelerated by digital transformations and the introduction of AI coding tools that increase the speed of development. Applications themselves, meanwhile, have grown by about 40% a year regardless of their original size, accumulating flaws as they age.

The proliferation of AI and regulatory changes, such as those put forth by the White House Executive Order on AI and the EU Cyber Resilience Act, have raised the profile of cybersecurity and increased awareness about insecure code at scale. But there is still a lot of work required to increase education about security debt to tackle the problem.

Peeling Back the Layers of Risk

The report found 71% of organizations have some level of security debt, and that nearly half (46%) have critical security debt resulting from persistent flaws of high severity that create serious risk to a company.

Third-party code from open-source libraries significantly contributes to the volume of security debt. While 63% of applications have flaws in first-party code, 70% contain flaws in third-party code. Third-party code flaws also have an impact on remediation timelines, taking 50% longer to fix than first-party flaws. Half of the known flaws in third-party open-source code remain unresolved for more than 11 months, compared with seven months for flaws in first-party code.

And the time it takes to remediate flaws is critical to reducing debt. Our research shows the teams that fix flaws the fastest reduce critical security debt by 75% — that is, compared with the slowest teams, the fastest teams lower critical debt from 22% to just over 5%. Moreover, faster-acting teams are four times less likely to let critical security debt turn up in their applications in the first place.

Overall, however, few teams are fixing flaws fast enough to substantially reduce security debt. Only 64% of applications have a remediation capacity that's sufficient to eliminate critical security debt. Even when teams have a sufficient overall fix rate, they are not always fixing the most critical flaws.

Risk Prioritization Is Essential

When the rate of new and existing flaws exceeds an organization's capacity to remediate them, prioritizing which flaws to fix first is essential. Currently, developers may be picking the flaws that are the easiest to fix — in the interest of getting fixes done more quickly — while overlooking the flaws that will have the most impact on the organization. Teams need to focus their efforts.

Fortunately, just 3% of all flaws are persistent, high-severity flaws that constitute "critical" security debt. For most if not all development teams, fixing 3% of flaws is an eminently achievable target.

Managing Security Debt: Fix Flaws Faster

Even when prioritizing the most serious flaws, teams still need to fix flaws more quickly if they're going to reduce security debt significantly or eliminate it altogether. Artificial intelligence, while often cited as a potential threat to cybersecurity, can make accelerating code fixes a reality. Large language models (LLMs) that have been trained on specific Common Weakness Enumerations (CWEs) can be especially effective working alongside developers to suggest secure fixes at scale.

That kind of scaling is necessary to overcome the current constraints on fix capacity, where new applications and accompanying vulnerabilities are often introduced faster than teams can remediate flaws. Using AI to augment remediation brings greater speed and efficiency to the process, while also freeing developers to focus on other high-value projects.

Driving Down Security Debt

Accumulating security debt poses a serious—and often unseen—threat to organizations that will likely continue to grow with the greater use of AI and third-party code.

Organizations and developers working to lower the amount of security debt need to think about the time, money and education they put behind security teams. Too often, flaw remediation is not dictated by people for whom risk management is a priority, which may be another reason security debt is so high.

Identifying and prioritizing the most critical risks, and training developers to leverage AI models for remediation at scale, can help organizations get their security debt under control.