webAI and MacStadium(link is external) announced a strategic partnership that will revolutionize the deployment of large-scale artificial intelligence models using Apple's cutting-edge silicon technology.
Mitigating the Risk of Security Debt: The State of Software Security in 2024
June 24, 2024
The majority of companies are drowning in security debt, making them vulnerable to attacks. And worst of all, they may not know it.
That's according to Veracode's latest State of Software Security 2024 Report, which examined more than one million applications across all scan types. Security debt, defined for this report as flaws that remain unfixed for longer than a year, exists in 70% of organizations and 42% of applications. This debt has accumulated over time, accelerated by digital transformations and the introduction of AI coding tools that increase the speed of development. Applications themselves, meanwhile, have grown by about 40% a year regardless of their original size, accumulating flaws as they age.
The proliferation of AI and regulatory changes, such as those put forth by the White House Executive Order(link is external) on AI and the EU Cyber Resilience Act(link is external), have raised the profile of cybersecurity and increased awareness about insecure code at scale. But there is still a lot of work required to increase education about security debt to tackle the problem.
Peeling Back the Layers of Risk
The report found 71% of organizations have some level of security debt, and that nearly half (46%) have critical security debt resulting from persistent flaws of high severity that create serious risk to a company.
Third-party code from open-source libraries significantly contributes to the volume of security debt. While 63% of applications have flaws in first-party code, 70% contain flaws in third-party code. Third-party code flaws also have an impact on remediation timelines, taking 50% longer to fix than first-party flaws. Half of the known flaws in third-party open-source code remain unresolved for more than 11 months, compared with seven months for flaws in first-party code.
And the time it takes to remediate flaws is critical to reducing debt. Our research shows the teams that fix flaws the fastest reduce critical security debt by 75% — that is, compared with the slowest teams, the fastest teams lower critical debt from 22% to just over 5%. Moreover, faster-acting teams are four times less likely to let critical security debt turn up in their applications in the first place.
Overall, however, few teams are fixing flaws fast enough to substantially reduce security debt. Only 64% of applications have a remediation capacity that's sufficient to eliminate critical security debt. Even when teams have a sufficient overall fix rate, they are not always fixing the most critical flaws.
Risk Prioritization Is Essential
When the rate of new and existing flaws exceeds an organization's capacity to remediate them, prioritizing which flaws to fix first is essential. Currently, developers may be picking the flaws that are the easiest to fix — in the interest of getting fixes done more quickly — while overlooking the flaws that will have the most impact on the organization. Teams need to focus their efforts.
Fortunately, just 3% of all flaws are persistent, high-severity flaws that constitute "critical" security debt. For most if not all development teams, fixing 3% of flaws is an eminently achievable target.
Managing Security Debt: Fix Flaws Faster
Even when prioritizing the most serious flaws, teams still need to fix flaws more quickly if they're going to reduce security debt significantly or eliminate it altogether. Artificial intelligence, while often cited as a potential threat to cybersecurity, can make accelerating code fixes a reality. Large language models (LLMs) that have been trained on specific Common Weakness Enumerations (CWEs) can be especially effective working alongside developers to suggest secure fixes at scale.
That kind of scaling is necessary to overcome the current constraints on fix capacity, where new applications and accompanying vulnerabilities are often introduced faster than teams can remediate flaws. Using AI to augment remediation brings greater speed and efficiency to the process, while also freeing developers to focus on other high-value projects.
Driving Down Security Debt
Accumulating security debt poses a serious—and often unseen—threat to organizations that will likely continue to grow with the greater use of AI and third-party code.
Organizations and developers working to lower the amount of security debt need to think about the time, money and education they put behind security teams. Too often, flaw remediation is not dictated by people for whom risk management is a priority, which may be another reason security debt is so high.
Identifying and prioritizing the most critical risks, and training developers to leverage AI models for remediation at scale, can help organizations get their security debt under control.
Industry News
March 27, 2025
March 27, 2025
Development work on the Linux kernel — the core software that underpins the open source Linux operating system — has a new infrastructure partner in Akamai. The company's cloud computing service and content delivery network (CDN) will support kernel.org, the main distribution system for Linux kernel source code and the primary coordination vehicle for its global developer network.
March 27, 2025
Komodor announced a new approach to full-cycle drift management for Kubernetes, with new capabilities to automate the detection, investigation, and remediation of configuration drift—the gradual divergence of Kubernetes clusters from their intended state—helping organizations enforce consistency across large-scale, multi-cluster environments.
March 26, 2025
Red Hat announced the latest updates to Red Hat AI, its portfolio of products and services designed to help accelerate the development and deployment of AI solutions across the hybrid cloud.
March 26, 2025
CloudCasa by Catalogic announced the availability of the latest version of its CloudCasa software.
March 26, 2025
BrowserStack announced the launch of Private Devices, expanding its enterprise portfolio to address the specialized testing needs of organizations with stringent security requirements.
March 25, 2025
Chainguard announced Chainguard Libraries, a catalog of guarded language libraries for Java built securely from source on SLSA L2 infrastructure.
March 25, 2025
Cloudelligent attained Amazon Web Services (AWS) DevOps Competency status.
March 25, 2025
Platform9 formally launched the Platform9 Partner Program.
March 24, 2025
Cosmonic announced the launch of Cosmonic Control, a control plane for managing distributed applications across any cloud, any Kubernetes, any edge, or on premise and self-hosted deployment.
March 20, 2025
Oracle announced the general availability of Oracle Exadata Database Service on Exascale Infrastructure on Oracle Database@Azure(link sends e-mail).
March 20, 2025
Perforce Software announced its acquisition of Snowtrack.
March 19, 2025
Mirantis and Gcore announced an agreement to facilitate the deployment of artificial intelligence (AI) workloads.
March 19, 2025
Amplitude announced the rollout of Session Replay Everywhere.
March 18, 2025
Oracle announced the availability of Java 24, the latest version of the programming language and development platform. Java 24 (Oracle JDK 24) delivers thousands of improvements to help developers maximize productivity and drive innovation. In addition, enhancements to the platform's performance, stability, and security help organizations accelerate their business growth ...
