Mitigating the Risk of Security Debt: The State of Software Security in 2024
June 24, 2024

Chris Wysopal
Veracode

The majority of companies are drowning in security debt, making them vulnerable to attacks. And worst of all, they may not know it.

That's according to Veracode's latest State of Software Security 2024 Report, which examined more than one million applications across all scan types. Security debt, defined for this report as flaws that remain unfixed for longer than a year, exists in 70% of organizations and 42% of applications. This debt has accumulated over time, accelerated by digital transformations and the introduction of AI coding tools that increase the speed of development. Applications themselves, meanwhile, have grown by about 40% a year regardless of their original size, accumulating flaws as they age.

The proliferation of AI and regulatory changes, such as those put forth by the White House Executive Order(link is external) on AI and the EU Cyber Resilience Act(link is external), have raised the profile of cybersecurity and increased awareness about insecure code at scale. But there is still a lot of work required to increase education about security debt to tackle the problem.


Peeling Back the Layers of Risk

The report found 71% of organizations have some level of security debt, and that nearly half (46%) have critical security debt resulting from persistent flaws of high severity that create serious risk to a company.

Third-party code from open-source libraries significantly contributes to the volume of security debt. While 63% of applications have flaws in first-party code, 70% contain flaws in third-party code. Third-party code flaws also have an impact on remediation timelines, taking 50% longer to fix than first-party flaws. Half of the known flaws in third-party open-source code remain unresolved for more than 11 months, compared with seven months for flaws in first-party code.

And the time it takes to remediate flaws is critical to reducing debt. Our research shows the teams that fix flaws the fastest reduce critical security debt by 75% — that is, compared with the slowest teams, the fastest teams lower critical debt from 22% to just over 5%. Moreover, faster-acting teams are four times less likely to let critical security debt turn up in their applications in the first place.

Overall, however, few teams are fixing flaws fast enough to substantially reduce security debt. Only 64% of applications have a remediation capacity that's sufficient to eliminate critical security debt. Even when teams have a sufficient overall fix rate, they are not always fixing the most critical flaws.

Risk Prioritization Is Essential

When the rate of new and existing flaws exceeds an organization's capacity to remediate them, prioritizing which flaws to fix first is essential. Currently, developers may be picking the flaws that are the easiest to fix — in the interest of getting fixes done more quickly — while overlooking the flaws that will have the most impact on the organization. Teams need to focus their efforts.

Fortunately, just 3% of all flaws are persistent, high-severity flaws that constitute "critical" security debt. For most if not all development teams, fixing 3% of flaws is an eminently achievable target.

Managing Security Debt: Fix Flaws Faster

Even when prioritizing the most serious flaws, teams still need to fix flaws more quickly if they're going to reduce security debt significantly or eliminate it altogether. Artificial intelligence, while often cited as a potential threat to cybersecurity, can make accelerating code fixes a reality. Large language models (LLMs) that have been trained on specific Common Weakness Enumerations (CWEs) can be especially effective working alongside developers to suggest secure fixes at scale.

That kind of scaling is necessary to overcome the current constraints on fix capacity, where new applications and accompanying vulnerabilities are often introduced faster than teams can remediate flaws. Using AI to augment remediation brings greater speed and efficiency to the process, while also freeing developers to focus on other high-value projects.

Driving Down Security Debt

Accumulating security debt poses a serious—and often unseen—threat to organizations that will likely continue to grow with the greater use of AI and third-party code.

Organizations and developers working to lower the amount of security debt need to think about the time, money and education they put behind security teams. Too often, flaw remediation is not dictated by people for whom risk management is a priority, which may be another reason security debt is so high.

Identifying and prioritizing the most critical risks, and training developers to leverage AI models for remediation at scale, can help organizations get their security debt under control.

Chris Wysopal is Co-Founder and CTO of Veracode
Share this

Industry News

April 07, 2025

Appfire announced its launch of the Appfire Cloud Advantage Alliance.

April 07, 2025

Salt Security announced API integrations with the CrowdStrike Falcon® platform to enhance and accelerate API discovery, posture governance and threat protection.

April 07, 2025

Lucid Software has acquired airfocus, an AI-powered product management and roadmapping platform designed to help teams prioritize and build the right products faster.

April 03, 2025

StackGen has partnered with Google Cloud Platform (GCP) to bring its platform to the Google Cloud Marketplace.

April 03, 2025

Tricentis announced its spring release of new cloud capabilities for the company’s AI-powered, model-based test automation solution, Tricentis Tosca.

April 03, 2025

Lucid Software has acquired airfocus, an AI-powered product management and roadmapping platform designed to help teams prioritize and build the right products faster.

April 03, 2025

AutonomyAI announced its launch from stealth with $4 million in pre-seed funding.

April 02, 2025

Kong announced the launch of the latest version of Kong AI Gateway, which introduces new features to provide the AI security and governance guardrails needed to make GenAI and Agentic AI production-ready.

April 02, 2025

Traefik Labs announced significant enhancements to its AI Gateway platform along with new developer tools designed to streamline enterprise AI adoption and API development.

April 02, 2025

Zencoder released its next-generation AI coding and unit testing agents, designed to accelerate software development for professional engineers.

April 02, 2025

Windsurf (formerly Codeium) and Netlify announced a new technology partnership that brings seamless, one-click deployment directly into the developer's integrated development environment (IDE.)

April 02, 2025

Opsera raised $20M in Series B funding.

April 02, 2025

The Cloud Native Computing Foundation® (CNCF®), which builds sustainable ecosystems for cloud native software, is making significant updates to its certification offerings.

April 01, 2025

The Cloud Native Computing Foundation® (CNCF®), which builds sustainable ecosystems for cloud native software, announced the Golden Kubestronaut program, a distinguished recognition for professionals who have demonstrated the highest level of expertise in Kubernetes, cloud native technologies, and Linux administration.

April 01, 2025

Red Hat announced new capabilities and enhancements for Red Hat Developer Hub, Red Hat’s enterprise-grade internal developer portal based on the Backstage project.