DEVOPSdigest

Enterprises across the world are under attack, and it's getting harder for them to defend themselves.

According to Verizon's Data Breach Investigations Report, exploitation of software vulnerabilities as the critical path to initiate a breach has surged 180% in the past year. This spike in exploitation coincides with rising security debt and increasingly intricate attack surfaces. The situation is further complicated by a poorly kept secret in the software engineering world: the use of artificial intelligence to generate code, which is on the rise with most development teams — whether they'll admit it or not.

The regulatory landscape is also evolving rapidly. The EU's Cyber Resilience Act went into effect in December 2024 and has real teeth, serving as a market entry barrier for products deemed non-compliant. Here in the US, new rules from the Securities and Exchange Commission (SEC) combined with Biden-era executive orders have propelled companies to adopt prevention strategies based on Zero Trust network architectures and Secure by Design principles.

The regulatory pressures facing companies have made a difference. Recent data from Veracode's 2025 State of Software Security (SoSS) report shows that the percentage of applications passing the Open Worldwide Application Security Project (OWASP) Top 10 tests has increased by 63% over the past five years — a significant improvement. More notably, the prevalence of high-severity flaws has been cut in half over the past decade, demonstrating tangible progress in secure software development practices.

The Growing Threat of Security Debt

Unfortunately, regulations are not a silver bullet. Despite measurable improvements, security debt — defined as flaws that remain unfixed for more than a year after discovery — continues to put enterprises at risk. Security debt impacts almost three-quarters (74.2%) of organizations, up from 71% in previous measurements. More frighteningly, half of all organizations suffer from critical security debt: a dangerous combination of high-severity, long-unresolved flaws.

There's a reason it is described as critical debt: the longer a security flaw survives within an enterprise, the less likely it will be resolved. Today, more than a quarter (28%) of flaws remain open two years after discovery, and even after five years, 9% of flaws still linger in applications. The time it takes to fix just 50% of discovered enterprise security vulnerabilities checks in at just over eight months.

Perhaps more concerning is that severity isn't a major driver of remediation for most teams. Critical flaws are addressed only about a month sooner than less severe findings, which tells us that organizations aren't always prioritizing the most dangerous vulnerabilities. And more bad news: the average number of days to fix flaws has increased by 47% over the past five years — a clear indication that remediation timelines are getting longer, not shorter.

Third-Party Code Amplifies Security Risks

Applications are only as secure as the code used to write them, and security flaws are a fact of life in every code base in the world. That being said, the origin of the code that is being used matters. Leveraging third-party code has become standard practice across the industry, which introduces added risks. The report revealed roughly 70% of tested applications contain flaws in third-party code — 6% higher than the flaw prevalence for code written by in-house developers. Furthermore, when examining critical security debt, 70% is introduced by third-party code and the software supply chain.

While this doesn't mean every line of code needs to be developed in-house, it underscores the importance of evaluating open-source code libraries before incorporating them into a project's code base. The significance of detecting and mitigating malicious packages before they enter the build process cannot be overstated.

Wide Disparities in Application Security Performance

The reality is that no organization achieves perfection in application security. On average, security flaws are present in roughly two-thirds of applications across most enterprises. The most security-mature leaders manage to keep flaw prevalence below 43%. On the other end of the spectrum, lagging organizations struggle, with 86% (or more) of their applications containing security flaws.

Fix capacity — the percentage of flaws remediated monthly — also varies dramatically across organizations. Leading teams consistently fix more than 10% of their flaws each month, while low performing companies clock in at just 1%. This stark difference in remediation capacity directly impacts an organization's security posture over time. Those on the lower end of the spectrum can't help but rack up more and more security debt as time goes by.

A Two-Pronged Approach to Maturing Software Security

Regardless of whether you're a high-performing company, somewhere in the middle, or lagging, every organization has room for improvement. To mature software security program efforts in a way that aligns with business objectives, companies need to adopt a two-pronged approach that starts with visibility and integration across the software development life cycle (SDLC) to prevent new flaws through automation and feedback loops. This involves continual scanning as developers write code, enabling development teams to catch and remediate issues before they become a problem.

Secondly, organizations need the ability to correlate and contextualize findings in a single view to prioritize their backlog based on context. This allows companies to reduce the most risk with the least effort. Since the average time to fix flaws has increased dramatically, programs seeking to improve their security posture must focus on the findings that matter most in their specific context. If everything is a priority, nothing is a priority; this approach underscores the idiom.

It's not all doom and gloom for security teams tasked with software security; there is a silver lining. With advances in AI, a sustainable process for continual remediation has become more achievable. So much existing security debt stems from simple, easily detected flaws that AI can address and stamp out at scale. In fact, high-performing teams are already using these capabilities to boost their fix capacity and speed.

Addressing the issue is a simple matter of proper prioritization. By focusing security teams on security debt and training them to implement fixes or leverage AI effectively, companies can reduce existing vulnerabilities significantly. At the same time, they can slow security debt accumulation across the organization, improving security posture and mitigating their risk of exploitation.