Software Security Vulnerabilities: Fix Times Soar as AI and Third-Party Code Add Complexity


Rising Fix Times and Critical Security Debt

The time required to fix software security vulnerabilities has increased significantly, now averaging eight and a half months, according to Veracode’s latest State of Software Security (SoSS) report. This represents a 47% increase over the past five years and a staggering 327% rise compared to 15 years ago. The primary drivers of this trend include the growing use of third-party code and the rise of AI-generated code, which introduce new complexities and risks.

A particularly alarming finding is that 50% of organizations now have critical security debt, meaning they have left high-severity vulnerabilities unpatched for over a year. The majority of this debt (70%) originates from third-party code and the software supply chain. In total, 74.2% of organizations have accumulated some form of security debt, including lower-severity flaws.

Chris Wysopal, Chief Security Evangelist at Veracode, warns that the attack surface has become increasingly complex, especially with the rapid adoption of AI-driven engineering. While last year’s report indicated that 46% of organizations had high-severity security debt, this number has now climbed even higher—an indication that the problem is getting worse, not better.

The report also highlights major differences in how organizations handle security flaws. The top 25% of companies are able to fix more than 10% of their vulnerabilities each month, while the bottom 25% struggle to fix even 1%. Security debt is also far less common in top-performing organizations, affecting only 17% of their applications, whereas bottom-tier companies have security debt in over 67% of their apps.

Over Half of Applications Contain Critical Vulnerabilities

Veracode’s analysis of 1.3 million applications with 126.4 million raw findings revealed that:

  • 56% of applications contain high-severity security vulnerabilities
  • 80.3% of applications have at least one flaw
  • 64% of applications contain flaws in first-party code
  • 70% of applications contain flaws in third-party code

Despite these concerning figures, there has been some progress. The percentage of applications free from OWASP Top 10 vulnerabilities has risen by 63% in the past five years, from 32% in 2020 to 52% in 2025. Similarly, flaws listed in the SANS Institute Top 25 Software Errors have been declining. Additionally, Veracode’s data indicates that the prevalence of high-severity flaws has been cut in half since 2016, showing that while new risks emerge, security practices are improving in some areas.

What Undercode Says: The State of Software Security in 2025

The findings of Veracode’s latest report paint a complex picture of the modern cybersecurity landscape. While security practices have improved in some areas, the rapid expansion of third-party code, AI-generated code, and software supply chain dependencies is making vulnerability management significantly more difficult.

The Growing Threat of Security Debt

Security debt is becoming a systemic issue. With half of all organizations failing to fix high-severity vulnerabilities for over a year, attackers have a growing window of opportunity to exploit known weaknesses. This means that even if organizations are investing in better detection methods, they are still struggling with timely remediation.

The Role of AI in Security—Help or Hindrance?

AI-generated code is reshaping software development, but it also introduces new security risks. Many developers use AI-driven tools to accelerate coding without always considering security implications. AI-written code often relies on open-source components that may contain vulnerabilities, adding to the growing issue of third-party risks.

Third-Party Code: A Double-Edged Sword

The reliance on third-party libraries and frameworks has never been higher, but 70% of critical security debt now originates from third-party code. This is a significant blind spot for many organizations, as vulnerabilities in open-source packages and external dependencies can be difficult to track and fix.

Security Performance Gap—The 25% Divide

One of the report’s most striking findings is the huge gap between top and bottom-performing organizations:

  • Top 25% of companies fix 10%+ of vulnerabilities each month
  • Bottom 25% fix less than 1% per month
  • Top companies have security debt in only 17% of apps, while bottom companies have security debt in 67%

This suggests that security culture, automation, and proactive vulnerability management play a crucial role in an organization’s ability to mitigate risks effectively.
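The report's three headline measures (the share of applications with critical security debt, the third-party share of that debt, and the monthly fix rate of the top and bottom quartiles) can be reproduced over an organization's own scanner export. The block below is an added example, not Veracode's code or data: the `Finding` record layout, the application names, severities and dates are all constructed assumptions, and "critical security debt" is taken as the report defines it, a high-severity flaw left open for more than a year.

```python
from dataclasses import dataclass
from datetime import date
from typing import Optional

@dataclass
class Finding:
    app: str
    severity: str                  # "high", "medium" or "low"
    origin: str                    # "first-party" or "third-party"
    opened: date
    fixed: Optional[date] = None   # None: still open

# Constructed sample findings (hypothetical apps, dates and severities).
FINDINGS = [
    Finding("billing", "high", "third-party", date(2023, 11, 2)),
    Finding("billing", "medium", "first-party", date(2024, 9, 5), date(2024, 10, 1)),
    Finding("portal", "high", "first-party", date(2024, 12, 20)),
    Finding("portal", "high", "third-party", date(2023, 8, 14)),
    Finding("api", "low", "first-party", date(2025, 1, 10), date(2025, 1, 25)),
    Finding("api", "high", "first-party", date(2025, 1, 3), date(2025, 2, 20)),
    Finding("api", "high", "first-party", date(2024, 1, 15)),
    Finding("mobile", "medium", "first-party", date(2025, 2, 1)),
]
AS_OF, FEB_START, MAR_START = date(2025, 3, 1), date(2025, 2, 1), date(2025, 3, 1)

def security_debt(findings, as_of, max_age_days=365, severities=("high",)):
    """Open findings of the given severities that have stayed open longer than max_age_days."""
    return [f for f in findings if f.fixed is None and f.severity in severities
            and (as_of - f.opened).days > max_age_days]

def apps_with_critical_debt(findings, as_of):
    """Fraction of applications carrying at least one high-severity flaw open for over a year."""
    debt_apps = {f.app for f in security_debt(findings, as_of)}
    return len(debt_apps) / len({f.app for f in findings})

def third_party_share(findings, as_of):
    """Share of the critical security debt that originates in third-party code."""
    debt = security_debt(findings, as_of)
    return sum(f.origin == "third-party" for f in debt) / len(debt) if debt else 0.0

def monthly_fix_rate(findings, start, end):
    """Findings closed within [start, end) as a fraction of the findings open at start."""
    open_at_start = [f for f in findings
                     if f.opened < start and (f.fixed is None or f.fixed >= start)]
    closed = [f for f in open_at_start if f.fixed is not None and f.fixed < end]
    return len(closed) / len(open_at_start) if open_at_start else 0.0

if __name__ == "__main__":
    print(f"apps with critical debt:   {apps_with_critical_debt(FINDINGS, AS_OF):.0%}")
    print(f"third-party share of debt: {third_party_share(FINDINGS, AS_OF):.0%}")
    print(f"February fix rate:         {monthly_fix_rate(FINDINGS, FEB_START, MAR_START):.0%}")
```

Fed a real SAST/SCA export, a fix rate under 1% per month or a debt share well above the report's 17% puts an organization in the bottom quartile the article describes.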

Encouraging Signs Amidst the Challenges

Despite the increase in fix times, some metrics indicate progress in security awareness and best practices:

  • The percentage of applications free from OWASP Top 10 vulnerabilities has increased from 32% in 2020 to 52% in 2025
  • The prevalence of high-severity flaws has been halved since 2016

These improvements suggest that while new challenges arise, organizations that prioritize secure coding practices, DevSecOps, and continuous monitoring can significantly reduce risk.

Final Thoughts: A Call to Action

The software security landscape is evolving rapidly, but delayed fixes, AI-generated risks, and third-party dependencies remain major challenges. Organizations must:

  1. Adopt a proactive security mindset—Security cannot be an afterthought.
  2. Improve fix times—Automate vulnerability remediation where possible.
  3. Prioritize third-party code security—Regularly audit dependencies.
  4. Leverage AI responsibly—Use AI tools with built-in security best practices.
  5. Close the security performance gap—Learn from

References:

Reported By: https://www.infosecurity-magazine.com/news/software-vulnerabilities-nine/