The average fix time for security flaws in software is getting longer – from 171 days to 252 days over the past five years, according to the 15th edition of the State of Software Security (SoSS) report by a software security firm. Half of organisations now carry critical security debt, defined as accumulated flaws left open for longer than a year. Most of these vulnerabilities originate from third-party code and the software supply chain. Unresolved security debt leaves organisations open to attack, according to the study.
Chris Wysopal, Chief Security Evangelist at Veracode, said: “The attack surface has become increasingly complicated, particularly in the last couple of years with the explosion of AI engineering. Last year’s report found 46 percent of organisations had high-severity security debt. While the year-on-year increase may seem marginal, it is going in the wrong direction. Our investigations provide solid evidence that organisations can drive down debt, but many need help to prioritise which vulnerabilities to tackle first.”
Security debt
As for ‘security debt’, while some businesses have almost none and others are drowning in it, most fall somewhere in between, with a mix of debt-free and debt-ridden applications, the study suggests. Wysopal said: “The gap between the top 25 percent and bottom 25 percent of organisations is fascinating. The results raise the question of which factors account for the marked differences in how organisations manage security debt and what teams can do to tackle it.”
The research found the rate of applications passing the Open Worldwide Application Security Project (OWASP) Top 10 has increased by 63 percent over the past five years, and more than doubled in 15 years. New cybersecurity regulations in 2024, like the United States’ Securities and Exchange Commission (SEC) ruling and European Union Cyber Resilience Act, have contributed to this trend as software vendors take a more disciplined approach to risk management, the report said.
Visit www.veracode.com.