In recent news, it has been reported that the average fix time for software security vulnerabilities has increased significantly over the past five years. According to Veracode’s latest State of Software Security (SoSS) report, the average fix time now stands at eight and a half months, representing a 47% increase from five years ago. This rise in fix time is also a substantial 327% higher compared to 15 years ago, primarily attributed to the growing reliance on third-party code and the use of AI-generated code.
One alarming statistic highlighted in the report is that half of all organizations carry critical security debt, defined as accumulated high-severity vulnerabilities left open for longer than a year. This critical security debt is largely attributed to third-party code and issues within the software supply chain, which account for over two-thirds of all security debt across organizations. Additionally, approximately three-quarters of organizations were found to have some form of security debt, including lower-severity flaws.
Chris Wysopal, Chief Security Evangelist at Veracode, expressed concern over the increasing complexity of the attack surface, particularly with the rapid growth of AI engineering. Wysopal noted that while last year’s report indicated that 46% of organizations had high-severity security debt, the year-on-year increase is a troubling trend that needs to be addressed.
The report also identified significant disparities in the ability of organizations to find and fix software flaws. The top 25% of organizations were shown to fix more than 10% of their software flaws monthly, while the bottom 25% fixed less than 1% of vulnerabilities monthly. Furthermore, the top-performing organizations had security debt in less than 17% of their applications, compared to over 67% for the bottom-performing organizations.
In analyzing 1.3 million unique applications containing 126.4 million raw findings, the researchers found that more than half of apps contain high-severity security vulnerabilities, and 80.3% contain a flaw of some type. The report also revealed that around two-thirds of apps have flaws in first-party code, while 70% of apps have flaws in third-party code.
Despite these concerning findings, the report also noted some positive trends. The proportion of apps with no flaws from the OWASP Top 10 vulnerabilities list has increased by 63% in the past five years, from 32% in 2020 to 52% in 2025. Additionally, there has been a steady decline in apps containing flaws listed in the SANS Institute Top 25 Software Errors list.
Overall, Veracode’s report highlights the ongoing challenges organizations face in addressing software security vulnerabilities and the urgent need for improved practices in finding and fixing flaws. With the evolving threat landscape and increasing complexity of software development, it is crucial for organizations to prioritize security measures to ensure the protection of their systems and data.