Security debt, defined as flaws that remain unfixed for longer than a year, exists in 42% of applications and 71% of organizations, according to Veracode.
Worryingly, 46% of organizations have persistent, high-severity flaws that constitute ‘critical’ security debt, putting businesses at serious risk in terms of impact on confidentiality, integrity, and availability.
According to the report, 63% of applications have flaws in first-party code, while 70% contain flaws in third-party code imported via third-party libraries.
This highlights the importance of testing both types throughout the software development life cycle. Remediation rates also vary by flaw type—fixing third-party flaws takes 50% longer, with half the known flaws fixed after 11 months, compared to seven months for first-party flaws.
Significant drop in high-severity app flaws
There is good news, however: high-severity security flaws in applications have decreased by half since 2016, indicating progress in software security practices and that speed of remediation has a material impact on critical security debt.
The report reveals development teams that fix flaws the fastest reduce critical security debt by 75%—from 22.4% of applications to just over 5%. Moreover, these fast-acting teams are four times less likely to let critical security debt materialize in their applications in the first place.
“While we continue to see improvements in the security landscape, these findings are a wake-up call for organizations to address their security debt head-on. By prioritizing flaw remediation, focusing on third-party code security, and adopting efficient development practices, organizations can significantly reduce their security debt and enhance the overall state of software security across the board,” said Chris Eng, Chief Research Officer at Veracode.
In an era where AI is rapidly revolutionizing software development, the report highlights a concerning trend. Eng said, “Despite the speed and efficiency AI brings to software development, it does not necessarily produce code that’s secure. Research has shown that 36% of code generated by GitHub CoPilot contains security flaws.”
This proliferation of insecure code at scale poses a significant risk to organizations and the software supply chain, leading to the accumulation of security debt over time.
New era of software security with AI
The research also found remediation capacity among teams to be constrained, with only 64% of applications having a remediation capacity that’s sufficient to eliminate critical security debt.
In fact, only two out of ten applications show an average monthly fix rate that exceeds 10% of all security flaws. This suggests, even in cases where teams’ fix capacity is sufficient, they are not prioritizing critical flaws.
Despite this, there is hope for success. Only 3% of all flaws constitute critical security debt, and this subset represents the largest risk exposure for applications. By prioritizing that 3%, organizations can achieve maximum risk reduction with focused effort.
“AI also paves the way for a new frontier in software security by empowering organizations to scale remediation efforts and more easily address the long backlog of security debt, as well as new flaws that emerge,” Eng concluded.