The cybersecurity landscape is in constant flux, shaped by emerging technologies, evolving threats, and increasing regulatory demands. As organisations strive to protect their digital ecosystems, the challenge isn’t just collecting data—it’s turning that data into actionable strategies that drive meaningful change.
Next week, we’ll unveil the 16th edition of Veracode’s flagship State of Software Security (SoSS) report—a cornerstone of the cybersecurity calendar. One analyst likened it to “receiving the Sears catalogue at Christmas,” and with good reason. It’s one of the industry’s most comprehensive analyses of how organisations are tackling application risk management.
This year’s report promises to deliver fresh insights into the evolving AI-driven security landscape, from critical security debt to the ever-pressing challenges of software supply chain security. We’ll examine what has improved and which areas still need attention from security practitioners. But before we dive into what’s next, let’s take a moment to reflect on the impact of last year’s report and why it continues to be a must-read for security professionals worldwide.
2025 in Review: A Snapshot of Security Maturity
The 2025 SoSS report introduced a groundbreaking “new view of maturity,” comparing the top and bottom 25% of organisations across five key metrics: Flaw Prevalence, Fix Capacity, Fix Speed, Security Debt Prevalence, and Open-Source Critical Debt. These metrics offered a clear lens into how organisations systematically reduce risk—or fall behind.
Based on an analysis of 1.3 million unique applications and 126.4 million raw findings, the report revealed the extent of security debt, primary drivers of risk, and strategies for remediation. It also uncovered both progress and persistent challenges in these areas.
Against the backdrop of regulations like the U.S. Securities and Exchange Commission (SEC) cybersecurity disclosure ruling and the E.U. Cyber Resilience Act, last year’s report highlighted a shift toward more disciplined risk management. Yet, it also underscored the need for a strategic, context-driven approach to tackling exploitable vulnerabilities.
Global Impact: The Numbers Speak for Themselves
The 2025 report didn’t just make waves—it generated widespread media interest across the globe. Here’s a snapshot of its reach and influence among reporters:
- Global Reach: Our press release alone reached a potential audience of 208.3 million and was viewed more than 10,500 times.
- Media Coverage: 113 journalists from the U.S., U.K., France, Italy, Australia, and beyond covered the report, including Dan Raywood for SC Magazine, Alan Shimel at Techstrong TV, Christian Vasquez at Fortune, and David Jones at Cybersecurity Dive. Editorial media coverage reached around 380 million readers worldwide, with a UVM (unique visitors per month) of 59 million in the first month.
- Diverse Audience: The report resonated with a broad spectrum of readers, from CISOs and IT leaders to DevOps professionals and public sector decision-makers.
Why the State of Software Security Matters More Than Ever
The SoSS report isn’t just a collection of data; it’s a catalyst for change. It sparks conversations, influences strategies, and helps organisations benchmark their security maturity. Last year’s findings inspired countless discussions about the future of application risk management, and this year’s report is poised to do the same on an even larger scale.
Without giving too much away, I can tell you this: the 2026 report will shine a light on emerging trends and offer actionable insights that could redefine how organisations approach security. From the rise of AI-driven threats to the growing importance of software supply chain security, this year’s report is packed with insights you won’t want to miss.
Stay Tuned for the Big Reveal
As we gear up for the launch of SoSS’s sweet 16, we invite you to join us in celebrating the progress we’ve made and the challenges that lie ahead. Mark your calendars for the report’s launch on 24 February, and sign up for the webinar on 26 February 2026 for a deep dive into this year’s critical findings and the key trends driving software security in the AI era.
Here’s to another year of driving innovation, reducing risk, and making the digital world a safer place.