/feb 14, 2024

Addressing the Threat of Security Debt: Unveiling the State of Software Security 2024

By Chris Eng

Today, I’m proud to share our 14th annual State of Software Security report. Our 2024 report shines a spotlight on the pressing issue of security debt in applications, and it provides a wake-up call to organizations worldwide. The demand for speed and innovation has resulted in the accumulation of risk known as security debt. As Chief Research Officer at Veracode, I’m deeply committed to empowering businesses to confront the challenges posed by security debt. Let’s dive in. 

The Changing Landscape of Software and Cybersecurity  

Our 2024 report research began based on findings from our 2023 report. We explored factors that affect flaw introduction, remediation times, and security debt. We found that applications grow by about 40% year on year irrespective of their original size. As these apps grow and age, flaws accumulate, further driving up security debt. 

This year we sought to figure out, “How risky is security debt really? Is it worth tackling? And if it’s worth tackling, what’s the best way to do it?” 

A few landscape factors went into this thinking, too, starting with digital transformation. According to Harvard Business Review: “89% of large companies globally have a digital and AI transformation underway”. Speaking of AI, a GitHub study reports: “92% of U.S.-based developers are already using AI coding tools both in and outside of work.” While these advancements bring numerous benefits, they also introduce new cybersecurity challenges. 

Studies1 have repeatedly shown that code developed by AI contains about the same percentage of security flaws as that generated by humans. So, while AI may accelerate code velocity, it’s likely to also accelerate the introduction of new flaws. 

This need for speed and innovation has led to the potential for an even greater accumulation of security debt, where flaws remain unfixed for extended periods – but to what extent does this accumulation lead to risk? The key findings are even more than we bargained for. 

Unveiling the Key Findings 

For the purposes of the report, we are defining security debt as flaws that remain unremediated for over one year. Different organizations will have different standards for what constitutes debt, but, for the purposes of analysis, it’s more straightforward if we draw a single line and stick with it. 

The State of Software Security 2024 report reveals that security debt exists in 42% of applications and a staggering 71% of organizations. Even more concerning is the fact that 46% of organizations have persistent, high-severity flaws that constitute 'critical' security debt. These vulnerabilities pose a significant risk to businesses, as we define severity as the potential impact on confidentiality, integrity, and availability. 

Data showing 70.8% of organizations have security debt and 45.9% have critical security debt

Securing the Software Supply Chain: The Role of Third-Party Code 

Where does all this security debt live? One of the major contributors to security debt is the use of third-party code from open-source libraries. Our research shows that approximately 70% of applications contain flaws in third-party code. Fixing these vulnerabilities takes organizations 50% longer than fixing first-party flaws, with half of the known open-source flaws remaining unresolved for eleven months.

graph showing percent of security debt in third-party and first-party code

While first-party code makes up the vast majority of overall security debt, most critical security debt comes from third-party code. It's crucial for organizations to consider testing and remediation efforts for both first-party and third-party code throughout the software development life cycle (SDLC).  

For this reason, Veracode just announced a unified Integrated Development Environment (IDE) Plugin, combining Static Analysis (SAST) – for first party code – and Software Composition Analysis (SCA) – for third-party code. We’re making it easy for developers to find and fix vulnerabilities in the code they write and the code they borrow without having to leave the environment where they work. 

The Staggering Impact of Flaw Remediation Speed 

The report highlights a positive trend: high-severity security flaws in applications have decreased by half since 2016. This indicates progress in software security practices, and for that we applaud our customers. So, what actions do the leaders take to achieve these results? 

Our analysis reinforced the importance of speed in flaw remediation. Development teams that address flaws promptly can reduce critical security debt by a remarkable 75%. By fixing vulnerabilities quickly, these teams build habits and muscle memory around fixing security flaws, significantly enhancing their security posture and reducing the prevalence of security debt in their applications.

Data showing impact of remediation speed on security debt accumulation

The Way Forward: Integration and Prioritization 

The State of Software Security 2024 report serves as a wake-up call for organizations to address their security debt head-on. Our analysis shows that not every organization is applying its finite remediation capacity in the most effective way. It’s crucial to allocate resources and sustain programs to eliminate critical security debt, ensuring maximum risk reduction. 

Say your application team allocates enough capacity to fix 3% of known security flaws per month. Given that limitation, you’d want to prioritize the flaws constituting critical security debt before, say, the non-critical security debt. For a team with higher capacity, you might choose to pursue the critical non-debt or non-critical debt next. Either way, it’s important to have a prioritization strategy so that developer time is used in the most impactful way. 

Data showing percentage of critical and non-critical security debt and non-debt

The Role of AI in Security Debt Reduction 

Imagine someone trying to scoop water out of a boat to keep it from sinking, but there’s water coming in more quickly than they can bail it out. That’s what we’re getting at with remediation trends in this report.  

While AI presents challenges to cybersecurity, it also presents a new frontier in addressing it. Veracode's AI-driven remediation tool, Veracode Fix, can address many Common Weakness Enumeration (CWE) categories with severity ratings ranging from medium to very high. This innovative approach, leveraging a curated set of reference patches from our security research team, enables organizations to proactively reduce security debt and strengthen their software security posture. 

Diving Deeper into the State of Software Security 2024 

The State of Software Security 2024 report provides valuable insights into the challenges posed by security debt and offers actionable recommendations for organizations. It’s a call to action for businesses to prioritize flaw remediation, focus on third-party code security, and adopt efficient development practices. Together, we can tackle the rising tide of security debt and build a more secure digital future. 

To access the full State of Software Security 2024 report and gain deeper insights into the findings and recommendations, you can download your free copy here. Let us join forces to address security debt and enhance the overall state of software security across the board. 


1. Source: https://arxiv.org/abs/2108.09293; Source: https://arxiv.org/pdf/2310.02059.pdf; Source: https://arxiv.org/pdf/2211.03622.pdf

Related Posts

By Chris Eng

Chris Eng is Chief Research Officer at Veracode. A founding member of the Veracode team, he is responsible for all research initiatives including applied research and product security, as well as advising on product strategy and M&A. Chris is a frequent speaker at industry conferences and serves on the review board for Black Hat USA. He is also a charter member of MITRE's CWE/CAPEC Board. Bloomberg, Fox Business, CBS, and other prominent media outlets have featured Chris in their coverage. Previously, Chris was technical director at Symantec (formerly @stake) and an engineer at the National Security Agency. Chris holds a B.S. in Electrical Engineering and Computer Science from the University of California.