Overview 10 Years of SOSS Key FindingsSecurity DebtDevSecOps EffectRead the Report

The 2019 Veracode State of Software Security represents the 10th version of the report. Much like the application security industry, the report has evolved over the past 10 years to focus more on fix trends than on finding security defects. Like previous reports, SOSS volume 10 provides insights into the most common types of vulnerabilities, practices that lead to improved fix rates, and industry performance. The report found that the majority of flaws are remediated (56%) and that companies scanning more often carry about 5X less security debt than the lightest scanners. Why? Because these teams have automated security testing, have made security activities habitual, ensure that security issues stay top of mind, and end up fixing more flaws – suggesting DevSecOps practices improve overall software security.

Read the report to gain valuable perspective on the state of software security today.

  • 1.4M

    scans analyzed for the report

  • 85,000

    applications scanned over 12 months

  • 83%

    of apps have one security flaw on initial scan

  • 2 in 3 apps

    fail to pass tests based on OWASP Top 10 and SANS 25

Soss X - State of Software Security Vol. 10 Key Findings

State of Software Security Vol. 10 Key Findings


The 10th volume of the State of Software Security report found that 83% of applications have at least one vulnerability upon first scan. The report also found that companies prioritize fixing newly discovered vulnerabilities, creating a long tail of security debt for vulnerabilities that aren’t fixed in a timely manner, and that companies that test more frequently have higher fix rates. Together, these findings underscore the need for security testing throughout the software development lifecycle.

For more of the top takeaways from this year’s report, check out the infographic.

Soss X - Security Debt

Security Debt


When companies test applications for vulnerabilities, they prioritize which security defects to fix based on a number of business objectives. While this is best practice, it can also create a backlog of vulnerabilities that are not fixed. Companies that create a dedicated process for addressing this security debt are most successful at lowering their security debt and thus their overall risk.

Watch the video to learn more about the current state of software security.

 Key Findings
Soss X - DevSecOps Effect

DevSecOps Effect


One way companies address security debt is through DevSecOps programs. The study found that companies tend to fix the most recently found vulnerabilities. More frequent scanning through a DevSecOps process allows companies to find security defects throughout the development lifecycle and results in more frequent fixing and lower security debt.

SOSS X - State of Software Security by Industry - Overview

State of Software Security by Industry


Veracode’s State of Software Security (SOSS) Volume 10 focused on the topic of security debt, defined as the amount of unaddressed flaws that accumulate in software over time. The report revealed about half of application teams added to their security debt, a little over a quarter paid it down, and a quarter maintained a steady balance. As you might suspect, our analysis showed that debt profiles differed substantially among industries. Below you’ll find industry infosheets that summarize the factors that shape the debt profile exhibited in the chart on the right.

  • Financials
  • Government and Education
  • Healthcare
  • Infrastructure
  • Manufacturing
  • Retail
  • Technology
    • Soss X - Advance Your Organization

    Advance Your Organization’s Application Security Program


    The speed at which organizations fix flaws they discover in their code directly mirrors the level of risk incurred by applications. The faster organizations close vulnerabilities, the less risk software poses over time. But the sheer volume of open flaws within applications means that your development teams need to find effective ways to prioritize which flaws they fix first. Security debt can build up over time. We find that companies that combine integrating security into the development process with a dedicated program for addressing security debt are the most successful at reducing their overall risk.

    Veracode vulnerability remediation consulting can help your organization put together an efficient remediation plan to eliminate application vulnerabilities.