Veracode’s latest State of Software Security report, based on analysis of more than 1.6 million applications, highlights a critical trend: software vulnerabilities are accumulating faster than organizations can remediate them. In an era of accelerated development and widespread use of AI tools, achieving robust application security is becoming increasingly difficult.
Security Debt: When Known Vulnerabilities Remain Unfixed
A central concept in the report is security debt—known vulnerabilities that stay unresolved for more than 12 months. This is essentially a form of technical debt focused on cybersecurity: a backlog of risk that organizations either consciously accept or lack the capacity to address.
According to Veracode, 82% of organizations now carry measurable security debt, up from 74% the previous year. The risk profile of that debt is worsening: the share of serious flaws with a high likelihood of exploitation increased from 8.3% to 11.3%. In practice, this means production environments are more likely to contain precisely the kinds of weaknesses attackers prefer to target.
The findings are drawn from a combination of static application security testing (SAST), dynamic application security testing (DAST), software composition analysis (SCA) and manual penetration testing. This multi-layered approach surfaces not only flaws in proprietary code, but also weaknesses introduced via third‑party libraries and frameworks—now a dominant part of most modern applications.
Positive Trend: Fewer Vulnerable Open-Source Components
Despite the growth in security debt, Veracode also identifies encouraging signs. The share of applications containing vulnerabilities in open-source components dropped from 70% to 62%, and overall defect prevalence fell from 80% to 78%.
This shift suggests organizations are improving software supply chain security: updating dependencies more proactively, deploying SCA tools, and tracking known issues in third‑party components against sources such as CVE and NVD. It also reflects the maturation of DevSecOps practices, where automated security checks are embedded into CI/CD pipelines rather than bolted on at the end.
More Vulnerabilities Found: Better Testing or More Noise?
The report notes that the growing number of identified issues is partly driven by broader adoption of security testing tools. Code, infrastructure and dependencies are being scanned more frequently and more deeply, revealing vulnerabilities that previously went unnoticed.
However, Veracode highlights a significant caveat: the true rate of false positives remains unclear. Some of the apparent surge in vulnerabilities may be an artifact of noisy tools rather than a genuine decline in code quality. This uncertainty has operational consequences—development and security teams can become overwhelmed, spending substantial time triaging non‑actionable findings instead of addressing real risk.
AI, Release Velocity and Growing Architectural Complexity
Development Speed Outpaces Vulnerability Remediation
Another critical trend identified in the report is the acceleration of release cycles. Features are shipped more frequently, codebases change more rapidly, and deployment pipelines grow more automated. Under these conditions, teams often fail to keep pace with remediation, especially for issues initially categorized as “non‑critical”.
The result is a persistent speed gap: code is written, merged and released faster than vulnerabilities can be analyzed, prioritized and fixed. Over time, this creates a swelling vulnerability backlog that hardens into structural security debt, increasing both the likelihood and potential impact of security incidents.
AI-Generated Code as a Risk Multiplier
Veracode pays particular attention to the rapid growth of AI-generated code. AI-powered coding assistants enable developers to produce more code in less time, but they also increase architectural complexity and can introduce insecure patterns at scale if not carefully governed.
As systems become more complex and interconnected, identifying and fixing vulnerabilities becomes significantly harder. The report stresses that human oversight of AI tools is essential. In practice, however, security is often deprioritized in favor of speed, or implicitly delegated to the AI itself. At the same time, AI-based security tools can generate large volumes of ambiguous alerts, further contributing to “alert fatigue” and decision overload for reviewers.
From Reactive Patching to Strategic Risk Management
Veracode concludes that the current pace of development, amplified by AI, makes comprehensive security unattainable with existing approaches. The remediation backlog has reached what the report describes as a “crisis level”, and incremental tweaks are unlikely to be sufficient. Several strategic shifts emerge as necessary:
1. Adopt a risk-based vulnerability management model. Organizations should prioritize issues based on business impact, exploitability in real-world conditions and the criticality of affected systems—not only on technical severity scores. Integrating threat intelligence, exploit likelihood models and asset context can help focus scarce remediation resources where they materially reduce risk.
2. Embed security into the software development lifecycle (SDLC). Security reviews for key features, combined use of SAST, DAST and SCA, secure coding training for developers, and clear SLAs for remediation times by severity level are now baseline expectations. Continuous testing within CI/CD, including for infrastructure-as-code and cloud configurations, reduces the chance that vulnerabilities linger in production for months or years.
3. Implement human-in-the-loop governance for AI tools. AI should act as an accelerator, not an autonomous decision-maker. Security recommendations from AI systems require expert validation, and detection thresholds and policies must be regularly tuned. Documented guardrails for AI-generated code, code review standards and mandatory security checks are essential to prevent AI from amplifying insecure practices.
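To make the first two shifts concrete, the following is an added Python example (not from the report or from Veracode) that applies the report's 12-month security-debt definition to a constructed findings backlog and re-orders it by exploit likelihood, asset criticality and SLA overrun rather than by severity alone. The findings, the per-severity SLA days and the score weights are all assumptions chosen for illustration.

```python
from datetime import date

# Constructed sample backlog (not report data). Fields are assumptions:
# exploit_likelihood = estimated chance of real-world exploitation (0..1),
# asset_criticality  = business impact of the affected system (1 low .. 3 high).
FINDINGS = [
    {"id": "F-1", "severity": "high",     "exploit_likelihood": 0.02,
     "asset_criticality": 1, "opened": date(2025, 8, 10)},
    {"id": "F-2", "severity": "medium",   "exploit_likelihood": 0.60,
     "asset_criticality": 3, "opened": date(2024, 1, 15)},
    {"id": "F-3", "severity": "critical", "exploit_likelihood": 0.05,
     "asset_criticality": 2, "opened": date(2025, 8, 28)},
    {"id": "F-4", "severity": "low",      "exploit_likelihood": 0.40,
     "asset_criticality": 3, "opened": date(2023, 11, 2)},
]
TODAY = date(2025, 9, 1)  # fixed reference date so results are reproducible

SEVERITY_RANK = {"critical": 4, "high": 3, "medium": 2, "low": 1}
# Assumed remediation SLA (days) per severity: an organizational policy choice.
SLA_DAYS = {"critical": 7, "high": 30, "medium": 90, "low": 180}
DEBT_THRESHOLD_DAYS = 365  # report definition: unresolved for more than 12 months

def age_days(finding, today):
    return (today - finding["opened"]).days

def security_debt(findings, today):
    """Findings open longer than 12 months, i.e. the report's security debt."""
    return [f for f in findings if age_days(f, today) > DEBT_THRESHOLD_DAYS]

def debt_share(findings, today):
    """Fraction of the backlog that has hardened into security debt."""
    return len(security_debt(findings, today)) / len(findings)

def sla_breached(finding, today):
    return age_days(finding, today) > SLA_DAYS[finding["severity"]]

def risk_score(finding, today):
    """Risk-based priority: exploit likelihood x asset criticality, scaled
    up (assumed 1.5x) once the finding has overrun its severity SLA."""
    base = finding["exploit_likelihood"] * finding["asset_criticality"]
    return base * (1.5 if sla_breached(finding, today) else 1.0)

def severity_order(findings):
    """Traditional ordering: highest technical severity first."""
    return [f["id"] for f in sorted(findings, key=lambda f: -SEVERITY_RANK[f["severity"]])]

def risk_order(findings, today):
    """Risk-based ordering: highest real-world risk first."""
    return [f["id"] for f in sorted(findings, key=lambda f: -risk_score(f, today))]

if __name__ == "__main__":
    print("security debt:", [f["id"] for f in security_debt(FINDINGS, TODAY)],
          f"({debt_share(FINDINGS, TODAY):.0%} of backlog)")
    print("severity-only order:", severity_order(FINDINGS))
    print("risk-based order:   ", risk_order(FINDINGS, TODAY))
```

In this constructed backlog the severity-only queue puts the low-likelihood high-severity finding second, while the risk-based queue moves the two long-lived, exploitable findings on critical assets to the top.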
For organizations that rely on complex software ecosystems, Veracode’s State of Software Security report is a clear signal to reassess strategy. Simply adding more scanners or more AI tools will not resolve the underlying issue if processes, prioritization and culture remain unchanged. Systematically measuring and managing security debt—with executive support, clear ownership and risk-based decision-making—significantly reduces the probability that long‑standing vulnerabilities will escalate into costly security incidents and lasting reputational damage.