- Unlock the AI Skills to Transform Your Data Center
- Most US workers don't use AI at work yet. This study suggests a reason why
- OpenAI finally unveils GPT-4.5. Here's what it can do
- This $100 Android phone reminded me of my Pixel 9 Pro in the best way
- Are Your VM Scans Testing the Entirety of the Network?
Software Vulnerabilities Take Almost Nine Months to Patch
The average fix time for software security vulnerabilities has risen to eight and a half months, a 47% increase over the past five years, according to Veracode’s latest State of Software Security (SoSS) report.
The average fix time is also 327% higher compared to 15 years ago, largely as a result of increased reliance on third-party code and use of AI generated code.
Half (50%) of all organizations have critical security debt – defined as accumulated high severity vulnerabilities left open for longer than a year.
Over two-thirds (70%) of this critical security debt comes from third-party code and the software supply chain.
Around three-quarters (74.2%) of all organizations have some security debt, including lower severity flaws.
Chris Wysopal, Chief Security Evangelist at Veracode, commented: “The attack surface has become increasingly complicated, particularly in the last couple of years with the explosion of AI engineering. Last year’s report found 46% of organizations had high-severity security debt. While the year-on-year increase may seem marginal, it is going in the wrong direction.”
The analysis also found significant variations between different organizations’ maturity levels in finding and fixing software flaws.
The top 25% were able to fix more than 10% of their software flaws monthly, while the bottom 25% fixed less than 1% of vulnerabilities monthly.
Additionally, the top 25% performing organizations have security debt in less than 17% of their apps, while for the bottom 25% there is security debt in over 67% of apps.
The researchers analyzed 1.3 million unique applications containing 126.4 million raw findings.
Over Half of Applications Contain Critical Vulnerabilities
The new report found that more than half (56%) of apps contain high severity security vulnerabilities, while 80.3% contain any flaws.
Around two-thirds (64%) of apps have flaws in first-party code, while 70% of apps have flaws in third-party code.
Encouragingly, the proportion of apps that do not contain any flaws within the OWASP Top 10 vulnerabilities list has risen by 63% in the past five years, from 32% of apps in 2020 to 52% in 2025.
There has also been a steady decline in apps containing flaws in the SANS Institute Top 25 Software errors list.
According to Veracode’s rating system, the prevalence of high severity flaws has been cut in half since 2016.
