Software security debt piles up for organizations even as critical flaws drop

Overall, 80% of all active applications were detected to have unresolved flaws using Veracode’s SAST, DAST, and SCA scans, while this was 73% for SAST-only scans which consider issues specifically in the development phase of the applications.

Flaws detected in third-party, open-source components were on par with those detected in first-party codes. In fact, 63.4% of applications had flaws in first-party codes, while 70.2% of applications had flaws in the third-party code. This, the research noted, has to do with the wider AI adoption and necessitates deep scanning of both sources in the software supply chain.

Additionally, it was found that, on average, a typical application has 42 flaws for every 1 MB of code. Cross-site scripting, injection, path traversal, and vulnerable and outdated components were found to be the top flaws in applications with high intensity (average findings per application) and volume (percent of applications).

Security dept piles on

Software security debt, defined in the research as any flaw that persisted unremediated for over a year, was found in 42% of all applications. This number drops to 23% if applications less than one-year-old are added to the mix, meaning 57% of applications are with flaws but no debt.

The picture is a little different when critical security debt (unremediated critical flaws) is taken into account. “A large majority of organizations (71%) have security debt at some level,” according to the research. “And close to half of all firms (46%) have high-severity persistent flaws that we’ll classify as critical security debt.”

A quarter of organizations with security debt have security debt in less than 17% of applications, with a quarter of them having debt in more than 67% of applications, the research noted. On average, almost half of all the flaws (47%) an organization has can be attributed to security debt.