Enterprises still can't get a handle on software security debt – and it’s only going to get worse
New research shows that the backlog of unresolved vulnerabilities is growing faster than organizations can deal with it
Four-in-five organizations are drowning in software security debt, new research shows, and the backlog is only getting worse.
More than eight in ten organizations (82%) told Veracode that they are now contending with cumbersome levels of security debt, an 11% increase on last year.
Of those, 60% carry security debt classed as “critical”: accumulated vulnerabilities severe enough to cause catastrophic damage to the organization if exploited.
Findings from the company's 2026 State of Software Security Report show the backlog of unresolved vulnerabilities is growing faster than teams can eliminate it.
Moreover, the problem is only made worse by a 36% year-over-year spike in high-risk vulnerabilities, categorized as flaws that are both severe and highly exploitable.
"The speed of software development has skyrocketed, meaning the pace of flaw creation is outstripping the current capacity for remediation,” said Chris Wysopal, chief security evangelist at Veracode.
“Despite marginal gains in fix rates, security debt is becoming a much larger issue for many organizations."
Organizations are discovering more vulnerabilities as their testing programs mature and expand. Meanwhile, the accelerating pace of software releases creates a continuous stream of new code before existing vulnerabilities can be addressed.
Software security debt exacerbated by AI
Notably, Veracode found the growing technical complexity of applications, particularly those incorporating AI-generated code and extensive third-party dependencies, makes remediation more complex and resource-intensive.
Researchers said a 20% year-over-year increase in critical security debt suggests that the accumulation of risky vulnerabilities older than a year is outpacing remediation capacity, creating an urgent need to rethink how backlogs are managed.
Third-party libraries and open-source dependencies were behind 66% of the most dangerous, longest-lived vulnerabilities, the researchers said, while AI development is introducing new high-risk vulnerability patterns at scale.
"Now that AI has taken software development velocity to an unprecedented level, enterprises must ensure they’re making deliberate, intelligent choices to stem the tide of flaws and minimize their risk," said Wysopal.
The rise in flaws classed as both “severe” and “highly exploitable” means organizations need to shift from generic severity scoring to prioritization based on real-world attack potential, advised Veracode.
As such, researchers called for a shift from simple detection toward a more strategic framework of Prioritize, Protect, and Prove.
This approach enables organizations to prioritize their most valuable systems and applications, such as those holding sensitive data, delivering core services, or impacting overall operations.
“We are at an inflection point where running faster on the treadmill of vulnerability management is no longer a viable strategy. Success requires a deliberate shift,” said Wysopal.
"Teams must prioritize the 11.3% of flaws that pose real-world danger, protect their critical assets through automated remediation, and prove that their security posture meets the rigorous demands of modern compliance. It is not about fixing everything; it is about managing security debt by minimizing its most consequential risks.”
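To make the prioritization argument concrete, here is an added triage example that is not part of the article or Veracode's own methodology. It takes a small constructed backlog of findings and applies the three ideas above: a flaw is “high-risk” only when it is both severe and exploitable, anything unfixed for more than a year is security debt, and the critical subset of that debt is where remediation effort should go first. The thresholds (CVSS 7.0 for severe, an EPSS probability of 0.10 or presence in CISA's KEV list for exploitable, 365 days for debt), the asset tiers and the sort order are all assumptions chosen for illustration, not figures from the report.

```python
from dataclasses import dataclass
from datetime import date

# Thresholds below are assumptions for this example, not Veracode's published criteria.
SEVERE_CVSS = 7.0        # CVSS v3 "High" or above counts as severe
EXPLOITABLE_EPSS = 0.10  # EPSS probability at or above this counts as likely to be exploited
DEBT_AGE_DAYS = 365      # open for more than a year counts as security debt

# Asset criticality weights (assumed tiers: crown_jewel / core_service / internal).
ASSET_WEIGHT = {"crown_jewel": 3, "core_service": 2, "internal": 1}


@dataclass(frozen=True)
class Finding:
    id: str
    app: str
    asset_tier: str   # one of the ASSET_WEIGHT keys
    cvss: float       # CVSS base score, 0..10
    epss: float       # EPSS probability, 0..1 (would come from the FIRST EPSS feed)
    in_kev: bool      # listed in CISA's Known Exploited Vulnerabilities catalog
    first_seen: date  # date the scanner first reported the flaw
    third_party: bool # flaw lives in a dependency rather than first-party code


def age_days(f: Finding, today: date) -> int:
    return (today - f.first_seen).days


def is_severe(f: Finding) -> bool:
    return f.cvss >= SEVERE_CVSS


def is_exploitable(f: Finding) -> bool:
    # KEV membership is a confirmed-exploitation signal, so it overrides the EPSS threshold.
    return f.in_kev or f.epss >= EXPLOITABLE_EPSS


def is_high_risk(f: Finding) -> bool:
    # "Severe and highly exploitable": both conditions must hold.
    return is_severe(f) and is_exploitable(f)


def is_debt(f: Finding, today: date) -> bool:
    return age_days(f, today) > DEBT_AGE_DAYS


def priority_key(f: Finding, today: date):
    # Sorted descending: high-risk first, then confirmed exploitation, then exploit
    # probability, severity, asset criticality and finally age as a tie-breaker.
    return (
        is_high_risk(f),
        f.in_kev,
        f.epss,
        f.cvss,
        ASSET_WEIGHT.get(f.asset_tier, 0),
        age_days(f, today),
    )


def triage(findings: list[Finding], today: date) -> dict:
    """Rank a backlog and pull out the subsets a remediation plan should start from."""
    ranked = sorted(findings, key=lambda f: priority_key(f, today), reverse=True)
    high_risk = [f for f in ranked if is_high_risk(f)]
    debt = [f for f in ranked if is_debt(f, today)]
    critical_debt = [f for f in debt if is_high_risk(f)]
    third_party_critical = [f for f in critical_debt if f.third_party]
    return {
        "ranked": ranked,
        "high_risk": high_risk,
        "debt": debt,
        "critical_debt": critical_debt,
        "high_risk_share": len(high_risk) / len(findings) if findings else 0.0,
        "third_party_share_of_critical_debt": (
            len(third_party_critical) / len(critical_debt) if critical_debt else 0.0
        ),
    }


# Constructed sample backlog (IDs, apps and scores are made up for this example).
TODAY = date(2026, 2, 1)
BACKLOG = [
    Finding("F-001", "payments-api",    "crown_jewel",  9.8, 0.94, True,  date(2024, 6, 10),  True),
    Finding("F-002", "payments-api",    "crown_jewel",  9.1, 0.02, False, date(2025, 11, 20), False),
    Finding("F-003", "intranet-wiki",   "internal",     5.3, 0.45, False, date(2024, 1, 15),  True),
    Finding("F-004", "customer-portal", "core_service", 8.8, 0.31, False, date(2024, 12, 1),  False),
    Finding("F-005", "customer-portal", "core_service", 7.5, 0.12, False, date(2025, 9, 5),   False),
    Finding("F-006", "build-server",    "internal",     3.1, 0.001, False, date(2023, 3, 2),  False),
    Finding("F-007", "intranet-wiki",   "internal",     7.2, 0.05, False, date(2025, 1, 10),  True),
    Finding("F-008", "payments-api",    "crown_jewel",  6.5, 0.03, False, date(2025, 12, 20), False),
]

if __name__ == "__main__":
    result = triage(BACKLOG, TODAY)
    print(f"high-risk share of backlog: {result['high_risk_share']:.1%}")
    print("fix first (critical security debt):", [f.id for f in result["critical_debt"]])
    print("full ranking:", [f.id for f in result["ranked"]])
```

Two things the sample shows that the severity-only view hides: F-002 has a higher CVSS score than F-005 but is not high-risk because nothing indicates it is being exploited, while F-003 is well below the severe threshold yet carries a large exploit probability and has sat in the backlog for two years. Swapping the order of fields in `priority_key` changes who gets fixed first, so that order is a policy decision to be made deliberately rather than left to the scanner's default sort.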
Emma Woollacott is a freelance journalist writing for publications including the BBC, Private Eye, Forbes, Raconteur and specialist technology titles.