2025-02-27

Software security flaws are taking longer to fix than ever, new research shows, with remediation times having grown by 47% in the last five years.

Statistics from Veracode's 15th State of Software Security report show the average time it takes an organization to fix a vulnerability has risen from 171 days in 2020 to 252 days today.

This marks a highly concerning increase, the study warned, and is nearly triple the figure recorded 15 years ago when the annual report was first issued.

"The attack surface has become increasingly complicated, particularly in the last couple of years with the explosion of AI engineering," said Chris Wysopal, chief security evangelist at Veracode.

Alongside that, half of organizations carry "critical security debt": flaws left unpatched or without mitigation for longer than a year. Most of that debt, some 70%, comes via third-party code or the software supply chain.

"Our investigations provide solid evidence that organizations can drive down debt, but many need help to prioritize which vulnerabilities to tackle first," said Wysopal.

However, there is good news according to Veracode. While the volume of flaws, including high-severity flaws, remains high, the overall proportion of applications containing flaws in the OWASP Top 10 and CWE Top 25 categories is "steadily declining".

"Of particular note, the prevalence of high-severity flaws has been cut in half over the last decade," the study noted.

Mind the software security gap

The average figures mask the reality that some companies are in a much worse state than others with regard to software security, Veracode found.

When it comes to critical security debt, some organizations have almost none, while others are "drowning in it", the company said. Among top-performing companies, fewer than 17% of applications have flaws older than a year, while struggling organizations have such flaws in 67% of their applications.

"The gap between the top 25% and bottom 25% of organizations is fascinating," Wysopal said.

"The results raise the question of which factors account for the marked differences in how organizations manage security debt and what teams can do to tackle it."

That security gap is echoed across other metrics, Veracode noted. Organizations with more mature security approaches, which Veracode deems "leading", have flaws in fewer than 43% of applications, while "lagging" companies have flaws in 86% or more of their applications.

The same is true for the rate at which flaws are fixed, Veracode noted. Leaders resolve 10% of flaws monthly and half within five weeks, while lagging companies resolve fewer than 1% of flaws monthly and take longer than a year to fix half of the vulnerabilities they find.

Previous research by Veracode found that security debt was particularly challenging for the public sector, with six in ten applications containing flaws left unpatched for more than a year, versus 42% across the private sector.

Within the private sector, industries including finance, healthcare, and IT were found to be the most likely to leave serious flaws unaddressed, according to research from Black Duck.

Software security flaws cost billions each year

Software security flaws have become a major issue for developers in recent years, separate research shows, and the burden is pushing many teams to breaking point.

An IDC report commissioned by software firm JFrog found that half of developers spend 19% of their weekly hours on security-related tasks, often outside normal working hours.

All told, identifying and remediating software security flaws is costing these firms a fortune, with IDC estimating that organizations spend around $28,000 per developer each year on remediation.