Organizations Struggle with Rising Software Security Debt, New Report Reveals
A recent report highlights a growing crisis in software security, with approximately 82% of organizations grappling with significant software security debt. According to findings from Veracode’s 2026 State of Software Security Report, this marks an 11% increase from the previous year. Alarmingly, 60% of those organizations classify their security debt as “critical,” meaning that uncovered vulnerabilities could lead to catastrophic consequences if exploited.
The report indicates that the backlog of unresolved vulnerabilities is expanding faster than organizations can address it. This issue is compounded by a staggering 36% increase in high-risk vulnerabilities, defined as severe and easily exploitable flaws. As Chris Wysopal, Chief Security Evangelist at Veracode, stated, “The speed of software development has skyrocketed, meaning the pace of flaw creation is outstripping the current capacity for remediation.”
The Complexity of Modern Software Development
Organizations are uncovering more vulnerabilities as their testing programs advance and mature. Despite these efforts, the rapid release cycle of software leads to a continuous influx of new code, often before existing vulnerabilities can be resolved.
Furthermore, the incorporation of AI-generated code and the reliance on third-party libraries complicate the remediation process. Veracode’s research found that third-party libraries and open-source dependencies are responsible for 66% of the most dangerous and long-standing vulnerabilities. The increasing complexity of software development, particularly with AI, introduces new patterns of high-risk vulnerabilities, exacerbating the existing challenges.
Wysopal emphasized the need for organizations to adapt their strategies in light of these challenges. “Now that AI has taken software development velocity to an unprecedented level, enterprises must ensure they’re making deliberate, intelligent choices to stem the tide of flaws and minimize their risk,” he noted.
Shifting Strategies to Combat Security Debt
The rise in vulnerabilities categorized as both “severe” and “highly exploitable” necessitates a shift in how organizations prioritize security. Veracode advocates moving beyond generic severity scoring to a more nuanced approach that focuses on the actual potential for real-world attacks. This involves transitioning from simple detection methods to a strategic framework of Prioritize, Protect, and Prove.
This approach allows organizations to concentrate on their most critical systems and applications, particularly those that manage sensitive data and core operational services. Wysopal articulated the urgency of this shift: “We are at an inflection point where running faster on the treadmill of vulnerability management is no longer a viable strategy. Success requires a deliberate shift.”
He further clarified the importance of focusing on the 11.3% of flaws that present real-world dangers. Organizations must protect their essential assets through automated remediation processes and demonstrate that their security measures meet modern compliance standards. “It is not about fixing everything; it is about managing security debt by minimizing its most consequential risks,” Wysopal concluded.
In light of these findings, organizations are urged to reassess their vulnerability management strategies and invest in more effective solutions to combat the growing burden of software security debt.
