2024 State of Software Security

Partner: Veracode

Security debt is no longer a localized problem; it is an endemic condition affecting the majority of the software landscape. This 14th edition of the State of Software Security draws on Veracode’s 18 years of historical data to define and measure “security debt”: flaws that remain unremediated for longer than one year. The report moves beyond simple flaw counts to analyze how this debt accumulates across industries, languages, and the modern software supply chain.

The research highlights a significant divergence in remediation capacity, showing that for many teams the rate at which new flaws are introduced decisively outstrips their ability to fix them. While high-severity flaws have dropped to half of 2016 levels, the persistence of “critical debt” in third-party libraries poses a distinct challenge. Because developers tend to prioritize their own code, third-party flaws take 50% longer to fix, creating a large, long-lived attack surface that requires its own management strategy.

Ultimately, the report serves as a data-backed roadmap for debt elimination. It demonstrates that developer education and programmatic interventions, such as Security Labs, can reduce the prevalence of debt by 11% and accelerate fix times by several months. By focusing remediation effort on the 3% of flaws that constitute the riskiest debt, organizations can begin to reverse the tide and achieve a more sustainable security posture.

Key Findings

  • 42% Application Indebtedness: Approximately 42% of all active applications carry security debt, defined as flaws that have remained open for longer than 365 days.
  • 71% Organizational Prevalence: A staggering 70.8% of all organizations analyzed have security debt in their portfolio, and nearly half (46%) carry critical security debt.
  • Third-Party Fix Delay: Flaws in third-party code take 50% longer to remediate than first-party code, with a half-life of 11 months compared to just 7 months for internal code.
  • Supply Chain Risk Concentration: While 90% of total debt exists in first-party code, third-party code accounts for two-thirds of the debt rated as “critical” severity.
  • Remediation Capacity Ceiling: Only 11% of applications demonstrate a sustained remediation capacity sufficient to eliminate all of their critical security flaws.
  • The “3% Solution”: Prioritizing just 3% of flaws—those classified as critical security debt—represents the most efficient path to maximizing risk reduction for resource-constrained teams.

The findings are based on a longitudinal analysis of over 1 million applications and 120 million raw findings across SAST, DAST, and SCA scans conducted via Veracode’s cloud-based platform.