2025 State of Software Security

Partner: Veracode

Realizing progress in software security requires a risk-based perspective that moves beyond traditional patching to focus on the flaws that are actually exploitable and on shortening the feedback loop between discovery and fix. This 15th volume of the State of Software Security (SoSS) analyzes 1.3 million applications to establish a new benchmark for AppSec maturity. While regulatory shifts like the U.S. Secure by Design initiative have improved OWASP Top 10 pass rates, security debt remains a persistent burden for nearly three-quarters of organizations.

The data reveals a stark divergence between leading and lagging organizations. Top performers fix half of their flaws in just five weeks, while the bottom 25% take over a year to reach the same milestone. This remediation gap is widened by the volume of new flaws introduced during development, a process that is now showing the signs of AI-assisted code generation.

Third-party code and the software supply chain are the primary engines of critical debt. First-party flaws have a half-life (the time it takes to fix half of them) of 8 months; third-party flaws stretch that half-life to 12 months. The report also presents evidence that developer training is an effective countermeasure: teams using Security Labs achieve flaw half-lives 7.5 months shorter than teams without training.

Key Findings

  • 181% High-Severity Surge: The percentage of applications containing high-severity flaws has increased by 181% since 2020 when accounting for all scan types (SAST, DAST, and SCA).
  • The 82% Debt Barrier: 82% of organizations currently carry security debt (flaws >1 year old), representing an 11% increase in prevalence in just one year.
  • Supply Chain Debt Dominance: 70% of all critical security debt (high severity and high exploitability) originates from third-party code and the software supply chain.
  • Training Efficiency Gain: Teams that utilize interactive security training see flaw half-lives of 5 months, compared to 12.6 months for untrained teams.
  • 47% Fix Slowdown: The average number of days required to fix a software flaw has increased by 47% over the last five years.
  • Critical Risk Ratio: Only a small minority of flaws (8.4%) rank high for both severity and exploitability, providing a clear focal point for resource-strained teams.
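The findings above rest on three metrics: security debt (open flaws older than a year), critical debt (the subset that is both high severity and highly exploitable), and flaw half-life (the time until half of a cohort of flaws is fixed). The block below is an added example, not Veracode's code or methodology, showing how a team could compute the same metrics from its own scan export. It assumes a simplified finding record, uses an EPSS-style probability score with an assumed 0.1 threshold as the exploitability signal, and runs on a small constructed data set. The half-life uses a Kaplan-Meier survival estimate so that still-open flaws count as censored observations rather than being dropped, which is the detail most home-grown dashboards get wrong.

```python
"""Security-debt and flaw half-life metrics from a scan export.

Added example; the Finding record, the EPSS threshold and the data are assumptions.
"""
from dataclasses import dataclass
from datetime import date
from typing import Optional


@dataclass
class Finding:
    id: str
    first_seen: date           # date the scanner first reported the flaw
    closed: Optional[date]     # None = still open at the report date (censored)
    severity: str              # "low" | "medium" | "high" | "critical"
    epss: float                # exploit probability in [0, 1] (assumed EPSS score)
    third_party: bool          # True = introduced via a dependency (SCA)


AS_OF = date(2025, 1, 31)      # report cut-off date
EPSS_THRESHOLD = 0.1           # assumed cut-off for "high exploitability"


def age_days(f: Finding, as_of: date = AS_OF) -> int:
    """Days from first sighting to fix, or to the cut-off if still open."""
    return ((f.closed or as_of) - f.first_seen).days


def is_debt(f: Finding, as_of: date = AS_OF) -> bool:
    """Security debt: open and older than one year."""
    return f.closed is None and age_days(f, as_of) > 365


def is_critical(f: Finding) -> bool:
    """Critical = high severity AND high exploitability."""
    return f.severity in ("high", "critical") and f.epss >= EPSS_THRESHOLD


def debt_summary(findings, as_of: date = AS_OF) -> dict:
    debt = [f for f in findings if is_debt(f, as_of)]
    crit = [f for f in debt if is_critical(f)]
    third = [f for f in crit if f.third_party]
    return {
        "debt": len(debt),
        "critical_debt": len(crit),
        "critical_third_party_share": len(third) / len(crit) if crit else 0.0,
    }


def half_life_days(findings, as_of: date = AS_OF) -> Optional[int]:
    """Kaplan-Meier estimate of the time at which half of the flaws are fixed.

    Open findings are right-censored at as_of: they stay in the at-risk set until
    their observed age and then leave without counting as a fix. Returns None when
    fewer than half of the cohort has been fixed within the observation window.
    """
    obs = sorted((age_days(f, as_of), f.closed is not None) for f in findings)
    at_risk = len(obs)
    survival = 1.0
    i = 0
    while i < len(obs):
        t = obs[i][0]
        fixed = total = 0
        while i < len(obs) and obs[i][0] == t:   # group ties at the same age
            fixed += obs[i][1]
            total += 1
            i += 1
        if fixed:
            survival *= (at_risk - fixed) / at_risk
            if survival <= 0.5:
                return t
        at_risk -= total
    return None


def report(findings, as_of: date = AS_OF) -> dict:
    """Metrics split by origin, mirroring the first- vs third-party comparison."""
    out = debt_summary(findings, as_of)
    out["half_life_all"] = half_life_days(findings, as_of)
    out["half_life_first_party"] = half_life_days([f for f in findings if not f.third_party], as_of)
    out["half_life_third_party"] = half_life_days([f for f in findings if f.third_party], as_of)
    return out


# Constructed sample export (not real scan data).
SAMPLE = [
    Finding("F1", date(2024, 1, 10), date(2024, 2, 10), "high", 0.30, False),
    Finding("F2", date(2024, 1, 10), date(2024, 3, 10), "medium", 0.01, False),
    Finding("F3", date(2023, 6, 1), None, "high", 0.50, True),
    Finding("F4", date(2023, 11, 15), None, "high", 0.02, False),
    Finding("F5", date(2024, 8, 1), date(2025, 1, 31), "high", 0.40, True),
    Finding("F6", date(2022, 3, 1), None, "critical", 0.90, True),
    Finding("F7", date(2024, 4, 1), date(2024, 4, 15), "low", 0.00, False),
    Finding("F8", date(2023, 9, 1), None, "high", 0.20, False),
]

if __name__ == "__main__":
    print(report(SAMPLE))
```

On the sample, the first-party cohort reaches its half-life at 60 days while the third-party cohort never does within the window, so the function returns None for it instead of a misleading average of the few fixes that happened. Treating open flaws as censored rather than ignoring them is what makes that distinction visible.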

The findings are based on empirical analysis of 1.3 million unique applications and 126.4 million raw findings across SAST, DAST, and SCA scans conducted via Veracode’s cloud platform.