State of Software Security, Vol. 10

Partner: Veracode

Marking a decade of research, SOSS Volume 10 provides a unique "Then vs. Now" comparison of the application security landscape. While awareness has grown by leaps and bounds, the core problem identified 10 years ago remains: most software is still very insecure. This milestone report focuses on the emerging crisis of "security debt", the accumulation of aging, unresolved flaws that weighs permanently on application resilience.

A surprising finding of this decade-long review is that the "typical" (median) time to fix a flaw has stayed stuck at 59 days since Volume 1. Most fixes still happen quickly, but a growing "long tail" of unresolved findings is pulling the average (mean) time to remediation ever further above that median. The report quantifies how language choice and scan cadence either add to or pay down this debt, giving developers a survival guide for the modern codebase.

Habit-building emerges as the primary differentiator for leading programs. Organizations that have moved to a continuous, daily scanning model see a 72% reduction in median time to remediate relative to applications that are scanned infrequently. The research shows that the ability to consistently pay down security debt, addressing new findings while chipping away at the old, is what separates high-performing development teams from those being buried by accumulated risk.

Key Findings

  • 50-Fold Sample Growth: The SOSS dataset has expanded from 1,591 applications in Volume 1 to over 85,000 applications in Volume 10.
  • Static Median Fix Times: The typical time to remediate flaws remains unchanged at 59 days over the last decade, indicating a stalemate in general fix speed.
  • Daily Scanning Efficacy: Applications scanned 260+ times per year (roughly once per working day) bring median TTR down to just 19 days, a 72% reduction relative to infrequently scanned applications.
  • The “Recency Bias” Trap: A flaw has a 22% chance of being fixed in its first month, but that likelihood drops to a mere 3-5% once it is more than eight months old.
  • Language-Specific Debt: C++ applications carry security debt that is 3x to 5x larger than that of .NET applications over the sample period.
  • Fix Capacity Divide: 30% of applications are losing ground, discovering flaws faster than they can fix them and thus increasing their total security debt.
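
The metrics behind these findings (median versus mean time to remediate, fix probability by flaw age, per-application find-rate versus fix-rate, and the aged open backlog that constitutes security debt) can be computed from any finding export. The example below is added here to make them concrete; it is not Veracode's code, and the three applications and their finding dates are constructed for illustration. Median and mean are taken over closed findings only; the age-bucket probability is a simple discrete-time hazard that drops open findings too young to have lived through the bucket, so they do not bias it downward.

```python
"""Remediation metrics of the kind SOSS tracks, computed from a finding export.
Added example with a constructed dataset; not Veracode's code, and every
application name and date below is invented for illustration."""
from dataclasses import dataclass
from datetime import date
from statistics import mean, median
from typing import Optional


@dataclass(frozen=True)
class Finding:
    app: str
    found: date
    fixed: Optional[date] = None   # None: still open as of the report date


# Constructed sample: three applications, observed as of AS_OF.
AS_OF = date(2019, 10, 1)
PERIOD_START = date(2019, 7, 1)    # window for the find-rate vs fix-rate check
FINDINGS = [
    # app-a scans daily and closes everything within a month
    Finding("app-a", date(2019, 6, 1), date(2019, 6, 15)),
    Finding("app-a", date(2019, 7, 1), date(2019, 7, 20)),
    Finding("app-a", date(2019, 8, 1), date(2019, 8, 30)),
    Finding("app-a", date(2019, 9, 10), date(2019, 9, 25)),
    # app-b scans rarely and carries a long tail of old, open findings
    Finding("app-b", date(2019, 1, 1), date(2019, 3, 31)),
    Finding("app-b", date(2018, 10, 1), date(2019, 9, 1)),
    Finding("app-b", date(2018, 6, 1)),
    Finding("app-b", date(2019, 8, 15)),
    Finding("app-b", date(2019, 9, 1)),
    # app-c fixes slowly but is currently closing more than it finds
    Finding("app-c", date(2019, 5, 1), date(2019, 9, 15)),
    Finding("app-c", date(2018, 11, 1), date(2019, 7, 9)),
    Finding("app-c", date(2018, 12, 1)),
    Finding("app-c", date(2019, 9, 20)),
]


def ttr_days(f: Finding, as_of: date) -> int:
    """Days the finding was open (if closed) or has been open so far (if not)."""
    return ((f.fixed or as_of) - f.found).days


def median_ttr(findings, as_of):
    """Typical fix time: the median over closed findings only."""
    return median([ttr_days(f, as_of) for f in findings if f.fixed])


def mean_ttr(findings, as_of):
    """Average fix time over closed findings; the long tail pulls this up."""
    return mean([ttr_days(f, as_of) for f in findings if f.fixed])


def fix_probability_by_age(findings, as_of, window=30, starts=(0, 240)):
    """Chance that a flaw still open at age `start` days is fixed within the
    next `window` days (a discrete-time hazard). Open findings that have not
    yet lived to start+window are censored and excluded from that bucket."""
    out = {}
    for start in starts:
        at_risk = fixed = 0
        for f in findings:
            life = ttr_days(f, as_of)
            if life < start:                       # never open at this age
                continue
            if f.fixed is None and life < start + window:
                continue                           # too young to judge yet
            at_risk += 1
            if f.fixed is not None and life < start + window:
                fixed += 1
        out[start] = fixed / at_risk if at_risk else None
    return out


def fix_capacity(findings, start, end):
    """Per app, (found, fixed) counts in [start, end) and the share of apps
    that found more than they fixed, i.e. whose security debt grew."""
    per_app = {}
    for f in findings:
        counts = per_app.setdefault(f.app, [0, 0])
        if start <= f.found < end:
            counts[0] += 1
        if f.fixed is not None and start <= f.fixed < end:
            counts[1] += 1
    per_app = {app: tuple(c) for app, c in per_app.items()}
    losing = sum(1 for found, fixed in per_app.values() if found > fixed)
    return per_app, losing / len(per_app)


def security_debt(findings, as_of, aged=180):
    """Open backlog: number of open findings, their cumulative open-days,
    and how many have aged past `aged` days (the long tail)."""
    ages = [ttr_days(f, as_of) for f in findings if f.fixed is None]
    return {"open": len(ages), "open_days": sum(ages),
            f"older_than_{aged}d": sum(1 for a in ages if a > aged)}


if __name__ == "__main__":
    print("median TTR (closed):", median_ttr(FINDINGS, AS_OF), "days")
    print("mean TTR (closed):  ", mean_ttr(FINDINGS, AS_OF), "days")
    print("P(fixed in next 30d | age):", fix_probability_by_age(FINDINGS, AS_OF))
    per_app, losing = fix_capacity(FINDINGS, PERIOD_START, AS_OF)
    print("found/fixed per app:", per_app, f"losing ground: {losing:.0%}")
    print("open backlog:", security_debt(FINDINGS, AS_OF))
```

On this constructed data the median TTR is 59 days while the mean is 111 days, which is exactly the gap a long tail of old findings produces; app-b is the one application losing ground in the quarter because it found two flaws and fixed one. Swapping the sample list for a real export (one row per finding with its first-seen and, if any, closed date) gives the same metrics for a live portfolio.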

Longitudinal analysis of 85,000 active applications, 1.4 million scans, and nearly 10 million security findings.