State of Software Security, Vol. 11
Partner: Veracode
“Every company is a software company,” and the challenges of secure development have never been more pervasive. For the 11th edition of SOSS, we analyzed the full history of 130,000 active applications to understand the untold stories of remediation. This report introduces the concept of “nature vs. nurture,” distinguishing between the factors developers inherit (app size, age, debt) and the proactive actions they control (scanning frequency, API usage).
The analysis confirms that the “nature” of an application provides a significant head start or handicap. Large applications with high flaw density—the markers of security debt—typically remediate flaws two months slower than average. The report also shows that proactive “nurture” can overcome these handicaps: frequent scanning and the use of multiple scan types (DAST + SAST) can accelerate fix times by nearly a month.
Ultimately, software security is about making specific decisions that improve outcomes regardless of the environment. While most applications (76%) have flaws, only 24% have high-severity ones, suggesting that defenders are successfully prioritizing the most dangerous issues. This study serves as a guide for development teams to transition from “saving flaws for later” to a mature, continuous remediation model.
Key Findings
- Remediation Speed Divide: 50% of closed flaws are addressed within 86 days, yet 50% of open findings have been lingering for 216 days and counting.
- The Power of “Nurture”: Combining DAST with SAST scanning reduces the remediation half-life by 24.5 days.
- Security Debt Handicap: Higher flaw density (security debt) results in a remediation pace that is 63 days slower than the average.
- API Automation Benefit: Integrating SAST through an API correlates with flaws being fixed 17.5 days faster than manual scanning models.
- The “Barbell” Effect: JavaScript and Python applications tend to be either almost entirely homegrown or composed almost entirely of third-party code.
- Regional Resolution: Organizations in APAC fix high-severity flaws at a 91% rate, significantly outperforming EMEAR (85%) and the Americas (82%).

Comprehensive analysis of 132,000 applications and 10.7 million flaws covering the full development history of active repositories.