State of Software Security, Vol. 9

Partner: Veracode

Business competitiveness now hinges on the speed and quality of software delivery, yet application security often struggles to keep pace. Volume 9 of the State of Software Security (SOSS) draws on Veracode's scan data, representing roughly 2 trillion lines of code, to measure how quickly organizations fix flaws once they are identified. The report moves beyond simple prevalence benchmarks to examine which factors accelerate or stall remediation.

The research highlights a long persistence tail for security flaws: one week after discovery only about 15% are closed, and nearly 55% remain open three months later. Risk therefore lingers long after detection. The report's central evidence is that organizational behavior, specifically scanning frequency and a DevSecOps mentality, can cut these fix times by more than 11-fold.

Industry and technical variables also play a major role in fix velocity. Healthcare organizations currently lead, reaching the 75%-closed milestone eight months faster than the average. The study is intended as a roadmap for teams moving from a reactive "whack-a-mole" approach to a mature, data-driven secure development lifecycle.

Key Findings

  • Staggering Vulnerability Prevalence: 85% of all applications have at least one vulnerability, and 13% contain at least one flaw of critical severity.
  • The Month-One Remediation Gap: More than 70% of all discovered flaws remain open 30 days after they are first reported to developers.
  • Scan Frequency Multiplier: Flaws persist 3.5x longer in applications scanned only 1 to 3 times per year compared to those tested 7 to 12 times per year.
  • DevSecOps “Unicorn” Performance: The most active DevSecOps programs fix software flaws more than 11.5x faster than the typical organization.
  • Persistent Critical Weaknesses: SQL injection flaws remain present in 1-in-3 applications, while Cross-Site Scripting (XSS) is found in nearly 50%.
  • Component Supply Chain Risk: Approximately 88% of Java applications and 92% of C++ applications contain at least one vulnerable third-party component.
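The persistence and scan-frequency findings above are metrics any team can compute from its own scanner export. The following Python is an added example, not code or methodology from the report or from Veracode: it computes the share of flaws closed within N days of discovery and a Kaplan-Meier median time-to-fix per scan-cadence bucket. The inventory, the application names, the snapshot date and the scans-per-year figures are all constructed for illustration, and the bucket edges are assumed rather than taken from the report. The point a practitioner most often gets wrong is how to treat flaws that are still open: dropping them, or excluding them from a median, understates persistence, so here they are right-censored at the snapshot date instead.

```python
"""Remediation-velocity metrics from a flaw inventory (added example).

Not Veracode's code or methodology.  Open flaws are right-censored at the
snapshot date rather than dropped, so that unfixed flaws still count against
the time-to-fix estimate.
"""
from dataclasses import dataclass
from datetime import date
from typing import Optional


@dataclass(frozen=True)
class Flaw:
    app: str
    severity: str
    opened: date            # date first reported to developers
    closed: Optional[date]  # None = still open at the snapshot


SNAPSHOT = date(2018, 4, 30)  # assumed export date of the inventory

# Assumed scan cadence per application (hypothetical apps and numbers).
SCANS_PER_YEAR = {"billing": 12, "legacy-portal": 2}

# Constructed sample inventory; values chosen to exercise censoring.
FLAWS = [
    Flaw("billing", "high", date(2018, 1, 1), date(2018, 1, 5)),
    Flaw("billing", "medium", date(2018, 1, 1), date(2018, 1, 20)),
    Flaw("billing", "high", date(2018, 1, 10), date(2018, 2, 10)),
    Flaw("billing", "low", date(2018, 2, 1), date(2018, 2, 4)),
    Flaw("billing", "medium", date(2018, 4, 25), None),         # 5 days observed
    Flaw("billing", "medium", date(2018, 1, 15), date(2018, 4, 10)),
    Flaw("legacy-portal", "high", date(2017, 6, 1), date(2017, 12, 1)),
    Flaw("legacy-portal", "critical", date(2017, 6, 1), None),  # open 333 days
    Flaw("legacy-portal", "medium", date(2017, 9, 1), date(2018, 1, 15)),
    Flaw("legacy-portal", "low", date(2017, 11, 1), date(2017, 12, 20)),
    Flaw("legacy-portal", "high", date(2018, 3, 1), None),      # open 60 days
    Flaw("legacy-portal", "medium", date(2017, 6, 1), date(2017, 6, 10)),
]


def observed(flaw, snapshot=SNAPSHOT):
    """(days observed, closed?) -- an open flaw is censored at the snapshot."""
    end = flaw.closed if flaw.closed is not None else snapshot
    return (end - flaw.opened).days, flaw.closed is not None


def fraction_closed_by(flaws, days, snapshot=SNAPSHOT):
    """Share of flaws closed within `days` of discovery.

    Only flaws discovered at least `days` before the snapshot are counted: a
    flaw found yesterday cannot yet tell us whether it gets fixed in 30 days.
    """
    eligible = [f for f in flaws if (snapshot - f.opened).days >= days]
    if not eligible:
        return float("nan")
    closed_in_time = sum(
        1 for f in eligible
        if f.closed is not None and (f.closed - f.opened).days <= days)
    return closed_in_time / len(eligible)


def km_survival(flaws, snapshot=SNAPSHOT):
    """Kaplan-Meier estimate of P(flaw still open after t days) as [(t, S(t))]."""
    obs = [observed(f, snapshot) for f in flaws]
    survival, curve = 1.0, []
    for t in sorted({d for d, _ in obs}):
        at_risk = sum(1 for d, _ in obs if d >= t)        # still open just before t
        closures = sum(1 for d, c in obs if d == t and c)  # fixed exactly at t
        if closures:
            survival *= 1 - closures / at_risk
            curve.append((t, survival))
    return curve


def km_median(flaws, snapshot=SNAPSHOT):
    """First day at which S(t) reaches 0.5; None if most flaws are still open."""
    for t, s in km_survival(flaws, snapshot):
        if s <= 0.5:
            return t
    return None


def scan_bucket(scans_per_year):
    """Cadence buckets; the edges are assumed, not taken from the report."""
    if scans_per_year <= 3:
        return "1-3/yr"
    if scans_per_year <= 6:
        return "4-6/yr"
    if scans_per_year <= 12:
        return "7-12/yr"
    return "13+/yr"


def median_fix_by_scan_bucket(flaws, cadence=SCANS_PER_YEAR, snapshot=SNAPSHOT):
    """Kaplan-Meier median days-to-fix for each scan-frequency bucket."""
    groups = {}
    for f in flaws:
        groups.setdefault(scan_bucket(cadence[f.app]), []).append(f)
    return {bucket: km_median(fs, snapshot) for bucket, fs in groups.items()}


if __name__ == "__main__":
    for days in (7, 30, 90):
        print(f"closed within {days:>2} days: {fraction_closed_by(FLAWS, days):.0%}")
    print("median days-to-fix by scan cadence:", median_fix_by_scan_bucket(FLAWS))
```

On this constructed data the rarely scanned application has a Kaplan-Meier median of 136 days against 19 for the frequently scanned one. Taking the median of only the closed legacy-portal flaws would give 92.5 days, because the two flaws that are still open (60 and 333 days and counting) are silently excluded; that survivorship bias is why a persistence analysis must treat open flaws as censored rather than missing.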

Data source: analysis of 2 trillion lines of code across 700,000 scans performed on Veracode's global platform between April 2017 and April 2018.