Major annual cybersecurity reports, like Veracode’s 2024 edition, highlight trends in security flaws, remediation times, and security debt across industries and code types. Key findings reveal that while high-severity flaws have decreased since 2016, persistent security debt and vulnerable third-party libraries remain significant challenges. #Veracode #SecurityDebt
Key points
- Cybersecurity vendor reports, such as Veracode’s 2024 release, typically include sections on key findings, the current state of software security, flaw prevalence, remediation timelines, security debt analysis, and supply chain security, providing a comprehensive overview of the threat landscape.
- These reports commonly present statistical data indicating that approximately 80% of applications contain unresolved security flaws, while the prevalence of high-severity flaws has fallen to roughly half of its 2016 peak, signaling improvement over time.
- Trending insights reveal that flaws in third-party code take 50% longer to fix than flaws in first-party code, which often turns them into security debt (flaws left unresolved for more than a year); such debt affects nearly 42% of applications and 71% of organizations.
- A recurring theme is that security flaws are pervasive across all major programming languages and application types, with legacy and large applications showing higher vulnerability and debt accumulation, especially in monolithic architectures.
- Recent key statistics emphasize that nearly two-thirds of security debt resides in first-party code, though critical security debt (high-severity flaws that remain unresolved) mainly persists in third-party libraries, underscoring supply chain risk.
- These reports highlight the importance of continuous scanning paired with prompt remediation, developer education, and scrutinizing open-source dependencies to effectively manage and reduce security debt in the evolving cyber threat landscape.
Source: Awesome Annual Security Reports - The reports in this collection are limited to content which does not require a paid subscription, membership, or service contract. (https://github.com/jacobdjwilson/awesome-annual-security-reports/)