Introduction
The time organizations take to fix software security vulnerabilities has risen sharply in recent years, and unresolved flaws accumulate as security debt. The driver is the growing dependence on third-party code and the software supply chain, which puts vulnerable components outside the direct control of the teams that ship them.
Description
The average time to fix a software security vulnerability has reached 252 days [2] [5], up from 171 days five years ago and a 327% increase since the first edition of the report 15 years ago. The trend is attributed largely to reliance on third-party code and the software supply chain, which exposes organizations to reputational [4], financial [1] [4], and operational harm [1] [4] [3]. Half of organizations currently carry critical security debt [1] [3] [4], defined as high-severity vulnerabilities that have remained unresolved for more than a year [2]; about 70% of that debt originates in third-party code rather than first-party code [1] [2]. More broadly, 74.2% of organizations carry some form of security debt [2], a figure that also counts lower-severity flaws left open for over a year [2].
Remediation capability varies widely between organizations. The top 25% resolve more than 10% of their open flaws each month, and the highest performers remediate half of their flaws within five weeks [1] [3] [4]. The bottom 25%, by contrast, fix less than 1% of their flaws per month and can take more than a year to close half of the vulnerabilities they have identified [2]. The report offers a maturity framework that organizations can use to identify the factors driving their security debt and to benchmark themselves against peers [4]. The analysis covered 1.3 million unique applications and 126.4 million raw findings [2]; top performers carry security debt in fewer than 17% of their applications, compared with more than 67% for bottom performers [2]. The report also includes recommendations from practitioners and leading organizations for improving remediation practices [4].
Conclusion
Longer remediation times mean vulnerabilities stay exploitable for longer, so the growth in time-to-fix is itself a risk indicator. Organizations that measure their remediation rate, track how much debt has aged past a year, and prioritize the third-party components where most of that debt sits can reduce their exposure; the maturity framework and recommendations in the report provide a starting point. As reliance on third-party code continues to grow, this kind of proactive management of security debt becomes a prerequisite for long-term resilience.
References
[1] https://vmblog.com/archive/2025/02/27/veracode-reveals-half-of-organizations-burdened-by-critical-security-debt-with-70-stemming-from-third-party-code-and-the-software-supply-chain.aspx
[2] https://www.infosecurity-magazine.com/news/software-vulnerabilities-nine/
[3] https://www.veracode.com/press-release/veracode-reveals-half-of-organizations-burdened-by-critical-security-debt/
[4] https://www.afp.com/ar/node/3771507
[5] https://www.itpro.com/software/software-security-flaws-remediation