"Security Debt" as the New Reality of Software Development
📊 Analytics | 2026-03-06, 12:07
Veracode has released its report on the state of software security for 2026. The key takeaway: developers still can't fix vulnerabilities as fast as they're being discovered.
The study analyzed 1.6 million applications tested on the Veracode platform — from commercial software to open‑source projects.
Within this research, the company introduced the term "security debt", defined as the presence of known vulnerabilities in applications that remain unpatched for more than a year after discovery.
Key figures:
🔺 The share of organizations with "security debt" rose from 74% to 82%.
🔺 60% of organizations encountered critical security vulnerabilities in 2026 (up from 50% the previous year).
🔺 Overall vulnerability prevalence in software dropped to 78% (from 80% a year earlier).
🔺 The average time to remediate vulnerabilities decreased from 252 days to 243.
🔺 66% of long‑term critical vulnerabilities stem from dependencies and third‑party components (supply chain).
Veracode notes that developers can no longer keep up with fixing every discovered flaw. The company therefore urges a shift from a "fix‑everything" mindset to prioritizing the most critical and actively exploited weaknesses, assessed through more accurate metrics and tools.
This study once again highlights the growing challenges in software development. "Security debt" is no longer an exception — for most companies it has become a systemic condition. Notably, a large share of critical vulnerabilities originate from third‑party components. This means risks arise not only within development teams but across the entire software supply chain. Despite a slight reduction in remediation times, the total backlog of vulnerabilities continues to grow. For attackers, this provides a steady pool of known weaknesses to reuse. In essence, we're facing a structural issue: the volume of code and dependencies is expanding faster than teams' ability to secure it.
Read the full study in the original report by Veracode.