Veracode’s 2024 Software‑Security Report – A Reality Check
Veracode, a vendor of application security testing, has just released its State of Software Security (SoSS) 2024 report. The headline finding: security debt is still piling up faster than teams can pay it down.
What’s Security Debt Anyway?
The report defines security debt as flaws that remain unfixed for more than a year after they were first detected. By that yardstick, 42% of applications carry such "stale" flaws, and 71% of organisations have at least one application with security debt.
Critical Gaps – And Why You Should Care
- Critical security debt, meaning high-severity flaws that have gone unfixed for over a year, affects 46% of organisations. Those are not audit tick-marks; they are live risks to confidentiality, integrity and availability.
- Third-party code heals more slowly: half of the flaws found in third-party code are still open after 11 months, compared with 7 months for flaws in first-party code.
- Third-party code is also where flaws are more common. Roughly 70% of applications have flaws in the external libraries they pull in, versus 63% with flaws in their own code.
The Silver Lining
Hold on, there is a heartening trend too. The prevalence of high-severity flaws has halved since 2016. That is a genuine win for the industry and proof that the numbers can move when teams put in the work.
Speed Wins the Day
Teams with the fastest remediation cut their critical security debt by 75%. The share of their applications carrying critical debt drops from 22.4% to just over 5%, and they are four times less likely to let critical debt accumulate in the first place.
Chris Eng Got the Message
“While we’re definitely seeing progress in the security arena, this is the wake‑up call everyone needs,” said Chris Eng, Chief Research Officer at Veracode. “If you want to slash security debt, start by tackling high-severity flaws head‑on, give extra love to third‑party code, and adopt slick development practices. That’s how you’ll elevate the overall state of software security.”
Bottom line: fix flaws quickly, keep a close eye on third-party libraries, and the security debt starts to shrink. It is not just about shipping software, it is about shipping safe software.
Addressing AI and the software supply chain
AI‑Powered Development: A Hidden Danger?
Think GitHub Copilot is a bug-free turbo-charger? You are not alone; plenty of engineers have been dazzled by its speed and ease. But that speed has a darker side: a significant share of the code it produces contains security flaws.
Key Takeaways
- Research cited in the report found that 36% of code snippets produced by Copilot contain at least one security weakness.
- These vulnerabilities can pile up, creating a growing “security debt” that organisations struggle to pay back.
- When AI-generated snippets are pasted in as quick fixes across many projects, the same flaw is replicated through the software supply chain, so the risk is not confined to a single codebase.
Why It Matters
Fast, AI-driven development is a double-edged sword. It speeds up delivery, but it also slips in insecure snippets that go unnoticed because nobody reviewed them as carefully as hand-written code. Over time those flaws accumulate, compromising applications, data and user trust.
What You Can Do
1⃣ Regularly review AI‑generated code for security.
2⃣ Integrate automated security scans into your CI/CD pipeline.
3⃣ Keep your team’s security expertise sharp—because no machine remembers every best practice.
In short, treat AI tools as a helpful sidekick, not a silver bullet. AI suggestions need the guard rail of human review and automated scanning to keep a fast-growing codebase from turning into a fast-growing pile of security debt.
Risk prioritisation is key
How Well Are App Teams Keeping Their Tickets In Check?
Veracode's data shows an uncomfortable truth: only 64% of applications have enough fix capacity to eliminate all of their critical security debt. Put plainly, more than a third of applications cannot clear their critical debt at their current remediation rate.
Fix‑Rate Fails
Even when a team has the muscle to tackle the problem, its fix rate rarely hits the mark:
- Only 2 in 10 applications fix more than 10% of their open flaws in a given month.
- And the capacity that does exist is often spent on lower-severity issues, leaving the critical flaws that could actually break the application in place.
A Silver Lining Among the Red Flags
But there is a bright spot: only 3% of all flaws qualify as critical security debt. That small slice carries most of the risk lurking in your applications, so concentrating remediation effort on it is the fastest way to bring risk down.
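To make the definitions above concrete, here is a small triage gate in Python. It is an added example written for this post, not code from Veracode's report or its tools. It takes a constructed list of scan findings (no data from the report is included), applies the report's definition of security debt (a flaw open for more than a year), flags critical debt (high-severity debt), orders the fix queue so the critical slice comes first, and returns a pass/fail result that a CI/CD pipeline (step 2 in the "What You Can Do" list above) could use to fail a build. The Finding fields, the severity names and the 365-day threshold are assumptions made for the example.

```python
"""Security-debt triage gate (added example; assumed data model, not Veracode's)."""
from dataclasses import dataclass
from datetime import date
from typing import List, Optional, Tuple

DEBT_AGE_DAYS = 365                      # report: flaws unfixed for more than a year
HIGH_SEVERITIES = {"high", "very_high"}  # assumed severity labels
SEVERITY_RANK = {"very_high": 4, "high": 3, "medium": 2, "low": 1}


@dataclass(frozen=True)
class Finding:
    id: str
    cwe: int
    severity: str       # one of SEVERITY_RANK's keys (assumed)
    first_seen: date    # date the scanner first reported the flaw
    origin: str         # "first_party" or "third_party" (assumed)

    def age_days(self, today: date) -> int:
        return (today - self.first_seen).days

    def is_debt(self, today: date) -> bool:
        return self.age_days(today) > DEBT_AGE_DAYS

    def is_critical_debt(self, today: date) -> bool:
        return self.is_debt(today) and self.severity in HIGH_SEVERITIES


def debt_summary(findings: List[Finding], today: date) -> dict:
    """Count total flaws, security debt, critical debt and third-party debt."""
    debt = [f for f in findings if f.is_debt(today)]
    critical = [f for f in debt if f.severity in HIGH_SEVERITIES]
    third_party = [f for f in debt if f.origin == "third_party"]
    total = len(findings)
    return {
        "total": total,
        "debt": len(debt),
        "critical_debt": len(critical),
        "third_party_debt": len(third_party),
        "critical_share_pct": round(100.0 * len(critical) / total, 1) if total else 0.0,
    }


def prioritize(findings: List[Finding], today: date) -> List[Finding]:
    """Fix queue: critical debt first, then by severity, then third-party, then oldest."""
    return sorted(
        findings,
        key=lambda f: (
            not f.is_critical_debt(today),          # critical debt sorts first
            -SEVERITY_RANK.get(f.severity, 0),      # higher severity first
            f.origin != "third_party",              # third-party before first-party
            f.first_seen,                           # oldest first
        ),
    )


def months_to_clear_critical_debt(findings: List[Finding], today: date,
                                  monthly_fixes: int) -> Optional[float]:
    """Rough capacity check (assumed model): months needed to clear critical debt if
    every fix the team lands in a month goes to critical debt first. None if the team
    fixes nothing and still has critical debt."""
    critical = debt_summary(findings, today)["critical_debt"]
    if monthly_fixes <= 0:
        return 0.0 if critical == 0 else None
    return critical / monthly_fixes


def ci_gate(findings: List[Finding], today: date, max_critical_debt: int = 0) -> Tuple[bool, str]:
    """Return (passed, reason); fail the build when critical debt exceeds the allowance."""
    summary = debt_summary(findings, today)
    if summary["critical_debt"] > max_critical_debt:
        return False, f"{summary['critical_debt']} high-severity flaw(s) older than {DEBT_AGE_DAYS} days"
    return True, "no critical security debt"


# Constructed sample findings for the example (not real scan output).
TODAY = date(2024, 3, 1)
SAMPLE = [
    Finding("F1", 79, "medium", date(2023, 12, 1), "first_party"),     # young XSS, not debt
    Finding("F2", 89, "very_high", date(2022, 11, 15), "first_party"), # SQLi, 472 days: critical debt
    Finding("F3", 502, "high", date(2022, 9, 1), "third_party"),       # library deserialization, 547 days
    Finding("F4", 200, "low", date(2021, 1, 1), "third_party"),        # old info leak: debt, not critical
    Finding("F5", 78, "high", date(2024, 2, 20), "first_party"),       # new command injection, not debt
]

if __name__ == "__main__":
    print(debt_summary(SAMPLE, TODAY))
    print([f.id for f in prioritize(SAMPLE, TODAY)])
    print(ci_gate(SAMPLE, TODAY))
```

Run as a script the gate reports two pieces of critical debt (F2 and F3) and fails; wire `ci_gate` to your pipeline's exit status and the build blocks until those two are fixed, while the newer high-severity F5 still sits near the top of the queue so it never ages into debt.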
Enter the AI Power‑Ups
Chris Eng wrapped it up on a hopeful note: “Artificial Intelligence isn’t just a buzzword—it’s a software security super‑hero. It lets us not only calm the older, buried treasure chest of security debt but also swoop in on fresh bugs that pop up.”
He added that the majority of Common Weakness Enumeration (CWE) categories, from medium through very high severity, can be remediated with AI-generated code fixes from Veracode's Veracode Fix tool.
