Security debt surges as legacy vulnerabilities accumulate

Veracode’s 2026 State of Software Security finds remediation capacity falling behind development velocity, with third-party components driving the longest-lived high-risk exposure.

Enterprise application portfolios are carrying record levels of long-standing risk, with 82% of organisations now affected by “security debt” (vulnerabilities left unresolved for more than a year), according to the newly published 2026 State of Software Security research from Veracode. (Veracode)

The most acute signal is the growth in critical security debt, which Veracode reports now affects 60% of organisations, alongside a 36% year-on-year rise in high-risk vulnerabilities (those classed as both severe and highly exploitable). (Veracode) In the accompanying announcement, Veracode frames the trend as a widening gap between software delivery speed and the practical ability to fix what teams are already finding. (Business Wire)

A backlog problem, not a zero-day problem

Veracode’s findings reinforce a persistent reality for defenders: the dominant risk in many environments is not novel exploitation, but the long tail of known weaknesses that remain open long after fixes are available. As vulnerabilities age, attacker “cost” decreases because public write-ups, detection bypass guidance, and proof-of-concept tooling become easier to source and operationalise.

This dynamic is reflected in government prioritisation guidance as well. CISA’s Known Exploited Vulnerabilities (KEV) Catalog exists specifically to help organisations focus on vulnerabilities with confirmed in-the-wild exploitation, rather than treating CVSS alone as a sufficient prioritisation model. (cisa.gov)

Third-party components are the debt engine

A key datapoint in Veracode’s release is the concentration of the most persistent high-risk exposure in dependencies: third-party libraries and open-source components account for 66% of the most dangerous, longest-lived vulnerabilities in the dataset. (Business Wire)

That aligns with the OWASP Top 10, which lists “Vulnerable and Outdated Components” as a core web application risk category, reflecting the structural difficulty of inventorying, upgrading and validating dependency chains at scale. (owasp.org)

Why this keeps happening

Across large engineering organisations, security debt tends to compound for predictable reasons:

  • Release velocity outpaces remediation: backlog growth becomes systemic when teams are measured on delivery, not closure.
  • Dependency friction: upgrades introduce compatibility and regression risk, especially in legacy estates without strong CI test coverage.
  • Ownership gaps: third-party risk blurs accountability between platform teams, product teams and procurement.
  • Signal overload: when everything is flagged as urgent, prioritisation collapses and remediation becomes opportunistic.

Veracode’s recommended response is a shift from “fix everything” to a strategy-driven model of “Prioritise, Protect, Prove”, emphasising exploitability-driven triage, pipeline controls, and auditable evidence of risk reduction. (Veracode)

Practical actions security leaders can take now

Based on Veracode’s findings and common failure modes seen in vulnerability programmes, the fastest improvements tend to come from tightening prioritisation and governance rather than adding more scanners:

  1. Prioritise by exploitability and exposure, not CVSS alone
    Use KEV-style thinking: internet-facing assets, reachable code paths, exploit maturity, and vulnerability age should drive the queue. (cisa.gov)
  2. Set and enforce remediation SLAs for critical debt
    Treat “older than one year” severe findings as an executive risk metric, not a technical statistic.
  3. Harden the software supply chain
    Maintain an accurate dependency inventory, remove unused packages, and standardise approved libraries to reduce upgrade fragmentation. Veracode’s component-risk finding suggests this is where the biggest “debt interest” accrues. (Business Wire)
  4. Move controls left and add guardrails
    Add build gates for the highest-risk classes of flaws, and automate developer-facing remediation workflows so fixes are cheaper and faster to apply. (Veracode)
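As an added worked example (not Veracode's or CISA's code, and not from the article), the Python sketch below applies the KEV-style prioritisation described under item 1 and in the KEV paragraph above, the “older than one year” debt metric of item 2, and the third-party share of item 3 to a constructed set of findings. The finding ids, component names, scoring weights, reachability flags and SLA windows are all assumptions chosen for the illustration; they are not values from the report.

```python
"""Exploitability- and exposure-driven triage over a constructed finding set.

Added illustration, not Veracode's or CISA's code. Ids, thresholds, weights
and SLA windows are assumptions chosen for the example.
"""
from dataclasses import dataclass
from datetime import date

DEBT_AGE_DAYS = 365            # "security debt": open for more than a year (page definition)
SEVERE_CVSS = 7.0              # CVSS 3.x "High" starts at 7.0
EXPLOIT_MATURITY = {"none": 0.0, "poc": 1.0, "weaponised": 2.0}   # assumed weights
SLA_DAYS = {"kev": 14, "severe": 30, "other": 180}                 # assumed SLAs


@dataclass(frozen=True)
class Finding:
    fid: str               # placeholder id, not a real CVE
    component: str
    cvss: float
    in_kev: bool           # listed in CISA's KEV catalog (confirmed exploitation)
    internet_facing: bool
    reachable: bool        # vulnerable code path reachable from an entry point
    exploit_maturity: str  # "none" | "poc" | "weaponised"
    first_seen: date
    third_party: bool


def age_days(f: Finding, today: date) -> int:
    return (today - f.first_seen).days


def is_security_debt(f: Finding, today: date) -> bool:
    return age_days(f, today) > DEBT_AGE_DAYS


def priority_score(f: Finding, today: date) -> float:
    """Severity is only the starting point; exploitation evidence, reachability,
    exposure and age move a finding up or down the queue."""
    score = f.cvss
    if f.in_kev:
        score += 10.0                       # confirmed in-the-wild exploitation dominates
    score += 2.0 * EXPLOIT_MATURITY[f.exploit_maturity]
    if not f.reachable:
        score *= 0.25                       # unreachable code: real, but far less urgent
    if f.internet_facing:
        score *= 1.5
    score += min(age_days(f, today) / 365.0, 3.0)   # age accrues "interest", capped
    return round(score, 2)


def triage_queue(findings, today):
    """Finding ids ordered by exploitability/exposure score, highest first."""
    ordered = sorted(findings, key=lambda f: priority_score(f, today), reverse=True)
    return [f.fid for f in ordered]


def cvss_only_queue(findings):
    """The naive ordering the article warns against, for comparison."""
    return [f.fid for f in sorted(findings, key=lambda f: f.cvss, reverse=True)]


def sla_days_for(f: Finding) -> int:
    if f.in_kev:
        return SLA_DAYS["kev"]
    if f.cvss >= SEVERE_CVSS:
        return SLA_DAYS["severe"]
    return SLA_DAYS["other"]


def sla_breaches(findings, today):
    """Ids whose open age exceeds the (assumed) SLA for their class."""
    return [f.fid for f in findings if age_days(f, today) > sla_days_for(f)]


def debt_summary(findings, today):
    """The executive-level numbers: total debt, critical debt, third-party share."""
    debt = [f for f in findings if is_security_debt(f, today)]
    critical = [f for f in debt if f.cvss >= SEVERE_CVSS]
    third = [f for f in critical if f.third_party]
    share = round(len(third) / len(critical), 2) if critical else 0.0
    return {"open": len(findings), "security_debt": len(debt),
            "critical_debt": len(critical), "critical_debt_third_party_share": share}


# Constructed sample findings; ids and component names are placeholders.
TODAY = date(2026, 3, 1)
FINDINGS = [
    Finding("F-001", "third-party http lib", 9.8, True, True, True, "weaponised", date(2024, 6, 1), True),
    Finding("F-002", "third-party xml parser", 10.0, False, False, False, "none", date(2026, 2, 15), True),
    Finding("F-003", "first-party auth module", 6.5, True, True, True, "weaponised", date(2025, 12, 1), False),
    Finding("F-004", "third-party template engine", 7.5, False, False, True, "poc", date(2024, 1, 10), True),
    Finding("F-005", "first-party admin UI", 5.3, False, True, True, "none", date(2024, 9, 1), False),
]

if __name__ == "__main__":
    print("CVSS-only order:", cvss_only_queue(FINDINGS))
    print("Triage order   :", triage_queue(FINDINGS, TODAY))
    print("SLA breaches   :", sla_breaches(FINDINGS, TODAY))
    print("Debt summary   :", debt_summary(FINDINGS, TODAY))
```

Run against the constructed data, the CVSS-only queue puts the unreachable, two-week-old CVSS 10.0 finding first, while the triage queue pushes it to the bottom and ranks the KEV-listed medium-severity finding second; the summary counts three findings as security debt, two of them critical, both in third-party components. The weights are deliberately simple; the point is that exploitation evidence, reachability, exposure and age are inputs to the queue, not afterthoughts.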

Further reading