Business Wire

Veracode 2026 State of Software Security Report Reveals Four Out of Five Organizations Are Drowning in Security Debt

24.2.2026 13:50:00 CET | Business Wire | Press release

Share

High-Risk Vulnerabilities Spike 36% Year-Over-Year as Critical Security Debt Surges 20%, Signaling a Growing Crisis in Software Security

Veracode, the global leader in application risk management, today released its 2026 State of Software Security Report, revealing the widening gap between how fast organizations build software and how fast they can secure it. The report found 82 percent of organizations now harbor security debt—an 11 percent increase from the prior year—and that 60 percent of those organizations have security debt defined as “critical,” representing accumulated vulnerabilities severe enough to cause catastrophic damage to an organization if exploited. The report recommends adopting a “Protect, Prioritize, and Prove” strategy to meaningfully reduce risk in 2026 and beyond.

This press release features multimedia. View the full release here: https://www.businesswire.com/news/home/20260224526703/en/

Fig. 1: Veracode State of Software Security Report 2025 vs 2026 YoY Change

Now in its 16th annual edition, Veracode’s flagship report analyzed 1.6 million unique applications spanning enterprises, commercial software suppliers, software outsourcers, and open-source projects worldwide.

The 2026 findings expose a fundamental mismatch between development velocity and remediation capacity. While detection capabilities have improved, the backlog of unresolved vulnerabilities is growing faster than teams can eliminate it. This trend is exacerbated by a 36 percent year-over-year spike in high-risk vulnerabilities, categorized as flaws that are both severe and highly exploitable.

“The speed of software development has skyrocketed, meaning the pace of flaw creation is outstripping the current capacity for remediation,” said Chris Wysopal, Chief Security Evangelist at Veracode. “Despite marginal gains in fix rates, security debt is becoming a much larger issue for many organizations. Now that AI has taken software development velocity to an unprecedented level, enterprises must ensure they’re making deliberate, intelligent choices to stem the tide of flaws and minimize their risk.”

Key Takeaways from the 2026 State of Software Security Report

This year’s study establishes the primary themes shaping software security maturity in a world where AI-driven development, expanding attack surfaces, and faster release cycles collide with remediation capacity.

  • Critical Security Debt Intensifies: The 20 percent year-over-year increase in critical security debt suggests the accumulation of risky vulnerabilities older than a year is outpacing remediation capacity, signaling an urgent need to rethink how backlogs are managed.
  • High-Risk Vulnerabilities Demand a New Kind of Prioritization: A 36 percent relative increase in flaws classed as both “severe” and “highly exploitable” demands an urgent shift from generic severity scoring to prioritization based on real-world attack potential.
  • Detection is Improving Modestly; Remediation is Not: While organizations are successfully finding fewer flaws and improving detection rates, the data reveals a persistent strain to fix them quickly enough to close the widening exposure window.
  • Open-source Components Carry Outsized Risk: Third-party libraries and open-source dependencies account for 66 percent of the most dangerous, longest-lived vulnerabilities—a reminder that third-party hygiene still has a long way to go despite signs of improvement.
  • The AI Impact: AI development is introducing new high-risk vulnerability patterns at scale, while AI-powered remediation is beginning to offer a credible path toward closing the gap.

Actionable Insights and Recommendations

To combat these risks, Veracode advocates a shift from simple detection toward a more strategic framework of Prioritize, Protect, and Prove. This approach enables organizations to prioritize their "crown jewels"—the most valuable systems and applications that hold sensitive data, deliver core services or impact overall operations.

“We are at an inflection point where running faster on the treadmill of vulnerability management is no longer a viable strategy,” Wysopal closed. “Success requires a deliberate shift. Teams must prioritize the 11.3 percent of flaws that pose real-world danger, protect their critical assets through automated remediation, and prove that their security posture meets the rigorous demands of modern compliance. It is not about fixing everything; it is about managing security debt by minimizing its most consequential risks.”

Veracode’s annual State of Software Security Report is one of the industry’s longest running and most comprehensive views of the application risk management landscape.

The full 2026 report is available on the Veracode website. Join the webinar on February 26 at 11am Eastern Time to hear from the authors of this year’s report and get an in-depth analysis of the key findings.

About the State of Software Security Report

The Veracode State of Software Security draws on analysis of applications tested through static analysis, dynamic analysis, software composition analysis, and/or manual penetration testing through Veracode’s cloud-based platform. This year’s dataset includes 1.6 million unique applications generating 141.3 million raw findings—115.6 million from static analysis, 22.1 million from software composition analysis, and 3.6 million from dynamic analysis. This data spans companies of all sizes, commercial software suppliers, software outsourcers, and open-source projects worldwide.

About Veracode

Veracode is a global leader in Application Risk Management for the AI era. Powered by trillions of lines of code scans and a proprietary AI-assisted remediation engine, the Veracode platform is trusted by organizations worldwide to build and maintain secure software from code creation to cloud deployment. Thousands of the world’s leading development and security teams use Veracode every second of every day to get accurate, actionable visibility of exploitable risk, achieve real-time vulnerability remediation, and reduce their security debt at scale. Veracode is a multi-award-winning company offering capabilities to secure the entire software development life cycle, including Veracode Fix, Static Analysis, Dynamic Analysis, Software Composition Analysis, Container Security, Application Security Posture Management, Malicious Package Detection, Package Firewall, and Penetration Testing.

Learn more at www.veracode.com, on the Veracode blog, and on LinkedIn and X.

Copyright © 2026 Veracode, Inc. All rights reserved. Veracode is a registered trademark of Veracode, Inc. in the United States and may be registered in certain other jurisdictions. All other product names, brands, or logos belong to their respective holders. All other trademarks cited herein are property of their respective owners.

View source version on businesswire.com: https://www.businesswire.com/news/home/20260224526703/en/

Subscribe to releases from Business Wire

Subscribe to all the latest releases from Business Wire by registering your e-mail address below. You can unsubscribe at any time.

Latest releases from Business Wire

Kioxia and Sandisk Begin Production of 10th-Generation 3D Flash Memory Products atKitakami Plant Fab23.7.2026 12:19:00 CEST | Press release

Companies Showcase Ongoing Buildout of Manufacturing Infrastructure at K2 to Address Growing Demand for NAND Flash Kioxia Corporation, a subsidiary of Kioxia Holdings Corporation (TOKYO: 285A) and Sandisk Corporation (Nasdaq: SNDK) today announced the start of production for their 10th-generation 3D Flash memory technology at Fab2 (K2) at the Kitakami Plant in Iwate Prefecture in Japan. The milestone comes as the companies continue to drive meaningful, multi-year bit growth to address the strong demand for their innovative flash memory technology. This press release features multimedia. View the full release here: https://www.businesswire.com/news/home/20260702296115/en/ Unveiling ceremony for the K2 facility In conjunction with the start of production, the companies held an unveiling ceremony for the K2 facility. Opening in September 2025, the facility has produced the companies’ 8th-generation 3D flash memory products and will begin to scale production with the introduction of their

VeriSilicon Introduces CPP2000 Camera Post-Processing IP for Embodied Robotics and Mobile Vision Applications3.7.2026 12:02:00 CEST | Press release

Enhancing image quality and visual perception for moving-camera systems VeriSilicon (688521.SH) today announced its high-performance CPP2000 Camera Post-Processing (CPP) IP, expanding the company’s Image Signal Processing (ISP) solutions with advanced post-processing capabilities. By improving image quality and visual perception in mobile imaging scenarios, CPP2000 enables more reliable vision performance in robotics, drones, and other mobile vision applications. CPP2000 integrates multiple image processing technologies and can further optimize YUV images output from image signal processors. The IP supports image and video processing at up to 8K resolution and offers multiple hardware configuration options to meet diverse requirements in Power, Performance, Area (PPA), and latency across different applications. CPP2000 leverages the combined operation of multiple image processing technologies, including motion-compensated temporal filtering, advanced spatial noise reduction, chroma adj

Messer Acquires Singapore-Based Industrial Gas Platform; Japan Corporate Advisory Institute Advises Sellers3.7.2026 11:11:00 CEST | Press release

Acquisition of WKS Group strengthens Messer’s Southeast Asia presence Messer, the world’s largest privately held specialist for industrial, medical, electronic and specialty gases, has acquired WKS Group, a Singapore-based industrial gas platform with operations across Singapore and southern Malaysia. Transaction terms were not disclosed. Messer reported consolidated sales of approximately EUR 4.5 billion for its 2025 financial year. Founded in Singapore in 1977, WKS Group comprises six companies and employs approximately 195 people across Singapore and southern Malaysia. The acquisition expands Messer’s operating footprint in Southeast Asia and strengthens its access to key industrial clusters across the region. “We are pleased to have completed this transaction with Messer, whose strategic vision makes them an excellent partner for WKS Group,” said Mr. Wong Koh Hoi, shareholder of WKS Group. “We appreciate JCAI’s professionalism and dedication throughout the process, and their expert

Access Advance Welcomes Meta Platforms, Inc. and Alibaba Group to the Video Distribution Patent Pool3.7.2026 01:00:00 CEST | Press release

Access Advance LLC today announced that Meta Platforms, Inc., one of the world's largest distributors of video content across its Facebook, Instagram, Threads, and WhatsApp services, has joined the Video Distribution Patent Pool (VDP Pool) as a Licensee. Meta also joined both the HEVC Advance and VVC Advance pools as a Licensee. Alibaba Group, whose video infrastructure spans a wide range of video-based services across e-commerce, entertainment, and digital media platforms, was also announced as a VDP Pool Licensee this week. Meta and Alibaba joining the VDP Pool further reinforces the program’s market leading position in resolving the licensing issues around the use of modern video codecs, including VP9, AV1, HEVC and VVC, across all the diverse business models of internet video streaming. "A significant U.S.-based company like Meta joining as a Licensee is a milestone moment for the content distribution business and the VDP Pool," said Peter Moller, CEO of Access Advance. "Meta reach

Kioxia Commences Sample Shipments of 10th-Generation BiCS FLASH™ Devices Delivering High Performance, High Capacity and Low Power Consumption3.7.2026 01:00:00 CEST | Press release

Production planned at Fab2 of Kitakami Plant Kioxia Corporation, a world leader in memory solutions, today announced that it has commenced sample shipments of 1Tb (terabit) Triple-Level-Cell (TLC) memory devices utilizing its 10th-generation BiCS FLASH™ 3D flash memory technology.1 These will be primarily integrated into the company’s enterprise and data center SSDs, strengthening Kioxia’s lineup to meet the growing demand for AI storage, which requires higher performance, higher capacity, and lower power consumption. These new products will be manufactured using state-of-the-art equipment at Kioxia’s Kitakami Plant Fab2 facility in Iwate Prefecture, Japan. By leveraging innovative CMOS directly Bonded to Array (CBA) technology2 and On-Pitch Select Gate Drain (OPS) technology,3 both adopted since the 8th-generation BiCS FLASH™, the 10th-generation technology achieves a NAND interface speed of 4.8 Gb/s,4 a 33% improvement over the 8th generation. Bit density has increased by 59% by stac

In our pressroom you can read all our latest releases, find our press contacts, images, documents and other relevant information about us.

Visit our pressroom
World GlobeA line styled icon from Orion Icon Library.HiddenA line styled icon from Orion Icon Library.Eye