Security debt surges as legacy vulnerabilities pile up
Veracode reports a rise in long-running software vulnerabilities, with more organisations carrying unresolved issues for more than a year and a growing share of the most serious flaws coming from third-party code.
Its 2026 State of Software Security report found that 82% of organisations now carry what it calls security debt, up from 74% a year earlier. It defines security debt as vulnerabilities that accumulate and remain unremediated over time.
Most of those organisations fall into what Veracode calls critical security debt. The report found that 60% are dealing with severe, exploitable flaws that have remained unresolved for more than a year, up 20% year on year.
Backlog pressure
The findings point to a widening gap between the pace of software development and teams' ability to fix weaknesses. Detection has improved, but remediation capacity has not kept up, leaving many organisations with ageing vulnerabilities in production systems.
Nearly half of applications in the dataset (49%) contained vulnerabilities that were at least a year old. The analysis covered 1.6 million applications and 141 million findings across enterprises, software suppliers, outsourcers and open-source projects worldwide.
The report also flagged growth in the most dangerous vulnerabilities, those that are both highly severe and highly exploitable, which rose 36% year on year.
Third-party risk
Third-party components were a major source of long-lived risk. Veracode found that 66% of critical security debt originates in third-party code, including open-source dependencies and libraries.
It described this concentration as an ongoing software supply chain challenge. Many development teams rely heavily on external components, which can introduce vulnerabilities that are difficult to track across applications and release cycles.
The dataset includes results from multiple testing methods, including static analysis, dynamic analysis, software composition analysis and manual penetration testing conducted through Veracode's cloud-based platform.
AI and velocity
Veracode linked the results to faster release cycles and higher development throughput. It also pointed to AI's role in software creation, saying it is influencing both the volume and pattern of vulnerabilities appearing in codebases.
"The speed of software development has skyrocketed, meaning the pace of flaw creation is outstripping the current capacity for remediation," said Chris Wysopal, chief security evangelist at Veracode.
"Despite marginal gains in fix rates, security debt is becoming a much larger issue for many organizations. Now that AI has taken software development velocity to an unprecedented level, enterprises must ensure they're making deliberate, intelligent choices to stem the tide of flaws and minimize their risk," Wysopal said.
The report also noted that some organisations are finding fewer flaws and improving detection, but still struggle to close issues quickly enough to reduce exposure. It said gains in tools and processes for discovery have not been matched by comparable progress in remediation.
Prioritisation focus
Veracode recommended a strategy it calls "Protect, Prioritize, and Prove." It urged organisations to focus on systems and applications that hold sensitive data, deliver core services or affect broader operations, rather than treating all vulnerabilities equally.
It also argued for prioritisation methods based on real-world exploitability, not only generic severity scoring. The rise in highly severe and exploitable flaws, it said, makes decisions about what to fix first more important.
Veracode said teams should prioritise "the 11.3 percent of flaws that pose real-world danger," alongside automated remediation for critical assets and measurement against compliance requirements.
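As an added illustration, not code from Veracode or the report: a small Python classifier that applies the article's definitions (security debt is a flaw unremediated for more than a year; critical security debt is a flaw that is severe, exploitable and more than a year old; third-party share of critical debt) to a constructed set of findings, and orders the fix queue by exploitability ahead of generic severity. The 365-day cutoff, the 1-5 severity scale, the severity floor of 4 and the sample findings are assumptions, not figures from the report.

```python
from dataclasses import dataclass
from datetime import date

DEBT_AGE_DAYS = 365  # assumption: "more than a year" = older than 365 days


@dataclass(frozen=True)
class Finding:
    app: str
    cwe: str
    severity: int      # assumption: scanner-style 1 (low) .. 5 (very high)
    exploitable: bool  # assumption: flagged by reachability / known-exploited data
    third_party: bool  # True when the flaw sits in an open-source or vendor component
    first_seen: date


def age_days(f: Finding, today: date) -> int:
    return (today - f.first_seen).days


def is_debt(f: Finding, today: date) -> bool:
    """Security debt: still unremediated more than a year after first detection."""
    return age_days(f, today) > DEBT_AGE_DAYS


def is_critical_debt(f: Finding, today: date, severity_floor: int = 4) -> bool:
    """Critical security debt: severe AND exploitable AND older than a year."""
    return is_debt(f, today) and f.exploitable and f.severity >= severity_floor


def debt_metrics(findings, today: date) -> dict:
    """Portfolio view: how much debt, how much of it critical, how much third-party."""
    debt = [f for f in findings if is_debt(f, today)]
    critical = [f for f in debt if is_critical_debt(f, today)]
    tp_critical = [f for f in critical if f.third_party]
    return {
        "apps": len({f.app for f in findings}),
        "apps_with_debt": len({f.app for f in debt}),
        "debt": len(debt),
        "critical_debt": len(critical),
        "third_party_share_of_critical": len(tp_critical) / len(critical) if critical else 0.0,
    }


def fix_order(findings, today: date) -> list:
    """Exploitability first, then severity, then age: oldest exploitable severe flaws lead."""
    return sorted(findings, key=lambda f: (not f.exploitable, -f.severity, -age_days(f, today)))


# Constructed sample findings (not real scan data).
TODAY = date(2026, 3, 1)
SAMPLE = [
    Finding("billing", "CWE-89", 5, True, False, date(2024, 11, 20)),
    Finding("billing", "CWE-79", 3, False, False, date(2025, 12, 1)),
    Finding("portal", "CWE-502", 5, True, True, date(2024, 6, 2)),
    Finding("portal", "CWE-200", 2, False, True, date(2024, 1, 15)),
    Finding("api", "CWE-22", 4, True, True, date(2025, 9, 9)),
]
```

Running `debt_metrics(SAMPLE, TODAY)` on the constructed sample reports three debt findings across two of three apps, two of them critical, with half of the critical debt in third-party code; `fix_order` puts the two exploitable, very-high-severity flaws ahead of the newer, non-exploitable ones regardless of their age.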
"We are at an inflection point where running faster on the treadmill of vulnerability management is no longer a viable strategy," said Chris Wysopal, chief security evangelist at Veracode.
"Success requires a deliberate shift. Teams must prioritize the 11.3 percent of flaws that pose real-world danger, protect their critical assets through automated remediation, and prove that their security posture meets the rigorous demands of modern compliance. It is not about fixing everything; it is about managing security debt by minimizing its most consequential risks," Wysopal said.