The growing divide: security struggles to keep up with software development

Veracode's latest report highlights the widening gap between rapid software development and slower security measures, posing potential risks for organisations worldwide.

In its 2026 State of Software Security Report, Veracode, a global application risk management provider, highlights a widening gap between software development speed and security efforts. The report shows that 82% of organisations are dealing with security debt — an increase of 11% compared with the previous year.

Of those organisations, 60% are categorised as having “critical” security debt, meaning accumulated vulnerabilities that could cause significant damage if exploited. To address this, the report recommends adopting a “Protect, Prioritize, and Prove” approach to reduce risk in 2026 and beyond.

Now in its 16th edition, the report analysed more than 1.6 million unique applications across enterprises, commercial software suppliers, software outsourcing providers, and open-source projects globally. It identifies a clear imbalance between rapid development cycles and the pace at which vulnerabilities are remediated.

While detection capabilities have improved, unresolved vulnerabilities continue to accumulate. High-risk vulnerabilities have increased by 36% year-over-year, defined as flaws that are both severe and highly exploitable.

The findings suggest that high-risk vulnerabilities require stronger prioritisation, moving beyond generic severity scoring toward assessments based on real-world attack potential. Security debt is also influenced by greater reliance on open-source components, which account for 66% of the most persistent vulnerabilities.

To reduce these risks, Veracode recommends a strategic framework centred on Prioritize, Protect, and Prove, enabling organisations to focus on safeguarding their most critical systems and applications that hold essential data.

The report also notes the impact of AI on the landscape, introducing new high-risk vulnerability patterns while AI-driven remediation tools begin to offer additional support in closing gaps.

As organisations manage growing security debt, the emphasis is on prioritising the most significant risks rather than attempting to eliminate every vulnerability, while maintaining alignment with security and compliance requirements.
An examination of how Atlassian’s Rovo and Teamwork Graph introduce AI-driven automation into...
UK's pragmatic approach to AI automation prioritises pre-built solutions over bespoke development,...
Supermicro expands its AI edge computing solutions with Intel's advanced technologies, aiming to...
One Identity sets new course as an independent entity, focusing on identity governance with its...
The collaboration will focus on building a scalable, cloud-native digital infrastructure to support...
A surge in AI adoption results in increased security concerns across UK and US enterprises, despite...
N-able introduces Shadow AI Visibility to monitor AI tool usage, enhancing organisational security...
Vanquis integrates Freshservice to streamline service operations, marking a development in its...