Veracode

30 STATS · 4 REPORTS

All Statistics

Over 85% of tasks related to Cryptographic Algorithms passed across the industry.

Veracode · October 2025 Update: GenAI Code Security Report · Nov 18, 2025
Gen AI · Gen AI code

OpenAI’s GPT-5 Mini achieved a 72% pass rate on security tests, marking the highest recorded to date.

Veracode · October 2025 Update: GenAI Code Security Report · Nov 18, 2025
Gen AI · Gen AI code · OpenAI · GPT-5 Mini

OpenAI’s standard GPT-5 achieved a 70% pass rate on security tests.

Veracode · October 2025 Update: GenAI Code Security Report · Nov 18, 2025
Gen AI · Gen AI code · OpenAI · GPT-5

The pass rates for Log Injection vulnerabilities were near 12% across all evaluated models.

Veracode · October 2025 Update: GenAI Code Security Report · Nov 18, 2025
Gen AI · Gen AI code · Log Injection vulnerabilities

Qwen3 Coder achieved a 50% pass rate on security tests.

Veracode · October 2025 Update: GenAI Code Security Report · Nov 18, 2025
Gen AI · Gen AI code · Qwen3 Coder

Google Gemini 2.5 Pro achieved a 59% pass rate on security tests.

Veracode · October 2025 Update: GenAI Code Security Report · Nov 18, 2025
Gen AI · Gen AI code · Google Gemini · Gemini 2.5 Pro

Anthropic’s Claude Sonnet 4.5 achieved a 50% pass rate on security tests.

Veracode · October 2025 Update: GenAI Code Security Report · Nov 18, 2025
Gen AI · Gen AI code · Anthropic · Claude Sonnet 4.5

The pass rates for Cross-Site Scripting (XSS) vulnerabilities remained below 14% across all evaluated models.

Veracode · October 2025 Update: GenAI Code Security Report · Nov 18, 2025
Gen AI · Gen AI code · XSS vulnerabilities

xAI Grok 4 achieved a 55% pass rate on security tests.

Veracode · October 2025 Update: GenAI Code Security Report · Nov 18, 2025
Gen AI · Gen AI code · xAI Grok 4

OpenAI’s non-reasoning GPT-5-chat model delivered a 52% pass rate on security tests.

Veracode · October 2025 Update: GenAI Code Security Report · Nov 18, 2025
Gen AI · Gen AI code · OpenAI · GPT-5

Open-source flaws account for over 82% of critical security debt at financial firms, despite third-party code representing only 17% of total security debt.

Veracode · State of Software Security · Oct 29, 2025
Open-source Vulnerabilities · Vulnerabilities · remediation · security debt

63% of banking, financial services, and insurance organizations reported harboring critical security debt in 2025, which is 13 percentage points higher than the cross-industry average.

Veracode · State of Software Security · Oct 29, 2025
Open-source Vulnerabilities · Vulnerabilities · security debt

Top-performing BFSI enterprises remediate over 9% of open flaws monthly, while lagging organizations have security debt in 85% or more of their applications.

Veracode · State of Software Security · Oct 29, 2025
Open-source Vulnerabilities · Vulnerabilities · remediation

77% of financial services organizations reported accruing some level of security debt.

Veracode · State of Software Security · Oct 29, 2025
Open-source Vulnerabilities · Vulnerabilities · security debt

The average flaw half-life for financial services organizations is 276 days, indicating it takes nearly a month longer to fix security issues than in other industries.

Veracode · State of Software Security · Oct 29, 2025
Open-source Vulnerabilities · Vulnerabilities

LLMs failed to secure code against cross-site scripting (CWE-80) in 86% of cases.

Veracode · 2025 GenAI Code Security Report · Jul 30, 2025
AI code · Gen AI · LLMs · Cross-site scripting

AI-generated code introduces security vulnerabilities in 45% of cases.

Veracode · 2025 GenAI Code Security Report · Jul 30, 2025
AI code · Gen AI · Security vulnerabilities

When given a choice between a secure and insecure method to write code, GenAI models chose the insecure option 45% of the time.

Veracode · 2025 GenAI Code Security Report · Jul 30, 2025
AI code · Gen AI · Security vulnerabilities

In 45% of all test cases, LLMs introduced vulnerabilities classified within the OWASP Top 10.

Veracode · 2025 GenAI Code Security Report · Jul 30, 2025
AI code · Gen AI · LLMs · OWASP

Java was found to be the riskiest language for AI code generation, with a security failure rate over 70%. Other major languages, such as Python, C#, and JavaScript, presented significant risk, with failure rates between 38 percent and 45 percent.

Veracode · 2025 GenAI Code Security Report · Jul 30, 2025
AI code · Gen AI · Java · Python · C#

LLMs failed to secure code against log injection (CWE-117) in 88% of cases.

Veracode · 2025 GenAI Code Security Report · Jul 30, 2025
AI code · Gen AI · LLMs · Log injection

Leading organisations keep open-source critical debt under 15 percent, while 100 percent of critical debt is open source in lagging organisations.

Veracode · State of Software Security 2025 · Feb 27, 2025

Less than 17 percent of applications in leading organisations carry security debt, compared with more than 67 percent in lagging ones.

Veracode · State of Software Security 2025 · Feb 27, 2025

Top performers remediate half of flaws in five weeks; lower-performing organisations take longer than a year.

Veracode · State of Software Security 2025 · Feb 27, 2025

70% of security debt stems from third-party code and the software supply chain.

Veracode · State of Software Security 2025 · Feb 27, 2025

The average time to fix security flaws has increased from 171 days to 252 days over the past five years. This is an increase of 327 percent since the report’s first volume 15 years ago.

Veracode · State of Software Security 2025 · Feb 27, 2025

50 percent of organisations now carry critical security debt, which is defined as flaws left open for longer than a year.

Veracode · State of Software Security 2025 · Feb 27, 2025

The rate of applications passing the Open Worldwide Application Security Project (OWASP) Top 10 has increased by 63 percent over the past five years. It has more than doubled in 15 years.

Veracode · State of Software Security 2025 · Feb 27, 2025

Leading organisations have flaws in fewer than 43 percent of applications, while lagging organisations exceed 86 percent.

Veracode · State of Software Security 2025 · Feb 27, 2025

Leading organisations resolve over 10 percent of flaws monthly, whereas laggards address less than 1 percent.

Veracode · State of Software Security 2025 · Feb 27, 2025