Report by Veracode

State of Software Security 2025

9 findings · Published Feb 27, 2025

Key Findings

Leading organisations keep open-source critical debt under 15 percent, while in lagging organisations 100 percent of critical debt is open source.

Veracode · State of Software Security 2025 · Feb 27, 2025

Less than 17 percent of applications in leading organisations carry security debt, compared with more than 67 percent in lagging ones.

Top performers remediate half of flaws in five weeks; lower-performing organisations take longer than a year.

70% of security debt stems from third-party code and the software supply chain.

The average time to fix security flaws has increased from 171 days to 252 days over the past five years. This is an increase of 327 percent since the report’s first volume 15 years ago.

50 percent of organisations now carry critical security debt, which is defined as flaws left open for longer than a year.

The rate of applications passing the Open Worldwide Application Security Project (OWASP) Top 10 has increased by 63 percent over the past five years. It has more than doubled in 15 years.

Leading organisations have flaws in fewer than 43 percent of applications, while lagging organisations exceed 86 percent.

Leading organisations resolve over 10 percent of flaws monthly, whereas laggards address less than 1 percent.