The Application Security Paradox

Written by Bruce Fram | Mar 5, 2025 10:42:32 PM

As the CEO of AppSecAI and former CEO of Contrast Security, I've been closely following the trends in application security for years. The recently released Veracode State of Software Security (SOSS) 2025 report provides real data spanning more than 15 years, offering insights into the current landscape of application security and confirming many of the challenges we've been working to address at AppSecAI.

Security Debt Tsunami: The Rising Tide Threatening Application Security

The Veracode SOSS 2025 report highlights a concerning trend: security debt is continuing to rise across organizations. The report defines security debt as flaws that remain unfixed for over a year, and the statistics are sobering:

  • 74.2% of organizations now have security debt (up from 71% in previous reports)
  • 49.9% of organizations have critical security debt (high severity, high exploitability flaws)
  • The average time to fix flaws has increased to 252 days (up 47% in 5 years)

What's particularly troubling is that this increase is happening despite improvements in other areas. For example, the percentage of applications with no OWASP Top 10 vulnerabilities has increased from 32% to 52% in the last five years. This suggests that while organizations are making progress in preventing new flaws, they're struggling to address their existing backlog.

The Percentage Paradox: Better Stats, Worse Reality in Application Security

A critical insight from the Veracode webinar is that while the percentage of applications with flaws has decreased in recent years, the raw number of security flaws is actually increasing. This paradox is explained by the dramatic growth in the total number of applications being created and scanned:

  • In Volume 1 of the SOSS report (2010), Veracode scanned 1,591 applications
  • In Volume 15 (2025), this number has exploded to 457,000 applications

Veracode CTO Chris Wysopal noted in the webinar discussion: "The OWASP Top 10 pass rate is 52 percent; that's 52 percent of 457,000 apps, as opposed to five years ago, where it was 32 percent of 85,000 apps."

This means that while security is improving on a percentage basis, the actual volume of security vulnerabilities in the wild continues to grow. This volume challenge further underscores why automated approaches to security are becoming essential.

The AI Double-Edge: 50% More Code, 50% More Vulnerabilities

In the webinar introducing the report, Wysopal said:

“The difference with AI generated code is it's much faster, right? So it gives a developer up to 50 percent productivity boost. So if we just sort of average on that, we're getting 50 percent more code that has the same vulnerability density. We're getting 50 percent more vulnerabilities.

And now we have to remediate those to get to our OWASP passing or no critical debt. And so remediation is definitely getting harder, and we need to tackle that with AI based fixing, with tools that are AI based tools that know how to fix code and are good at remediating vulnerabilities. So I think we're in a phase where we're seeing a spike from AI generated code that's going to go up, and hopefully it'll come down again when people start adopting tools to automate remediation.”

Breaking the Chain: How AI Automation Transforms AppSec from Cost Center to Strategic Advantage

The SOSS 2025 report makes it clear that the status quo in application security is unsustainable. The increasing remediation timelines and growing security debt demonstrate that organizations need new approaches to keep pace with modern development.

At AppSecAI, we believe that automation is the key to transforming application security from an expensive drag on the business to a strategic advantage. By eliminating the manual triage bottleneck and accelerating remediation, we're helping organizations secure their entire application portfolio at scale.

The rise of security debt isn't inevitable—it's a problem we can solve with the right tools and approach. As we continue to develop our AI-powered security automation platform, we're committed to helping organizations overcome these challenges, build more secure applications more efficiently, and bring them to market faster.

For more information about how AppSecAI can help your organization eliminate false positives and automate remediation, visit www.appsecai.io or contact us at automation@appsecai.io.


Bruce Fram
CEO and Founder, AppSecAI