– Two Thirds of EMEA Organizations Grapple with Security Debt and Nearly Half Have Debt Considered “Critical”
– 80% of Third-party Code Has Critical Security Debt—Significantly Higher Than the Global Average
Veracode, a global leader in application risk management,
today unveiled the EMEA snapshot of its annual State of Software Security (SoSS) 2024 report,
revealing worrying levels of security debt in organizations across Europe, the Middle East and
Africa.
Veracode’s research found 68 percent of EMEA organizations harbor some level of security
debt, while 46 percent have high-severity persistent flaws in code, classified as ‘critical’ security
debt. These high-severity flaws represent the greatest risk to applications and are a ticking time
bomb with the potential for catastrophic breaches.
In a world where every interaction with an application can be a potential entry point for cyber
attackers, understanding and managing security debt is more crucial than ever. Security debt,
defined for this report as software flaws that remain unfixed for longer than a year, can build up
when developers lack time or resources to address potentially dangerous flaws. Over time, these
flaws accumulate, making organizations increasingly vulnerable to attackers.
Chris Eng, Chief Research Officer at Veracode, said, “The findings of this year’s EMEA SoSS
report are a wake-up call for organizations in the region. Businesses should have a laser focus on
remediating critical security debt first, given these flaws present the highest risk.”
Developers tasked with triaging and fixing flaws manually often fall short in tackling growing
security debt, with slow remediation timelines and prioritization to blame. Analysis of
remediation timelines in EMEA found it takes organizations using manual methods an average
of 19 months to remediate flaws in third-party code, compared to nine months for first-party
code. With such a vast number of flaws to address, organizations must prioritize which
vulnerabilities to fix first, especially critical flaws.
When it comes to sources of security debt, the report found 84 percent of security debt overall
comes from first-party code developed in-house. Meanwhile, 80 percent of critical security debt
stems from third-party code, which often flies under the radar but can be just as dangerous for
EMEA organizations. Crucially, the critical security debt statistic is considerably higher than the
global rate of 65 percent.
Leveraging AI for Vulnerability Remediation
While AI code generators are increasingly used by developers to create software because of the
speed and efficiency they bring, they don’t always produce secure code. Indeed, recent research
found 36 percent of code generated by the AI-powered GitHub Copilot tool contained security
flaws.
AI can also be used to burn down security debt, supporting developers and security teams by
dramatically reducing the time to fix vulnerabilities. Eng said, “AI-powered remediation tools
can save teams a significant amount of time by automating fix recommendations and tackling
flaws at scale. For example, our AI-powered remediation solution, Veracode Fix, has slashed fix
times for common vulnerabilities from days to minutes, significantly enhancing developer
productivity.”
Mitigating Security Debt in a Complex Environment
With three fifths (60 percent) of all flaws in EMEA organizations considered neither security
debt nor critical severity, it becomes easier and more manageable for developers to focus on
fixing the four percent that constitutes the highest risk. Once addressed, organizations can then
go on to tackle non-critical security debt or more recent critical flaws, based on their risk
tolerance and capabilities.
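A small triage model of the definitions used above (security debt is a flaw left unfixed for longer than a year; critical security debt is a high-severity flaw that is also debt), ordered the way the release recommends, critical security debt first. This is an added Python example, not Veracode's code or tooling. The 365-day cutoff, the severity labels treated as "high-severity", the Flaw fields and the sample inventory are all assumptions; the sample numbers are constructed and do not reproduce the report's statistics.

```python
from collections import Counter
from dataclasses import dataclass
from datetime import date

# Report definition: a flaw becomes security debt once it has stayed unfixed for
# longer than a year. Counting "a year" as 365 days is an assumption.
DEBT_AGE_DAYS = 365

# Assumption: the severity labels that count as "high-severity" for the
# critical-debt bucket. The report's exact severity scale is not given here.
HIGH_SEVERITIES = frozenset({"critical", "high"})


@dataclass(frozen=True)
class Flaw:
    flaw_id: str
    severity: str      # "critical" | "high" | "medium" | "low"  (assumed scale)
    origin: str        # "first-party" | "third-party"
    first_seen: date   # date the scanner first reported the still-unfixed flaw


def age_days(flaw: Flaw, today: date) -> int:
    return (today - flaw.first_seen).days


def is_security_debt(flaw: Flaw, today: date) -> bool:
    return age_days(flaw, today) > DEBT_AGE_DAYS


def bucket(flaw: Flaw, today: date) -> str:
    """Place a flaw in one of the four quadrants the release distinguishes."""
    debt = is_security_debt(flaw, today)
    high = flaw.severity in HIGH_SEVERITIES
    if debt and high:
        return "critical security debt"
    if debt:
        return "non-critical security debt"
    if high:
        return "recent high-severity"
    return "recent non-critical"


# Fix order from the text: critical security debt first; the relative order of
# recent high-severity flaws versus non-critical debt is a risk-tolerance
# choice, and this ranking is one assumed choice.
PRIORITY = {
    "critical security debt": 0,
    "recent high-severity": 1,
    "non-critical security debt": 2,
    "recent non-critical": 3,
}


def triage(flaws: list, today: date) -> list:
    """Return flaws in remediation order: bucket priority, then oldest first."""
    return sorted(flaws, key=lambda f: (PRIORITY[bucket(f, today)], -age_days(f, today)))


def summarize(flaws: list, today: date) -> dict:
    """Share of flaws per bucket, plus the third-party share of critical debt."""
    total = len(flaws)
    counts = Counter(bucket(f, today) for f in flaws)
    critical = [f for f in flaws if bucket(f, today) == "critical security debt"]
    third_party = sum(1 for f in critical if f.origin == "third-party")
    return {
        "percent_by_bucket": {b: round(100 * c / total, 1) for b, c in counts.items()},
        "critical_debt_third_party_percent": (
            round(100 * third_party / len(critical), 1) if critical else 0.0
        ),
    }


# Constructed sample inventory (not report data); "today" is fixed so ages are stable.
TODAY = date(2024, 6, 1)
SAMPLE = [
    Flaw("F-1", "critical", "third-party", date(2022, 9, 10)),   # 630 days: critical debt
    Flaw("F-2", "high", "third-party", date(2023, 1, 15)),       # 503 days: critical debt
    Flaw("F-3", "high", "first-party", date(2023, 3, 1)),        # 458 days: critical debt
    Flaw("F-4", "medium", "first-party", date(2022, 12, 1)),     # 548 days: non-critical debt
    Flaw("F-5", "low", "first-party", date(2023, 4, 20)),        # 408 days: non-critical debt
    Flaw("F-6", "critical", "first-party", date(2024, 4, 2)),    # 60 days: recent high-severity
    Flaw("F-7", "medium", "third-party", date(2024, 5, 20)),     # 12 days: recent non-critical
    Flaw("F-8", "low", "first-party", date(2023, 6, 1)),         # 366 days: just over the cutoff
]

if __name__ == "__main__":
    for f in triage(SAMPLE, TODAY):
        print(f"{f.flaw_id:4} {bucket(f, TODAY):28} {f.origin:12} {age_days(f, TODAY):4}d")
    print(summarize(SAMPLE, TODAY))
```

Feeding a real scanner export through `bucket` and `summarize` gives the same two numbers the release headlines (share of flaws that are critical debt, and how much of that debt is third-party), which is the view a team needs before deciding whether its risk tolerance puts recent critical flaws or older non-critical debt next in the queue.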
For those seeking prioritization guidance on security debt, Application Security Posture
Management (ASPM) tools can continuously track risk through the collection, analysis and
prioritization of security issues across the software development cycle.
ASPM tools have become more popular as they offer a comprehensive, unified view of risk
across application stacks, and facilitate the remediation of issues. Longbow, powered by
Veracode, delivers ASPM to get to the root cause of the issue through contextual analysis and
suggests the best next actions to reduce the most risk with the least amount of effort.
Eng closed, “The prevalence of security debt among EMEA organizations highlights the need for
immediate action to protect businesses against future breaches. Security leaders and developers
should focus on patching the most critical flaws that introduce the most risk given their context.
AI-powered security solutions that scale remediation efforts will enable teams to tackle their
growing security debt more efficiently and reduce the amount of time vulnerabilities can be
exploited.”