Managing Security Debt: A Growing Governance Concern for CISOs
Security Debt Accumulation: A Growing Governance Concern
The accumulation of unresolved vulnerabilities, known as security debt, has become a pressing governance concern for chief information security officers (CISOs). According to Veracode’s 2026 State of Software Security Report, the backlog of security issues continues to grow across large development portfolios.
Report Findings
The report analyzed 1.6 million unique applications that underwent various security assessments, including static analysis, dynamic analysis, software composition analysis, and manual penetration testing. The scope of the analysis spanned commercial software suppliers, outsourcers, and open source projects, providing a comprehensive view of different delivery models and codebases.
Security debt refers to known vulnerabilities that remain unresolved for more than a year after first detection. The measure captures exposure that persists across multiple release cycles even as scanning coverage and detection improve, and it separates routine remediation work from backlog items that have survived several planning cycles, including repeated deferrals during roadmap changes and release freezes.
The report found that 82% of organizations had security debt in 2026, up from 74% in 2025. This metric indicates the share of organizations with at least one known issue aging past a year, pointing to a broad backlog problem across the industry. Critical security debt, which refers to long-lived flaws with high severity and high exploitability, also increased, affecting 60% of organizations in 2026, up from 50% in 2025.
Reducing Security Debt
Chris Wysopal, Chief Security Evangelist at Veracode, emphasized that reducing security debt requires executive oversight and a business imperative. “Reducing security debt is not just a technical challenge; it’s a business imperative. Security debt must become a board-level KPI, with CISOs leading the charge to treat it like financial debt: measured, governed, and actively reduced.”
Wysopal advocated for changes in investment and policy to achieve sustained progress. “By shifting investment toward automation and AI-assisted fixes, prioritizing ‘crown jewel’ applications, formalizing risk acceptance, and enforcing policies like ‘fix high risk before release,’ organizations can maintain safe and resilient systems.”
Measurable Governance Targets
The report also highlighted the need for measurable governance targets. For example, an organization could aim to reduce its count of critical security debt by 25% over six months, halve the average age of its open high-risk vulnerabilities, and keep high-risk vulnerabilities below 10% of the open findings in its crown-jewel applications.
Vulnerability Prevalence and Prioritization
The prevalence of vulnerabilities across applications remained high, with 78% of applications containing flaws in 2026. The concentration of vulnerabilities rated as both highly severe and highly exploitable increased to 11.3% in 2026, up from 8.3% in 2025. This shift reflects the growing operational risk, especially when combined with externally reachable services and widely deployed dependencies.
Prioritization becomes an operational discipline when remediation capacity is constrained. Programs need a repeatable way to tie each finding to business criticality, reachable attack paths, and runtime exposure, so teams spend their effort on the highest-impact weaknesses in the systems that matter most.
Wysopal emphasized the need to recalibrate how organizations rank and measure vulnerability reduction. “Success in reducing security debt is about focus. Direct teams to the small subset of vulnerabilities that are both highly exploitable and capable of causing catastrophic damage to the organization if left unaddressed.”
The report also highlighted the need for changes in metrics and tooling to support this shift. “CISOs should shift metrics from counting total vulnerabilities to measuring reduction in exploitable risk. To sustain development velocity and make remediation seamless, integrate automated fixes directly into development workflows and leverage Application Security Posture Management tools to unify and prioritize findings.”
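The definitions above (debt as a flaw open more than a year, critical debt as debt that is both high severity and highly exploitable), the three example governance targets, and the recommended shift from raw counts toward exploitable risk can all be computed from a finding inventory. The following Python is an added illustration written for this article, not Veracode's tooling or the report's own methodology. The finding records, the "crown jewel" and "internet-facing" tags, and the two measurement dates are constructed assumptions; the report does not prescribe how those attributes are represented.

```python
"""Security-debt metrics and a prioritization queue over a constructed finding set.

Metric definitions follow the report as summarized in the article:
  - security debt : a known flaw still open more than a year after first detection
  - critical debt : security debt that is both high severity and highly exploitable
The crown_jewel and internet_facing tags are assumptions made for this example.
"""
from dataclasses import dataclass
from datetime import date
from typing import Optional

DEBT_AGE_DAYS = 365  # "unresolved for more than a year"


@dataclass(frozen=True)
class Finding:
    fid: str
    app: str
    cwe: str
    severity: str                  # simplified to "high" / "low"
    exploitable: bool              # scanner or intel flag for high exploitability
    first_seen: date
    fixed: Optional[date] = None   # None while the finding is still open
    crown_jewel: bool = False      # assumed per-app business-criticality tag
    internet_facing: bool = False  # assumed runtime-exposure tag


def is_open(f: Finding, as_of: date) -> bool:
    return f.fixed is None or f.fixed > as_of


def age_days(f: Finding, as_of: date) -> int:
    return (as_of - f.first_seen).days


def is_critical(f: Finding) -> bool:
    return f.severity == "high" and f.exploitable


def debt_metrics(findings, as_of: date) -> dict:
    """Portfolio-level figures as of a given date."""
    open_ = [f for f in findings if is_open(f, as_of)]
    debt = [f for f in open_ if age_days(f, as_of) > DEBT_AGE_DAYS]
    high = [f for f in open_ if f.severity == "high"]
    cj_open = [f for f in open_ if f.crown_jewel]
    cj_high = [f for f in cj_open if f.severity == "high"]
    return {
        "open": len(open_),
        "debt": len(debt),
        "critical_debt": sum(1 for f in debt if is_critical(f)),
        "avg_age_high": sum(age_days(f, as_of) for f in high) / len(high) if high else 0.0,
        "crown_jewel_high_share": len(cj_high) / len(cj_open) if cj_open else 0.0,
    }


def prioritize(findings, as_of: date) -> list:
    """Work queue: exploitable high-severity flaws first, then crown-jewel apps,
    then internet-facing apps, oldest first within each tier."""
    def key(f: Finding):
        return (not is_critical(f), not f.crown_jewel,
                not f.internet_facing, -age_days(f, as_of))
    return [f.fid for f in sorted((f for f in findings if is_open(f, as_of)), key=key)]


def check_targets(baseline: dict, current: dict, cj_cap: float = 0.10) -> dict:
    """The three example targets from the article, evaluated against a baseline."""
    return {
        "critical_debt_down_25pct": current["critical_debt"] <= 0.75 * baseline["critical_debt"],
        "high_risk_age_halved": current["avg_age_high"] <= 0.5 * baseline["avg_age_high"],
        "crown_jewel_high_share_under_cap": current["crown_jewel_high_share"] < cj_cap,
    }


# Constructed sample: eight findings across three applications (not report data).
FINDINGS = [
    Finding("F1", "payments", "CWE-89", "high", True, date(2024, 1, 15), date(2025, 10, 1), True, True),
    Finding("F2", "payments", "CWE-79", "high", True, date(2024, 3, 1), None, True, True),
    Finding("F3", "payments", "CWE-200", "low", False, date(2025, 5, 1), None, True, True),
    Finding("F4", "intranet-wiki", "CWE-22", "high", True, date(2024, 2, 1)),
    Finding("F5", "intranet-wiki", "CWE-1104", "high", False, date(2023, 12, 1), date(2025, 12, 15)),
    Finding("F6", "marketing-site", "CWE-79", "high", True, date(2025, 6, 15), None, False, True),
    Finding("F7", "payments", "CWE-327", "low", False, date(2023, 6, 1), None, True, True),
    Finding("F8", "marketing-site", "CWE-20", "low", False, date(2025, 1, 10), date(2025, 3, 1), False, True),
]
BASELINE = date(2025, 7, 1)
CURRENT = date(2026, 1, 1)  # six months after the baseline

if __name__ == "__main__":
    b, c = debt_metrics(FINDINGS, BASELINE), debt_metrics(FINDINGS, CURRENT)
    print("baseline:", b)
    print("current: ", c)
    print("targets: ", check_targets(b, c))
    print("queue:   ", prioritize(FINDINGS, CURRENT))
```

Run against the sample, the critical-debt target is met (three long-lived exploitable flaws drop to two, a 33% reduction) while the other two are not: closing one old finding does not halve the average age of the high-risk backlog when the remaining items keep aging, and the crown-jewel share stays well above the cap. That is the point of pairing a count-based target with age and concentration figures; each one alone can look like progress.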
Remediation and Governance
Remediation remains slow: the average time to fix across all scan types was 243 days in 2026, down from 252 days in 2025. Critical security debt originating in third-party code stood at 66% in 2026, down from 70% in 2025, which keeps dependency governance a central control area for many AppSec and product security programs.
