Industry reports highlight growing software security debt and DevSecOps supply-chain exposure
Recent industry reporting based on Veracode's 2026 State of Software Security findings indicates that security debt (known vulnerabilities left unresolved for more than a year) has become a widespread governance and risk-management issue for CISOs. Across an analysis of 1.6 million unique applications assessed via static analysis, dynamic analysis, software composition analysis (SCA), and penetration testing, Veracode reported security debt present in 82% of organizations (up from 74% in 2025) and critical security debt in 60% (up from 50%). The trend indicates that long-lived, high-severity and high-exploitability issues increasingly persist across release cycles, particularly in legacy or dependency-heavy code where teams are reluctant to make changes.
Separately, Datadog's State of DevSecOps 2026 report describes the supply-chain and pipeline practices that sustain this exposure in cloud-native environments: 87% of organizations were observed running at least one exploitable vulnerability in production services, affecting 40% of those services. The report highlights growing dependency lag (a median of 278 days behind the latest major version, up from 215 days) while also noting a countervailing risk pattern: half of organizations adopt third-party libraries within one day of release, increasing the chance of ingesting malicious or insufficiently vetted code. It also flags build and pipeline surface area (for example, widespread GitHub Actions usage) as part of the broader DevSecOps risk picture.
Related Stories
Supply Chain and Vulnerability Data Gaps Undermining Security Programs
A recent ISC2 survey of over 1,000 cybersecurity professionals highlights growing concern about the risks introduced by expanding vendor ecosystems and supply chain sprawl. Nearly 70% of organizations are worried about third-party supplier risks, with the highest concern in enterprises and sectors handling sensitive data such as finance and government. Lack of visibility into vendor and subcontractor security practices remains a critical challenge, with many organizations relying on trust rather than verification. One in three respondents reported experiencing a vendor-related security incident in the past two years, yet almost half did not feel a direct impact, raising questions about continuity and the reliability of vendor security claims. Compounding these risks, a Sonatype analysis reveals that the vulnerability scoring infrastructure, particularly the NVD and CVE programs, is failing to keep pace with modern software development practices. In 2025, 64% of open source CVEs lacked a CVSS score in the NVD, forcing security teams to make risk decisions with incomplete data. Discrepancies in severity ratings and significant delays—averaging six weeks between disclosure and scoring—undermine the effectiveness of automated security tools and response cycles. These gaps in both supply chain visibility and vulnerability intelligence are eroding confidence in the data that underpins security programs, increasing the likelihood of both missed threats and wasted resources.
Open-Source Supply-Chain Risk Amplified by AI-Accelerated Development and Automation
Software supply-chain compromise continued to blend into normal development activity, with attackers exploiting the speed and trust of modern workflows—third-party dependencies, automated updates, and rapid release cycles—to distribute malware and steal credentials. A ReversingLabs study covering 2025 open-source ecosystems reported **npm** as the dominant distribution channel for malicious packages, including incidents where attackers **compromised maintainer accounts** and shipped tainted updates that propagated quickly into downstream projects via routine dependency updates and CI/CD processes. One highlighted case was the **Shai-hulud** worm, described as a registry-native, self-propagating threat that used **stolen credentials** to inject malicious code into **hundreds of packages**, exposing **tens of thousands of downstream repositories** and complicating detection because it did not rely on external infrastructure. In parallel, commentary on generative AI’s impact on software delivery emphasized that faster code production and release pressure can increase security debt: reported industry claims that **20–30% of code** at major firms is AI-generated, alongside estimates that a large share of AI-generated code can introduce **OWASP Top 10**-class weaknesses, reinforcing the need for stronger testing and controls as development velocity increases.
Black Duck Report Finds Open-Source Vulnerabilities per Commercial Codebase More Than Doubled
Black Duck’s **2026 Open Source Security and Risk Analysis (OSSRA)** report found a sharp rise in open-source security debt across commercial software, with **mean vulnerabilities per audited codebase increasing from ~280 to 581** (a **107%** jump) and **unique vulnerabilities averaging ~237**. The report attributes the increase to expanding codebase size and dependency complexity—e.g., more files per codebase and more open-source components—while also pointing to **AI coding assistants** as a likely contributor to accelerated code volume growth and repeated inclusion of widely used libraries with long vulnerability histories. Across the audited population (hundreds of codebases spanning multiple industries), the share of codebases containing at least one vulnerability remained consistently high (mid-to-high 80% range), but the **absolute number of findings surged**, including extreme outliers with **tens of thousands** of vulnerabilities in a single codebase. The report also notes that **high/critical-severity issues remain common** (most codebases have at least one high-risk issue; nearly half have at least one critical issue), and highlights broader ecosystem factors increasing disclosure volume (e.g., the Linux kernel becoming a **CVE Numbering Authority**) alongside ongoing **software supply chain attack** pressure, including malicious or compromised packages in major ecosystems.