Industry reports highlight growing software security debt and DevSecOps supply-chain exposure
Recent industry reporting based on Veracode’s 2026 State of Software Security findings indicates security debt—defined as known vulnerabilities left unresolved for more than a year—has become a widespread governance and risk-management issue for CISOs. Across analysis of 1.6 million unique applications assessed via static/dynamic analysis, SCA, and penetration testing, Veracode reported security debt present in 82% of organizations (up from 74% in 2025) and critical security debt in 60% (up from 50%), reflecting that long-lived, high-severity/high-exploitability issues are increasingly persisting across release cycles, particularly in legacy or high-dependency code where teams are reluctant to make changes.
Separately, Datadog’s State of DevSecOps 2026 reporting describes software supply-chain and pipeline practices that sustain this exposure in cloud-native environments: 87% of organizations were observed running at least one exploitable vulnerability in production services, affecting 40% of those services. The report highlights growing dependency lag (median 278 days behind the latest major version, up from 215 days) while also noting a countervailing risk pattern where half of organizations adopt third-party libraries within one day of release, increasing the chance of ingesting malicious or insufficiently vetted code; it also flags build/pipeline surface area (e.g., widespread GitHub Actions usage) as part of the broader DevSecOps risk picture.
Get ahead of threats like this
Mallory correlates global threat intelligence with your attack surface — know if you’re exposed before adversaries strike.
How this story unfolded
2 events from the most recent confirmed update back to the earliest known activity.
Datadog highlights dependency lag and CI/CD supply chain weaknesses
Datadog's State of DevSecOps 2026 report found that exploitable vulnerabilities remained common in cloud-native production environments due to outdated third-party dependencies and weak pipeline governance. It also identified risky rapid adoption of new libraries and widespread insecure GitHub Actions practices, including failure to pin actions to specific commit hashes.
Veracode reports rising security debt in 2026 software portfolios
Veracode's 2026 State of Software Security Report found that security debt remained widespread and increased across assessed applications, with 82% of organizations carrying vulnerabilities unresolved for more than a year and 60% carrying critical security debt. The report also noted 78% of applications still had vulnerabilities and that highly severe, highly exploitable flaws rose year over year.
Related entities
Vulnerabilities, threat actors, malware, products, organizations, and breaches Mallory has linked to this story.
Sources
2 references tracked. Mallory keeps watching after this page renders.
See the full picture, correlated to your attack surface.
Map indicators from this story to your assets and identify affected systems in minutes.
Every observed campaign, victim, and pivot linked to actors named in this story.
Malware, exploits, and IOCs connected to the activity described here.
YARA, Sigma, and Snort rules deployed to your SIEM as soon as they’re published.
Get matching new stories delivered to your team as they break — not the next morning.
Ask questions about this story and take action on the answers.
Related stories
Other stories Mallory is tracking that overlap on entities, sources, or topic labels.
Supply Chain and Vulnerability Data Gaps Undermining Security Programs
A recent ISC2 survey of over 1,000 cybersecurity professionals highlights growing concern about the risks introduced by expanding vendor ecosystems and supply chain sprawl. Nearly 70% of organizations are worried about third-party supplier risks, with the highest concern in enterprises and sectors handling sensitive data such as finance and government. Lack of visibility into vendor and subcontractor security practices remains a critical challenge, with many organizations relying on trust rather than verification. One in three respondents reported experiencing a vendor-related security incident in the past two years, yet almost half did not feel a direct impact, raising questions about continuity and the reliability of vendor security claims. Compounding these risks, a Sonatype analysis reveals that the vulnerability scoring infrastructure, particularly the NVD and CVE programs, is failing to keep pace with modern software development practices. In 2025, 64% of open source CVEs lacked a CVSS score in the NVD, forcing security teams to make risk decisions with incomplete data. Discrepancies in severity ratings and significant delays—averaging six weeks between disclosure and scoring—undermine the effectiveness of automated security tools and response cycles. These gaps in both supply chain visibility and vulnerability intelligence are eroding confidence in the data that underpins security programs, increasing the likelihood of both missed threats and wasted resources.
May 6, 2026
Open-Source Supply-Chain Risk Amplified by AI-Accelerated Development and Automation
Software supply-chain compromise continued to blend into normal development activity, with attackers exploiting the speed and trust of modern workflows—third-party dependencies, automated updates, and rapid release cycles—to distribute malware and steal credentials. A ReversingLabs study covering 2025 open-source ecosystems reported **npm** as the dominant distribution channel for malicious packages, including incidents where attackers **compromised maintainer accounts** and shipped tainted updates that propagated quickly into downstream projects via routine dependency updates and CI/CD processes. One highlighted case was the **Shai-hulud** worm, described as a registry-native, self-propagating threat that used **stolen credentials** to inject malicious code into **hundreds of packages**, exposing **tens of thousands of downstream repositories** and complicating detection because it did not rely on external infrastructure. In parallel, commentary on generative AI’s impact on software delivery emphasized that faster code production and release pressure can increase security debt: reported industry claims that **20–30% of code** at major firms is AI-generated, alongside estimates that a large share of AI-generated code can introduce **OWASP Top 10**-class weaknesses, reinforcing the need for stronger testing and controls as development velocity increases.
Mar 21, 2026
Black Duck Report Finds Open-Source Vulnerabilities per Commercial Codebase More Than Doubled
Black Duck’s **2026 Open Source Security and Risk Analysis (OSSRA)** report found a sharp rise in open-source security debt across commercial software, with **mean vulnerabilities per audited codebase increasing from ~280 to 581** (a **107%** jump) and **unique vulnerabilities averaging ~237**. The report attributes the increase to expanding codebase size and dependency complexity—e.g., more files per codebase and more open-source components—while also pointing to **AI coding assistants** as a likely contributor to accelerated code volume growth and repeated inclusion of widely used libraries with long vulnerability histories. Across the audited population (hundreds of codebases spanning multiple industries), the share of codebases containing at least one vulnerability remained consistently high (mid-to-high 80% range), but the **absolute number of findings surged**, including extreme outliers with **tens of thousands** of vulnerabilities in a single codebase. The report also notes that **high/critical-severity issues remain common** (most codebases have at least one high-risk issue; nearly half have at least one critical issue), and highlights broader ecosystem factors increasing disclosure volume (e.g., the Linux kernel becoming a **CVE Numbering Authority**) alongside ongoing **software supply chain attack** pressure, including malicious or compromised packages in major ecosystems.
Mar 21, 2026