Critical Security Debt in Organizations 2025
Here’s a number worth pausing on: 252 days. That’s how long it now takes the average organization to fix a known security flaw. Not discover it — fix it. And that number has gone up 47% in just five years.
This comes from Veracode’s 2025 State of Software Security report, one of the more honest looks at where the industry actually stands. The picture isn’t pretty.
Half of all organizations now carry what the report calls “critical security debt.” That means high-severity, highly exploitable flaws that have sat unfixed for more than a year. Not minor bugs. Not theoretical risks. Flaws that attackers know how to use — and that your team hasn’t gotten to yet.
The Part That Should Worry You Most
You might expect most of that debt to come from in-house code. Code your developers wrote, shortcuts taken under deadline pressure, functions nobody wanted to refactor. That’s a familiar story.
But that’s not where 70% of critical security debt actually lives.
It lives in your dependencies. Your third-party packages. Your open-source libraries. The code you pulled in to save time, that came bundled inside the tools your vendors shipped you, that arrived quietly as a transitive dependency three layers deep.
Think of it like buying a house. You can inspect every room yourself. But what about the pipes in the walls? The wiring behind the drywall? The foundation poured before you were involved? You inherit all of it — and all the problems that come with it.
That’s the software supply chain. And right now, most organizations don’t have a clear picture of what they’ve inherited.
Why This Is Getting Worse, Not Better
There are two things accelerating this problem simultaneously.
The first is complexity. Modern software doesn’t just have dependencies — it has dependencies that have dependencies that have dependencies. A single application might pull in hundreds of components, each maintained by different teams with different security practices and different update schedules. Tracking all of that is genuinely hard.
The second is AI-assisted engineering. And this is the part of the conversation that doesn’t get said plainly enough: AI tools help developers ship faster. That’s real and valuable. But shipping faster also means pulling in more libraries, generating more code, and expanding your attack surface at a pace that your security team wasn’t built to handle.
More code, more dependencies, less time to review any of it. The debt compounds.
This Isn’t About Blame
It’s tempting to frame this as a developer problem or a security team problem. It isn’t either.
Security debt builds up the same way financial debt does — slowly, through reasonable decisions made under real constraints. A team hits a deadline and uses a third-party library instead of building from scratch. A dependency gets updated by its maintainer and nobody notices the new version introduced a vulnerability. A legacy component gets left in production because changing it means touching code nobody fully understands anymore.
None of those decisions are reckless. But they stack up. And 252 days is what it looks like when the stack gets tall enough.
The question isn’t how you got here. It’s whether you know where you stand.
What “Highly Exploitable” Actually Means
The phrase “critical security debt” sounds abstract until you understand what Veracode means by it. These aren’t low-probability, theoretical vulnerabilities. They’re flaws that are both high-severity — meaning a successful exploit causes serious damage — and highly exploitable, meaning attack methods are known, publicly documented, and actively used.
That’s the combination that matters. A serious flaw that’s hard to exploit gives you time. A known exploit path to a minor bug is probably not your biggest problem. It’s when those two things overlap that you’re in real danger.
And right now, half of all organizations have at least one of those overlaps sitting unfixed for over a year. In some cases, much longer.
Where to Start if You’re Behind
You probably can’t fix 252 days’ worth of debt this quarter. But you can stop pretending you don’t have it.
Start with visibility. You can’t prioritize what you can’t see. A software composition analysis (SCA) tool will give you a clear inventory of your dependencies and flag known vulnerabilities against public databases like the National Vulnerability Database. If you don’t have one, that’s your first step.
Then prioritize ruthlessly. Not everything in your backlog deserves the same urgency. Focus on the intersection of severity and exploitability — exactly the criteria Veracode uses to define critical debt. What’s in production? What’s customer-facing? What’s exploitable right now? Those get addressed first.
Build remediation into your workflow, not around it. Security debt grows when security lives outside the development process. If your developers only hear about vulnerabilities after the fact, you’re always playing catch-up. Shifting that feedback earlier — into the pipeline, during code review, before things ship — is what bends the curve.
And on the supply chain side: know what you’re inheriting. Maintain a software bill of materials (SBOM). Treat your third-party dependencies the way you’d treat any other risk in your business — with regular review and accountability.
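The four steps above (inventory, prioritize on severity and exploitability, feed results back into the workflow, track inherited third-party components) can be turned into a small triage routine. The following is an added example, not code from the post or from Veracode or Eigen Security; the findings are constructed and the field names (severity, exploit_known, third_party, first_seen and so on) are assumptions about what an SCA scan over an SBOM would report, not any vendor's schema.

```python
from datetime import date
# Constructed sample findings, shaped like an SCA scan run against an SBOM.
# Field names are illustrative assumptions, not any vendor's or standard's schema.
TODAY = date(2025, 9, 1)  # fixed reference date so the figures are reproducible
FINDINGS = [
    {"id": "F1", "component": "web-app (first-party)", "third_party": False,
     "severity": "high", "exploit_known": True, "production": True,
     "customer_facing": True, "first_seen": "2024-02-01"},
    {"id": "F2", "component": "lib-json@2.1 (transitive)", "third_party": True,
     "severity": "high", "exploit_known": True, "production": True,
     "customer_facing": True, "first_seen": "2023-11-15"},
    {"id": "F3", "component": "lib-img@0.9 (direct)", "third_party": True,
     "severity": "high", "exploit_known": True, "production": False,
     "customer_facing": False, "first_seen": "2024-01-20"},
    {"id": "F4", "component": "lib-log@4.0 (direct)", "third_party": True,
     "severity": "medium", "exploit_known": True, "production": True,
     "customer_facing": True, "first_seen": "2022-06-01"},
    {"id": "F5", "component": "lib-auth@1.3 (direct)", "third_party": True,
     "severity": "high", "exploit_known": False, "production": True,
     "customer_facing": True, "first_seen": "2025-08-01"},
]

def age_days(f, today=TODAY):
    """Days the finding has been open, counted from when the scanner first saw it."""
    return (today - date.fromisoformat(f["first_seen"])).days

def is_critical_debt(f, today=TODAY):
    """The post's definition: high severity, a known exploit path, unfixed for over a year."""
    return f["severity"] == "high" and f["exploit_known"] and age_days(f, today) > 365

def priority(f, today=TODAY):
    """Rank by severity x exploitability first, then exposure, then how long it has sat."""
    sev = {"high": 3, "medium": 2, "low": 1}[f["severity"]]
    return (sev * (2 if f["exploit_known"] else 1),
            f["production"], f["customer_facing"], age_days(f, today))

def triage(findings, today=TODAY):
    """Finding ids in the order they should be worked, most urgent first."""
    return [f["id"] for f in sorted(findings, key=lambda f: priority(f, today), reverse=True)]

def debt_report(findings, today=TODAY):
    """Critical-debt set, how much of it is inherited, and mean open age of high-severity flaws."""
    debt = [f for f in findings if is_critical_debt(f, today)]
    high = [f for f in findings if f["severity"] == "high"]
    return {
        "critical_debt": [f["id"] for f in debt],
        "share_in_dependencies": sum(f["third_party"] for f in debt) / len(debt) if debt else 0.0,
        "mean_open_days_high": sum(age_days(f, today) for f in high) / len(high) if high else 0.0,
    }
```

Run on the sample, the oldest exploitable flaw in a production, customer-facing transitive dependency (F2) comes out first, and two of the three critical-debt items are inherited third-party code, which is the kind of split the report's 70% figure describes.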
The Honest Version of This Conversation
The 252-day average isn’t a number you can accept and move forward from unchanged. That’s not a backlog problem. That’s a structural one.
Organizations that are reducing that number aren’t doing it through heroics. They’re doing it by making security part of how software gets built — not a checkpoint at the end, not a separate team’s problem, not something to revisit after the next audit.
The supply chain risk is real and it’s growing. AI-accelerated development is genuinely useful and genuinely adds exposure. Both things are true at once.
You don’t have to solve it all this week. But the longer that clock runs, the more it costs — in remediation effort, in regulatory exposure, and eventually, in something worse.
Want to understand what your current security debt looks like — and where your biggest supply chain exposures are? Get in touch with the Eigen Security team.