Kubernetes 1.33 was released today.
Enterprises across the world are under attack, and it's getting harder for them to defend themselves.
According to Verizon's Data Breach Investigations Report, exploitation of software vulnerabilities as the critical path to initiate a breach has surged 180% in the past year. This spike in exploitation coincides with rising security debt and increasingly intricate attack surfaces. The situation is further complicated by a poorly kept secret in the software engineering world: the use of artificial intelligence to generate code, which is on the rise with most development teams — whether they'll admit it or not.
The regulatory landscape is also evolving rapidly. The EU's Cyber Resilience Act went into effect in December 2024 and has real teeth, serving as a market entry barrier for products deemed non-compliant. Here in the US, new rules from the Securities and Exchange Commission (SEC) combined with Biden-era executive orders have propelled companies to adopt prevention strategies based on Zero Trust network architectures and Secure by Design principles.
The regulatory pressures facing companies have made a difference. Recent data from Veracode's 2025 State of Software Security (SoSS) report shows that the percentage of applications passing the Open Worldwide Application Security Project (OWASP) Top 10 tests has increased by 63% over the past five years — a significant improvement. More notably, the prevalence of high-severity flaws has been cut in half over the past decade, demonstrating tangible progress in secure software development practices.
The Growing Threat of Security Debt
Unfortunately, regulations are not a silver bullet. Despite measurable improvements, security debt — defined as flaws that remain unfixed for more than a year after discovery — continues to put enterprises at risk. Security debt impacts almost three-quarters (74.2%) of organizations, up from 71% in previous measurements. More frighteningly, half of all organizations suffer from critical security debt: a dangerous combination of high-severity, long-unresolved flaws.
There's a reason it is described as critical debt: the longer a security flaw survives within an enterprise, the less likely it will be resolved. Today, more than a quarter (28%) of flaws remain open two years after discovery, and even after five years, 9% of flaws still linger in applications. The time it takes to fix just 50% of discovered enterprise security vulnerabilities checks in at just over eight months.
Perhaps more concerning is that severity isn't a major driver of remediation for most teams. Critical flaws are addressed only about a month sooner than less severe findings, which tells us that organizations aren't always prioritizing the most dangerous vulnerabilities. And more bad news: the average number of days to fix flaws has increased by 47% over the past five years — a clear indication that remediation timelines are getting longer, not shorter.
Third-Party Code Amplifies Security Risks
Applications are only as secure as the code used to write them, and security flaws are a fact of life in every code base in the world. That being said, the origin of the code that is being used matters. Leveraging third-party code has become standard practice across the industry, which introduces added risks. The report revealed roughly 70% of tested applications contain flaws in third-party code — 6% higher than the flaw prevalence for code written by in-house developers. Furthermore, when examining critical security debt, 70% is introduced by third-party code and the software supply chain.
While this doesn't mean every line of code needs to be developed in-house, it underscores the importance of evaluating open-source code libraries before incorporating them into a project's code base. The significance of detecting and mitigating malicious packages before they enter the build process cannot be overstated.
Wide Disparities in Application Security Performance
The reality is that no organization achieves perfection in application security. On average, security flaws are present in roughly two-thirds of applications across most enterprises. The most security-mature leaders manage to keep flaw prevalence below 43%. On the other end of the spectrum, lagging organizations struggle, with 86% (or more) of their applications containing security flaws.
Fix capacity — the percentage of flaws remediated monthly — also varies dramatically across organizations. Leading teams consistently fix more than 10% of their flaws each month, while low performing companies clock in at just 1%. This stark difference in remediation capacity directly impacts an organization's security posture over time. Those on the lower end of the spectrum can't help but rack up more and more security debt as time goes by.
A Two-Pronged Approach to Maturing Software Security
Regardless of whether you're a high-performing company, somewhere in the middle, or lagging, every organization has room for improvement. To mature software security program efforts in a way that aligns with business objectives, companies need to adopt a two-pronged approach that starts with visibility and integration across the software development life cycle (SDLC) to prevent new flaws through automation and feedback loops. This involves continual scanning as developers write code, enabling development teams to catch and remediate issues before they become a problem.
Secondly, organizations need the ability to correlate and contextualize findings in a single view to prioritize their backlog based on context. This allows companies to reduce the most risk with the least effort. Since the average time to fix flaws has increased dramatically, programs seeking to improve their security posture must focus on the findings that matter most in their specific context. If everything is a priority, nothing is a priority; this approach underscores the idiom.
It's not all doom and gloom for security teams tasked with software security; there is a silver lining. With advances in AI, a sustainable process for continual remediation has become more achievable. So much existing security debt stems from simple, easily detected flaws that AI can address and stamp out at scale. In fact, high-performing teams are already using these capabilities to boost their fix capacity and speed.
Addressing the issue is a simple matter of proper prioritization. By focusing security teams on security debt and training them to implement fixes or leverage AI effectively, companies can reduce existing vulnerabilities significantly. At the same time, they can slow security debt accumulation across the organization, improving security posture and mitigating their risk of exploitation.
Industry News
Docker announced a major expansion of its AI initiative with the upcoming Docker MCP Catalog and Docker MCP Toolkit.
Perforce Software announced the release of its latest platform update for Puppet Enterprise Advanced, designed to streamline DevSecOps practices and fortify enterprise security postures.
Azul announced JVM Inventory, a new feature of Azul Intelligence Cloud designed to address the complexity and risk of migrating off Oracle Java.
LaunchDarkly announced the acquisition of Highlight, a powerful, open source, full-stack application monitoring platform known for its error monitoring, logging, distributed tracing and session replay capabilities.
O’Reilly announced AI Codecon—a groundbreaking virtual conference series dedicated to exploring the rapidly evolving world of AI-assisted software development.
Veracode unveiled new capabilities offering proactive risk mitigation and automated security at enterprise scale.
Snyk launched Snyk API & Web, delivering a dynamic application security testing (DAST) solution designed to meet the growing demands of modern and increasingly AI-powered software development.
Check Point® Software Technologies Ltd. announced that it has ranked as a Leader and the only Outperformer for its Check Point Quantum Security Solutions in GigaOm’s latest Radar for Enterprise Firewall report.
Postman announced new releases designed to help organizations build APIs faster, more securely, and with less friction.
SnapLogic announced AgentCreator 3.0, an evolution in agentic AI technology that eliminates the complexity of enterprise AI adoption.
GitLab announced the general availability of GitLab Duo with Amazon Q.
Perforce Software and Liquibase announced a strategic partnership to enhance secure and compliant database change management for DevOps teams.
Spacelift announced the launch of Saturnhead AI — an enterprise-grade AI assistant that slashes DevOps troubleshooting time by transforming complex infrastructure logs into clear, actionable explanations.
CodeSecure and FOSSA announced a strategic partnership and native product integration that enables organizations to eliminate security blindspots associated with both third party and open source code.