**Report claims more vulnerabilities created than fixed as remediation gap widens**

Veracode has posted its annual State of Software Security report, based on data from 1.6 million applications tested on its cloud platform, finding that more vulnerabilities are being created than are being fixed, and that high-velocity development with AI is making comprehensive security unattainable.…
# Industry News: Remediation Gap Widens as AI Accelerates Software Vulnerability Creation
## Summary
Veracode’s latest State of Software Security report indicates a critical widening of the security remediation gap, where the rate of vulnerability creation now exceeds the rate of fixing. This trend is exacerbated by the high velocity of development utilizing AI-generated code, leading to a conclusion that comprehensive security is becoming unattainable under current paradigms.
## Key Details
- Date: February 26, 2026 (Approximate based on article date)
- Companies Involved: Veracode (Reporting Body)
- Category: Market Analysis / Industry Report
## The Story
Veracode analyzed data from 1.6 million applications, revealing that "security debt"—known vulnerabilities left unresolved for over a year—now affects 82% of companies, up from 74% the previous year. Critically, the proportion of high-risk vulnerabilities (severe and likely exploitable) has increased from 8.3% to 11.3%. While the prevalence of open-source vulnerabilities has slightly decreased, the overarching problem is the accelerating pace of releases, coupled with increased technical complexity from AI-generated code, making deep remediation difficult. The report starkly warns that incremental improvements are insufficient and "transformational change [is] required."
## Business Impact
### For the Companies Involved
- **Veracode:** Reinforces its position as a leading source of objective application security metrics, adding urgency to the need for its comprehensive scanning and security management solutions.
### For Competitors
- Competitors offering fragmented AppSec testing or remediation solutions may find their offerings under increased scrutiny, as the data suggests current testing adoption alone is not solving the velocity problem.
### For Customers
- Organizations face escalating security risk exposure as technical debt grows faster than remediation efforts can handle. The increasing complexity of AI-generated code introduces unknown vectors that standard practices may fail to address.
### For the Market
- The findings signal a major pivot moment for the Secure Software Development Lifecycle (SSDLC). The industry must grapple with the fact that existing DevSecOps scaling practices are currently losing the battle against deployment velocity.
## Technical Implications
The integration of AI code generation presents a double-edged sword: while AI can help find flaws, the resulting code increases complexity, potentially leading to more difficult-to-diagnose or entirely novel vulnerabilities. Furthermore, AI tooling itself introduces risks like prompt injection that legacy testing methods may not fully capture. False positive generation by AI testing tools could also burn out human reviewers attempting to provide necessary oversight.
## Strategic Analysis
- Market Positioning: Veracode is positioning the narrative around the *limitations* of current high-velocity development, rather than just the *need* for testing. This shifts the focus from tool coverage to remediation effectiveness at scale.
- Competitive Advantage: Companies that can successfully integrate AI-assisted remediation and validation into their pipelines (e.g., by improving automated fix proposal quality) will gain a significant strategic edge.
- Challenges: The industry struggles to define and implement the "transformational change" required. Over-reliance on AI tools without robust human-in-the-loop governance is clearly failing to contain the problem.
## Industry Reactions
- **Analyst Opinions:** Analysts will likely view this as validation that tooling alone is insufficient; investment must move heavily toward changes in engineering culture, clear security governance over AI usage, and verifiable remediation workflows.
- **Expert Commentary:** Expect experts to emphasize the importance of secure guardrails around AI coding assistants and stricter policies on deploying code that lacks adequate, security-vetted human review.
- **Market Response:** Increased demand for solutions specializing in AI code security analysis and automated, high-confidence remediation.
## Future Outlook
- Expect increased focus on metrics tracking remediation *speed* and *success rate* rather than just vulnerability *detection* rates.
- The next evolution of Application Security Posture Management (ASPM) will need to heavily incorporate AI code governance features.
- The stated unattainability of comprehensive security suggests a bifurcation: either development velocity slows down, or security tooling requires fundamental, disruptive breakthroughs (e.g., verification of guaranteed security properties).
## For Security Professionals
Practitioners must advocate for stricter policies on AI code integration, focusing effort on validating AI-generated code for subtle, high-risk vulnerabilities that automated scanners might miss. Prioritizing the remediation of high-risk "security debt" must become a non-negotiable executive mandate, as ignoring it leads directly to an unacceptable risk posture.
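To make the report's metrics actionable, the following added example (not code from Veracode or the report) computes them over a constructed findings portfolio: the created-versus-fixed remediation gap for a time window, the security-debt share (open for more than a year), the high-risk share (severe and likely exploitable), and a remediation order that puts high-risk debt first. Field names, severity labels and the sample findings are assumptions.

```python
from dataclasses import dataclass
from datetime import date
from typing import Optional

DEBT_AGE_DAYS = 365  # the report's cut-off: unresolved for more than a year

@dataclass(frozen=True)
class Finding:
    fid: str
    severity: str             # assumed labels: "critical", "high", "medium", "low"
    likely_exploitable: bool
    opened: date
    closed: Optional[date] = None   # None means still unresolved

    def is_open(self, as_of: date) -> bool:
        return self.closed is None or self.closed > as_of

    def is_high_risk(self) -> bool:
        # the report's high-risk notion: severe AND likely exploitable
        return self.severity in ("critical", "high") and self.likely_exploitable

    def is_debt(self, as_of: date) -> bool:
        return self.is_open(as_of) and (as_of - self.opened).days > DEBT_AGE_DAYS

def remediation_gap(findings, start: date, end: date) -> dict:
    """Created-vs-fixed counts inside [start, end]; positive net_new means the gap widened."""
    created = sum(1 for f in findings if start <= f.opened <= end)
    fixed = sum(1 for f in findings if f.closed is not None and start <= f.closed <= end)
    return {"created": created, "fixed": fixed, "net_new": created - fixed}

def portfolio_metrics(findings, as_of: date) -> dict:
    """Open count, security-debt share, high-risk share and a remediation order."""
    open_ = [f for f in findings if f.is_open(as_of)]
    debt = sum(1 for f in open_ if f.is_debt(as_of))
    high_risk = sum(1 for f in open_ if f.is_high_risk())
    # Work high-risk debt first, then other high-risk, then other debt; oldest first in each group.
    queue = sorted(open_, key=lambda f: (not f.is_high_risk(), not f.is_debt(as_of), f.opened))
    share = lambda n: round(n / len(open_), 3) if open_ else 0.0
    return {"open": len(open_), "debt_share": share(debt),
            "high_risk_share": share(high_risk), "queue": [f.fid for f in queue]}

# Constructed sample portfolio (not data from the report).
AS_OF = date(2026, 2, 26)
SAMPLE_FINDINGS = [
    Finding("F1", "critical", True,  date(2024, 11, 1)),                    # high-risk debt
    Finding("F2", "high",     False, date(2025, 1, 15)),                    # debt, not high-risk
    Finding("F3", "high",     True,  date(2026, 1, 20)),                    # high-risk, recent
    Finding("F4", "medium",   True,  date(2026, 2, 1)),                     # neither
    Finding("F5", "low",      False, date(2025, 12, 1), date(2026, 2, 10)), # fixed this window
    Finding("F6", "critical", True,  date(2026, 2, 5),  date(2026, 2, 20)), # created and fixed
]
```

Running `remediation_gap(SAMPLE_FINDINGS, AS_OF.replace(month=1, day=1), AS_OF)` on the sample gives three created against two fixed, and `portfolio_metrics` reports half of the open findings as debt and half as high-risk, with F1 at the head of the queue.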