Veracode’s 2025 State of Software Security report reveals that half of organizations now carry critical security debt, defined as high-severity, highly exploitable flaws that have remained unfixed for more than a year. Alarmingly, 70% of this critical debt stems from third-party code and the broader software supply chain, underscoring the growing risks introduced by dependencies and open-source components.
This trend has been accelerated by the increasing complexity of software ecosystems and the rapid adoption of AI engineering, which expands the attack surface and makes it harder for organizations to keep pace with remediation. The report also highlights a concerning rise in the average time to fix security flaws, now at 252 days, 47% longer than just five years ago.
These findings align closely with the discussions in the latest book “The CISO & CTO Guide to The Self-Building AI Metropolis”, which emphasizes the urgent need for new governance models and strategic approaches to address the “vulnerability cascade” created by third-party and AI-generated code. Both the Veracode research and the book argue that traditional controls are no longer sufficient; organizations must prioritize supply chain security, accelerate remediation, and adopt more mature risk management practices to effectively reduce security debt and protect against modern threats.
The book, “The CISO & CTO Guide to The Self-Building AI Metropolis”, authored by Haroon Mansoori, is designed to help CISOs, CTOs, and security teams rethink governance, close the perception gap, and build strategies that actually work in this new era of AI-powered software. If you’re concerned about the “vulnerability cascade” that AI can unleash, or just want practical ways to secure your organization as AI transforms development, I invite you to check it out. Let’s build a safer AI future, together.