Half of organisations are carrying unresolved critical security debt, and 70% of it comes from third-party code, according to Veracode's 2025 State of Software Security.
In this 5-minute video, Jeff Williams, CTO and Founder of Contrast Security, breaks down the data:
50% of orgs have critical flaws still open after a year
70% of that debt is tied to open-source and third-party libraries
Fix times now average 252 days, up 47% in five years
AI is accelerating code delivery and introducing new vulnerabilities.
The takeaway:
Security debt isn't just a backlog; it's a signal of trade-offs between speed, tooling and ownership that compound risk over time.
Jeff Williams is the Founder and Chief Technology Officer of Contrast Security. Jeff brings more than 20 years of security leadership experience as Co-Founder and Chief Technology Officer of Contrast. Previously, Jeff was Co-Founder and Chief Executive Officer of Aspect Security, a successful and innovative application security consulting company acquired by Ernst & Young. Jeff is also a founder and major contributor to OWASP, where he served as Global Chairman for eight years and created the OWASP Top 10, OWASP Enterprise Security API, OWASP Application Security Verification Standard, XSS Prevention Cheat Sheet, and many other widely adopted free and open projects. Jeff has a BA from the University of Virginia, an MA from George Mason, and a JD from Georgetown.
Jeff Williams:
Yeah. It's not a great time to be an AppSec analyst or a SecOps researcher. Like, it's just tough work, and it's not fair what we're asking those people to do.
It's a very stressful job. They go home. You know, they're trying to protect companies and consumers, and it's not a sustainable situation. So we've gotta do something to change the curve.
Jake Milstein:
Hey, everybody. My name is Jake Milstein. I'm here with the founder of Contrast Security, Jeff Williams. Jeff, good to see you today.
Jeff:
Hey, Jake. What's going on?
Jake:
Yeah. And I mean, we just heard from the analysts at IDC that in their latest study, I'm not sure whether it's out yet, but ninety-one percent of organizations are using AI to help code at this point. So the other side of the text. Right? That they're using AI assistance in some way.
Is that code more secure?
Jeff:
Well, no. I mean, there's studies that show that it's not more secure, but I suspect it's roughly equivalent to code that humans create. And that's not surprising because it's trained on code that humans created with lots of vulnerabilities in it. And so, unfortunately, we're not likely to do much better than that at least in the foreseeable future.
And, you know, if you created that and you had AI go, you know, let's say the AI was twice as secure, half as many vulnerabilities as a human, you know, you're still gonna want the AI to code faster. So don't you just end up with more vulnerabilities in the end, and they're just coming at you faster?
Yeah. Even if it was twice as good at security but produced twice the amount of code, you'd still end up with the same net number of vulnerabilities. So it's not really helping.
Yeah. It's complicated, but I think AI, you know, using AI to help write code is here to stay. The productivity gains are just too big to ignore, so that's what people are gonna do. So now we gotta adapt to, you know, drinking from an even bigger fire hose.
Jake:
One of the things that came out in the last week is the Veracode State of Software Security report. And, you know, they do this every year and, you know, they come out. They have really, really interesting findings in there. And, you know, it says seventy percent of orgs are drowning in security debt. It's just it is an unsustainable problem to think that, you know, those orgs are drowning in security debt. And, you know, on the other side, security operation centers are drowning in false positives and the inability to see what's happening in the application layer.
Jeff:
Yeah. It's not a great time to be an AppSec analyst or a SecOps researcher. Like, it just it's, it's tough work, and it's not fair what we're asking those people to do. That's a very stressful job. They go home. You know, they're trying to protect companies and consumers, and it's not a sustainable situation. So we've gotta do something to change the curve.
You know, over the last year, I've probably talked to fifty CISOs and a bunch of SOC analysts.
And in most cases, even if they have a WAF and even if that WAF is pumping the data into Splunk or whatever, they're not looking at it because it's so noisy. It's almost impossible to figure out the signal from the noise.
And, also, they have a misunderstanding that, you know, oh, my EDR will find it. You know? Yeah. It might not find it in the very beginning, but it'll find it later. And one of the things that we've found is that eighty percent of AppSec attacks sail right past EDR, and they do not detect it until, frankly, it's way too late, and the data is already being exfiltrated.
Jake:
Alright. Well, Jeff, thank you for joining me today. Folks, we're gonna talk to you again soon. Looking forward to talking to you again on video, Jeff. See you soon.
Jeff:
Thanks, Jake.