From Lagging to Leading: The New View of Software Security Maturity in 2025

The State of Software Security (SoSS) 2025: A New View of Maturity, our 15^th year publishing the report, highlights a critical shift in how organizations approach security maturity. This transition focuses on major risks and uses continuous feedback loops to identify and mitigate them. 

Key metrics such as flaw prevalence, fix capacity, fix speed, debt prevalence, and open-source debt are essential for benchmarking and improving security maturity. These metrics provide a clear picture of where organizations stand and what steps are necessary to improve their security posture.  

Moreover, new cybersecurity regulations, such as the EU’s Cyber Resilience Act and the U.S. Biden Cybersecurity Executive Order, are playing an important role in driving positive changes. These regulations focus on robust security controls, transparency, and disciplined risk management, contributing to a significant improvement in the OWASP Top 10 pass rate, which has risen from 32% to 52% over the past five years. 

In this blog, we will explore these key metrics and strategies, providing actionable insights and benchmarks to help your organization move from lagging to leading in the domain of software security. 

The Metrics of Security Maturity 

The following data from the 2025 SoSS report is a comparison of the top 25% and bottom 25% of organizations against five key metrics we’ve observed indicate the maturity of an organization at finding and fixing flaws in a way that systematically drives down risk. 

1. Flaw Prevalence 
   • Definition and Importance: Flaw prevalence refers to the percentage of applications that contain at least one unresolved security flaw in their latest scan. A higher flaw prevalence does indicate more security risks, especially if the remediation efforts are too slow to keep up with it.  
   • Comparison: Leading organizations have a flaw prevalence below 43%, demonstrating their ability to both identify and address vulnerabilities more effectively. Lagging organizations have a flaw prevalence of 86% or more. 

2. Fix Capacity 
   • Definition and Importance: Fix capacity refers to an organization’s ability to address and fix security vulnerabilities within a given timeframe, typically measured in months. 
   • Comparison: Leading organizations have a fix capacity above 10% of flaws monthly, while lagging fix less than 1% monthly. 

3. Fix Speed 
   • Definition and Importance: Fix speed measures how quickly an organization can address and resolve security vulnerabilities once they are identified. Faster fix speeds reduce both security debt and the window of opportunity for attackers.
   • Comparison: Leading organizations fix half of flaws in 5 weeks or less, while lagging organizations fix half of flaws in over a year. 

4. Debt Prevalence 
   • Definition and Importance: Security debt prevalence measures the accumulation of unresolved security issues that remain unresolved for over a year. High security debt can lead to increased risk and potential breaches. 
   • Comparison: Leading organizations have security debt in less than 17% of apps, while lagging organizations have security debt in over 67% of apps. 

5. Open-Source Critical Debt 
   • Definition and Importance: Open-source debt refers to the accumulation of security vulnerabilities in open-source components used in an organization’s software. Managing open-source debt is crucial for maintaining a secure software supply chain. 
   • Comparison: Leading organizations have less than 15% of critical debt from open-source libraries, while lagging organizations have 100% of their critical debt in open-source libraries. 

These metrics provide organizations benchmarks for program maturity and highlight the need for proactive and continuous security practices. Focusing on these areas enhances security posture and ensures compliance with emerging threats and regulations. 

Strategies for Improvement and the New View of Software Security Maturity for 2025 and Beyond 

The new view of software security maturity is a two-fold perspective that will have a significant impact on your backlog. To mature your software security program efforts in a way that aligns with business objectives, you need:  

Visibility and Integration Across Your SDLC to Prevent Net New Flaws Through Automation and Feedback Loops 

By integrating security into every phase of the software development lifecycle (SDLC), you can prevent the introduction of new flaws. Automation tools can help identify and fix vulnerabilities early in the development process, and continuous feedback loops ensure that issues are addressed as soon as possible. This proactive approach not only reduces the number of new flaws but also minimizes the overall risk to your organization. 

The Ability to Correlate and Contextualize Findings in a Single View So You Can Burn Down the Backlog Based on Context and Reduce the Most Risk with the Least Effort 

Effective security management requires a holistic view of your vulnerabilities. By correlating and contextualizing findings in a single, unified dashboard, you can prioritize your efforts more effectively. This allows you to focus on the most critical issues first, ensuring that you reduce the most risk with the least effort. This strategic approach not only helps in managing your backlog more efficiently but also ensures that your security efforts are aligned with your business objectives. 

By embracing these strategies, organizations can achieve a higher level of security maturity, stay ahead of emerging threats, and meet regulatory requirements. The new view of software security maturity in 2025 and beyond is one where visibility, integration, and context-driven decision-making are the cornerstones of a robust security program. To learn more, download the full report today.