2024 State of Software Security Language Snapshot

This document is a snapshot from Veracode’s State of Software Security 2024, focusing on the issue of security debt in software applications, particularly across Java, JavaScript, and .NET languages. It aims to address the prevalence and risks associated with security debt, defined as flaws that remain unremediated for over a year. The analysis reveals that 71% of organizations have security debt, with .NET applications showing the highest prevalence at 75%, followed by Java at 64% and JavaScript at 54%. The snapshot also distinguishes between general security debt and critical security debt, noting that JavaScript has the lowest proportion of critical security debt at 30%. Furthermore, it discusses the origins of security debt, indicating that most comes from first-party code, while Java and JavaScript face challenges with critical security debt in third-party code. The document concludes with observations on remediation timelines for security flaws across these languages.