[Veracode]: State of Software Security 2025: A New View of Maturity - 发现报告

State of Software Security 2025: A New View of Maturity

Information Technology | 2025-02-26 | Veracode | 葛***

Contents
  Opening Letter
  Executive Summary
  Key Findings
  15 Years of Special SoSS
  Methodology
  State of Software Security in 2025
    Finding Flaws
    Fixing Flaws
    Fighting Debt
  Comparing Software Security Program Performance
    Flaw Prevalence
    Fix Capacity
    Fix Speed
    Debt Prevalence
    Open-Source Debt
  Conclusions & Recommendations

Opening letter

Our research drives our own software security measures, and this year, in our 15th volume of this report, we seek to discover trends about where the most risk resides and what metrics can be used to gauge progress against it. Plus, we want to compare program performance of leading and lagging organizations using these metrics. The gaps between the top 25% and bottom 25% are fascinating.

Ultimately, realizing progress and maturity in software security requires a risk-based perspective. It takes focusing on the downside risks that matter in your context and the actions that create continuous feedback loops to see and remediate risk in an ongoing fashion.

This is easier said than done, so we hope you find the insights and guidance in this report as helpful as we have for improving security posture by adaptively securing mission-critical software in the artificial intelligence (AI) era.

Sincerely,
Chris Wysopal, Chief Security Evangelist
Sohail Iqbal, Chief Information Security Officer
Niels Tanis, Senior Principal Security Researcher

Executive Summary

In 2025, organizations face increasing threats to their software. The exploitation of vulnerabilities as the critical path to initiate a breach “almost tripled (180% increase) in the last year,” according to the Verizon 2024 Data Breach Investigations Report. Meanwhile, security debt is rising, and the attack surface is getting increasingly complex. Plus, the rise of AI in software engineering, especially with code generators, is transforming the risk landscape. While many teams may not openly admit to using AI, other indicators of its presence and impact can be found.

We also can’t ignore the trends in the regulatory space that are happening in the U.S. and the E.U. In the EU, the Cyber Resilience Act went into effect December 2024 and focuses especially on enhancing the security of software. In the U.S., the 2020 Biden Cybersecurity Executive Order emphasized cybersecurity prevention with Zero Trust network architectures and Secure by Design software. Secure by Design included static code analysis, dynamic code analysis, and supply chain security with SBOMs.

The U.S. Federal Government even required vendors to attest to the way they developed software as part of the acquisition process. Understanding your software risk posture is now a requirement. 2024 also gave us a new U.S. Securities and Exchange Commission (SEC) ruling which forces a more disciplined approach to cybersecurity risk management.

We believe these regulatory factors have contributed to some of the positive trends we see in the data, such as the OWASP Top 10 pass rate improving from 32% to 52% in the last five years.

However, our findings reveal that relying on traditional patching alone isn’t enough. Security teams must take a more strategic, context-driven approach to managing the most urgent and exploitable risks. This requires seeing all risks in one place and focusing on what matters most to an organization. By prioritizing the most impactful risk remediation actions and creating continuous feedback loops for ongoing improvement, organizations can more effectively manage security risks over time.

Key findings

Good news first: the percentage of apps passing the OWASP Top 10 has increased 63% in 5 years (from 32% to 52%).

Now the bad news... the percentage of apps with high severity flaws has increased by 181%... and the average number of days to fix flaws has increased 47%.

Half of organizations have critical security debt (high severity, high exploitability)... and 70% of it comes from third party code and the software supply chain.

The following table is a comparison of the top 25% and bottom 25% of organizations against 5 key metrics we’ve observed indicate the maturity of an organization at finding and fixing flaws in a way that systematically drives down risk.

15 Years of Special SoSS

As a pioneer of the AppSec space, we have years of data to our advantage. This 2025 edition of the State of Software Security (SoSS) report is our 15th volume. That makes it a bit more special than the norm and creates an opportunity to highlight a few long-term trends before we dive into the latest facts and figures.

State of Software Security in 2025

At this point, everyone even remotely associated with software security is familiar with phrases like “We need to shift left” and “Secure your supply chain.” Those are worthy aspirations to be sure, but what, exactly, do they entail, and where are we along the road to getting there?

In a nutshell, shifting left and securing software supply chains involves finding and fixing security flaws before they get rolled into production applications that place organizations at risk. That process of finding and fixi