Going from 32 to a 52 is still a failing grade, but it’s an improvement that at least one security evangelist believes deserves a proud place—if not on the refrigerator, at least in an application-security report.
Veracode, in its 2025 State of Software Security study, released on Feb. 27, found 52% of applications have passed a popular nonprofit’s “Top 10” checklist of common coding weaknesses—up from 32% five years ago.
Chris Wysopal, chief security evangelist and co-founder of Veracode, sees positive momentum and A-grade potential, however, thanks to better tools and increased prioritization of application security from leadership.
“It’s like your kid has been getting Fs forever, and now they’re sort of getting a C-minus,” Wysopal told IT Brew.
“This is showing that people are actually testing their applications, and they’re actually doing something with the results.”
What is OWASP? Founded in 2001, the nonprofit Open Worldwide Application Security Project (OWASP) has supported community-led standards to improve application security. One notable effort—the OWASP Top 10—collects contributors’ opinions regarding “the most critical security risks to web applications.”
Some consensus worst practices include a lack of encryption, or a lack of protections against “injection,” in which attacker-crafted input is interpreted as part of a database query or command instead of being treated as plain data.
The database-manipulating variant known as SQL injection has hung around in development life cycles for a long time, according to Wysopal, and software creators often don’t apply the quick fixes, such as parameterized queries (prepared statements), that stop it.
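To make the “quick fix” concrete, here is an added example (not code from the Veracode report or from IT Brew) that puts the vulnerable pattern beside the parameterized one. It uses Python’s standard-library sqlite3 module against an in-memory database; the user table, the stored password hashes, and the attacker inputs are all constructed for the example.

```python
import sqlite3

# Constructed sample data for this example; not from the Veracode report.
SAMPLE_USERS = [
    ("admin", "hash-of-admin-password"),
    ("alice", "hash-of-alice-password"),
]


def build_db() -> sqlite3.Connection:
    """In-memory SQLite database seeded with the constructed sample users."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, password_hash TEXT)"
    )
    conn.executemany(
        "INSERT INTO users (username, password_hash) VALUES (?, ?)", SAMPLE_USERS
    )
    conn.commit()
    return conn


def login_vulnerable(conn: sqlite3.Connection, username: str, password_hash: str) -> list[str]:
    """The weak pattern: user input is pasted into the SQL text.

    Whatever the caller typed is parsed as SQL, so a quote in the input
    closes the string literal and the rest of the input rewrites the WHERE clause.
    """
    sql = (
        "SELECT username FROM users "
        f"WHERE username = '{username}' AND password_hash = '{password_hash}'"
    )
    return [row[0] for row in conn.execute(sql)]


def login_parameterized(conn: sqlite3.Connection, username: str, password_hash: str) -> list[str]:
    """The quick fix: a parameterized query (prepared statement).

    The SQL text is fixed at development time; the driver passes the values
    separately, so they are only ever compared as data, never parsed as SQL.
    """
    sql = "SELECT username FROM users WHERE username = ? AND password_hash = ?"
    return [row[0] for row in conn.execute(sql, (username, password_hash))]


def demo() -> dict:
    """Run both versions against the same constructed payloads and return the rows found."""
    conn = build_db()
    # Constructed attacker inputs: '--' starts a SQL comment, which discards
    # the password check; 'OR 1=1' makes the WHERE clause true for every row.
    bypass_user = "admin' --"
    dump_user = "' OR 1=1 --"
    results = {
        "vuln_bypass": login_vulnerable(conn, bypass_user, "wrong"),
        "vuln_dump": login_vulnerable(conn, dump_user, "wrong"),
        "safe_bypass": login_parameterized(conn, bypass_user, "wrong"),
        "safe_dump": login_parameterized(conn, dump_user, "wrong"),
        "safe_legit": login_parameterized(conn, "alice", "hash-of-alice-password"),
    }
    conn.close()
    return results


if __name__ == "__main__":
    for name, rows in demo().items():
        print(f"{name:12} -> {rows}")
```

The vulnerable version logs the attacker in as admin with a wrong password and, with the second payload, returns every user; the parameterized version returns nothing for either payload and still returns the real row for a legitimate login. The fix is the same shape in every mainstream driver: keep the SQL text constant and hand values over as bound parameters.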
“People aren’t developers for 30 or 40 years. Typically, they do it for maybe 10 or 15 years. So, there’s always a new flow coming in, and those developers need to learn. That’s why these problems seem to stick around,” Wysopal said.
Gov story. Recent regulations have created an awareness that Wysopal sees as boosting the OWASP pass number from F-minus to F-plus.
The Biden administration’s executive order in 2021 and the EU’s Cyber Resilience Act, approved in 2024, enacted secure-development and vulnerability-handling guidelines for software vendors and suppliers.
And now, the bad news. Developers are fixing their code, but slowly, according to Veracode’s recent study.
In the last five years, the average number of days to fix flaws has increased 47%, from 171 days in 2020 to 252 days in 2025, Veracode found.
That increase, Wysopal believes, reflects “fragmented remediation” caused by siloed employee groups: a container team, for example, may be responsible only for container vulnerabilities, with other teams owning other layers of the same application.
Verizon’s annual Data Breach Investigations Report found a 180% increase in vulnerability exploitation as the critical path to initiate a breach. “As one might imagine, the main vector for those initial entry points was web applications,” the report read.
Open-source projects also often rely on dependency upgrades from another party, according to Wysopal.
“Things are running all over the place. It’s highly distributed,” Wysopal said.