
28 application security stats that matter

AI and open source are redefining the software threat landscape. Here are the key statistics you need to know.


With AI coding and open-source ecosystem risks redefining the application security (AppSec) landscape, teams charged with AppSec are facing increasing challenges.

The data points compiled below highlight a software supply chain that is under sustained and escalating attack, open-source ecosystems that are increasingly weaponized by adversaries, and security debt that is accumulating faster than organizations can address it. 

The rapid and broad adoption of AI and agentic coding is adding to the problem by introducing new threats that existing tools are poorly equipped to handle.

Here are the 28 statistics that matter most to AppSec teams.


Supply chain attacks and third-party breaches

Compromises tied to software suppliers, dependencies, and ecosystems

70%: Share of respondents who experienced a material third-party breach last year

In a survey of cybersecurity leaders, a remarkable 5% said they had experienced 10 or more supply chain-related cybersecurity incidents.

Source: 2025 Supply Chain Security Threats, SecurityScorecard

28: Average number of organizations per month that experienced supply chain attacks

The figure for April through October 2025 was more than double the 13 attacks per month recorded between early 2024 and March 2025.

Source: Cyble

1,000: Total number of npm packages the Shai-hulud attack affected

With two separate attacks in 2025, this first known instance of a registry-native worm exposed developer secrets across an estimated 25,000 repositories.

Source: 2026 Software Supply Chain Security Report, ReversingLabs

Open-source software and dependency risk

Exposures created by vulnerable, outdated, or poorly maintained components

51%: Percentage of teams that said third-party vulnerabilities were their No. 1 risk

Concerns over software vulnerabilities ranked only below worries about data breaches and malware/ransomware attacks. Some 35% in this survey were concerned about their lack of visibility over their software vendors’ cybersecurity practices.

Source: 2025 Supply Chain Risk Survey, ISC2

35%: Proportion of respondents concerned about a lack of software visibility

Many organizations are relying on software suppliers without proper risk assessment and supplier evaluations, a recent survey found.

Source: 2025 Supply Chain Risk Survey, ISC2

87%: Share of audited codebases that contained at least one vulnerability

More than three-quarters (78%) of the codebases contained high-risk vulnerabilities, including critical flaws that enabled remote code execution and significant data compromises.

Source: 2026 Open Source Security and Risk Analysis, Black Duck

581: Average number of vulnerabilities in enterprise codebases

Increasing code complexity, component selection, and development speed drove a sharp increase in this number.

Source: 2026 Open Source Security and Risk Analysis, Black Duck

93%: Percentage of codebases with no development for the past two years

A startling 92% contained components that were at least four years out of date, making them vulnerable to compromise. A mere 7% contained the latest component versions.

Source: 2026 Open Source Security and Risk Analysis, Black Duck

87%: Share of teams with at least one vulnerability affecting 40% of their software

High vulnerability percentages were most prevalent in environments running Java, .NET, or Rust applications and services.

Source: State of DevSecOps, Datadog

Malicious packages and repository threats

Attacks targeting open-source package ecosystems

66%: Percentage of supply chain attacks involving malicious-by-design packages

In the remaining 34% of attacks, adversaries modified legitimate packages on public repositories to attack users.

Source: 2026 Open Source Security and Risk Analysis, Black Duck

73%: Year-over-year increase in malicious open-source packages

The biggest increase across public repos was on npm, where the number of malicious packages more than doubled, from 5,290 in 2024 to 10,819 last year. That number represented almost 90% of all open-source malware in 2025.

Source: 2026 Software Supply Chain Security Report, ReversingLabs

891: Number of Python malware samples detected on Python Package Index (PyPI) last year

That represented a 43% drop from the 1,575 samples detected on the repository in 2024. Malware detections on the NuGet .NET package repository dropped even more sharply, from 35 in 2024 to just 14 in 2025.

Source: 2026 Software Supply Chain Security Report, ReversingLabs

Vulnerability remediation and security debt

Backlogs of unresolved vulnerabilities and patching delays

82%: Share of organizations with security debt tied to unpatched vulnerabilities

Year over year, the percentage of companies that fell seriously behind on vulnerability remediation increased by 11%.

Source: 2026 State of Software Security, Veracode

48.5%: Percentage of enterprise applications with unresolved vulnerabilities more than a year old

That was up 17% from the 42% of apps saddled with security debt in 2024.

Source: 2026 State of Software Security, Veracode

358: Average number of days organizations took to fix half of their vulnerabilities

The complexities associated with remediating vulnerabilities in third-party code or components, combined with the nature of flaws in direct and transitive dependencies, continued to drive up the time organizations required to address them.

Source: 2026 State of Software Security, Veracode

Secure development and DevSecOps practices

How development workflows influence application security risk

51%: Percentage of organizations that have implemented DevSecOps to manage risk

Many organizations continue to lag with DevSecOps because of friction between development and security teams.

Source: The Future of Application Security in the Era of AI, Checkmarx

50%: Share of teams that deployed third-party software within a day of release

Twelve percent used public Amazon Machine Images and 32% used public Docker images within a day of release before vetting them, heightening the risk of installing malicious software.

Source: State of DevSecOps, Datadog

81%: Percentage of teams who said their developers knowingly ship vulnerable code

Instead of shifting security left, many development organizations, under pressure to deliver, have adopted patch-later models, despite the higher risk.

Source: The Future of Application Security in the Era of AI, Checkmarx

11%: The rise in exposed developer secrets, including hard-coded credentials, API keys, and encryption keys

Most of the leaks occurred on the open-source, public repositories npm and PyPI, which accounted for 95% of all leaked secrets last year.

Source: 2026 Software Supply Chain Security Report, ReversingLabs

AI-driven development and emerging AppSec risks

New risks introduced by AI coding tools and AI software components

34%: Percentage of respondents who said over 60% of their code is AI-generated

In a survey of over 1,500 application security stakeholders, this study found that AI is writing the code at a fast-growing number of companies, and that development teams are deploying that code with little regard for the vulnerabilities it may contain.

Source: The Future of Application Security in the Era of AI, Checkmarx

27.76%: Percentage of dependency upgrade recommendations made by LLMs that referenced non-existent versions

That means LLMs recommended more than 10,000 hallucinated packages.

Source: 2026 State of the Software Supply Chain Report, Sonatype

82.4%: Proportion of agentic AI tools that originate from third-party components

While 43% of models originated from an open-source environment, the dataset’s lineage was often missing or incomplete.

Source: 2026 State of Agentic AI Adoption, Snyk

49%: Percentage of teams that include unvetted ML models in their software

The trend with open-source models is quickly opening up a new attack surface that traditional application security tools cannot address.

Source: 2026 Open Source Security and Risk Analysis, Black Duck

Exploitation trends and vulnerability management

How vulnerabilities are exploited and how security tools struggle to manage risk

41.8%: Share of attack activity last year that involved vulnerability exploits

Attacks targeting software flaws surged in 2025 — and emerged as the leading tactic that adversaries used in intrusion activity.

Source: Radware Threat Report 2026, Radware

91.8%: Growth in automated application layer attacks (“bad bots”)

Attackers increasingly used automated programs for data theft, denial-of-service attacks, account takeovers, and other malicious activities last year.

Source: Radware Threat Report 2026, Radware

91%: Frequency with which findings flagged by SAST tools were false positives

The story was even worse when looking only at command injection issues in Python/Flask projects, with nearly 99.5% of flagged issues being false positives.

Source: Exorcising the SAST Demons, Ghost Security

65%: Proportion of new vulnerabilities that had no NVD-assigned severity scores in 2025

Security tools use these scores to quantify the potential impact and exploitability of a CVE so security teams can prioritize remediation. Without scores, the tools are useless.

Source: 2026 State of the Software Supply Chain Report, Sonatype

18%: Percentage of vulnerabilities that remain critical after exploitability analysis

Drop-offs were most dramatic for .NET dependency vulnerabilities (98% were downgraded in severity after exploitability context was added). At the other extreme, 49% of PHP dependency vulnerabilities remained critical.

Source: State of DevSecOps, Datadog
