Get Out of Security Debt by Tackling the Exposure Problem
Dark Reading
Teams digging out of security debt need to answer only two simple questions: Which vulnerabilities in our systems are exposed, and how long should they stay that way?
Chris Wysopal, Founder and Chief Security Evangelist, Veracode
June 18, 2026
4 Min Read
OPINION
Security teams already know they have too many vulnerabilities. What they often underestimate is how much of that risk remains exposed.
Right now, 82% of organizations carry security debt. These are vulnerabilities that have been open for more than a year. At the same time, flaws that are both severe and likely to be exploited are increasing.
That combination is what turns a backlog into real risk. Vulnerabilities are not just being discovered. They are persisting in production systems long enough to be found and used.
Most teams already know they can't fix everything. They've known that for years. What's changed is how quickly exposure turns into impact. Attackers move faster, exploit techniques are easier to access, and the window between discovery and exploitation continues to shrink.
If you are still managing security debt as a backlog problem, you are measuring activity, not risk.
The question that matters now is simple. Which vulnerabilities are exposed, and how long do they stay that way?
Start with what matters
The first step is narrowing the scope.
Every organization has a small number of applications that carry most of the risk. These are systems tied to revenue, sensitive data, or external access — the "crown jewels" of an organization. These are also the systems attackers are most likely to target.
Instead of spreading effort across the entire backlog, start with these critical applications. Then go a level deeper. Identify the highly or very highly critical vulnerabilities that are likely or very likely to be exploited. In our research, we found that 11.3% of flaws exist in this high-risk region.
This approach does not reduce the backlog overnight. It reduces real risk.
Change how you prioritize
Severity scores still matter, but they are not enough on their own.
Attackers do not prioritize based on severity rankings. They look for what is accessible, easy to exploit, and connected to something valuable. A medium-severity vulnerability in a public-facing application can present more immediate risk than a high-severity issue in an internal system.
We are also seeing more vulnerabilities cluster in the high-risk category. These are flaws that combine high severity with high exploitability. They are the ones most likely to be used in real-world attacks, and they are increasing as a share of overall findings.
Effective prioritization needs to reflect that reality. Teams should be asking a few key questions. Is the vulnerability reachable in production? Is the application exposed or business-critical? Are there known exploits or active attack patterns? We have found that developers, left to themselves, will not prioritize this way.
You do not need to rebuild your entire prioritization model, but you do need to ensure the vulnerabilities most likely to be used against you are addressed first.
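The prioritization questions above (reachable in production, exposed or business-critical, known exploits or active attack patterns) can be turned into a repeatable ranking. The following is an added illustration, not Veracode's scoring model or any code from the article: the weights, the field names and the five sample findings are constructed assumptions. It shows the article's point that a medium-severity flaw in a public-facing, business-critical application can outrank a high-severity flaw in an internal system, and it flags the "high-risk region" (high or very high severity combined with likely or very likely exploitation).

```python
"""Rank vulnerability findings by exposure, not by severity alone.

Added example; the scoring weights are assumptions for illustration,
not a published model. Sample findings are constructed.
"""
from dataclasses import dataclass

SEVERITY_RANK = {"low": 1, "medium": 2, "high": 3, "very_high": 4}
LIKELIHOOD_RANK = {"unlikely": 1, "possible": 2, "likely": 3, "very_likely": 4}


@dataclass(frozen=True)
class Finding:
    id: str
    app: str
    severity: str            # low / medium / high / very_high
    exploit_likelihood: str  # unlikely / possible / likely / very_likely
    reachable_in_prod: bool  # is the vulnerable code reachable in production?
    internet_exposed: bool   # is the application externally accessible?
    business_critical: bool  # tied to revenue, sensitive data, or external access
    known_exploit: bool      # public exploit or active attack pattern observed


def in_high_risk_region(f: Finding) -> bool:
    """High/very high severity AND likely/very likely exploitation."""
    return (SEVERITY_RANK[f.severity] >= 3
            and LIKELIHOOD_RANK[f.exploit_likelihood] >= 3)


def risk_score(f: Finding) -> float:
    """Severity x likelihood, scaled by context an attacker actually cares about."""
    if not f.reachable_in_prod:
        return 0.0  # unreachable code is not exposed; park it, do not delete it
    base = SEVERITY_RANK[f.severity] * LIKELIHOOD_RANK[f.exploit_likelihood]  # 1..16
    multiplier = 1.0
    if f.internet_exposed:
        multiplier *= 2.0   # assumed weight: accessible from the outside
    if f.business_critical:
        multiplier *= 1.5   # assumed weight: connected to something valuable
    if f.known_exploit:
        multiplier *= 2.0   # assumed weight: already being used in the wild
    return base * multiplier


def prioritize(findings):
    """Highest exposure first; ties broken by id for a stable order."""
    return sorted(findings, key=lambda f: (-risk_score(f), f.id))


def high_risk_share(findings) -> float:
    """Fraction of findings sitting in the high-risk region."""
    if not findings:
        return 0.0
    return sum(in_high_risk_region(f) for f in findings) / len(findings)


# Constructed sample backlog.
FINDINGS = [
    Finding("A", "ledger-internal", "high", "possible", True, False, False, False),
    Finding("B", "customer-portal", "medium", "likely", True, True, True, True),
    Finding("C", "payments-api", "very_high", "very_likely", True, False, True, False),
    Finding("D", "batch-report", "high", "likely", False, False, False, False),
    Finding("E", "marketing-site", "low", "unlikely", True, True, False, False),
]

if __name__ == "__main__":
    for f in prioritize(FINDINGS):
        flag = " [high-risk region]" if in_high_risk_region(f) else ""
        print(f"{f.id} {f.app:<16} score={risk_score(f):5.1f}{flag}")
    print(f"high-risk share: {high_risk_share(FINDINGS):.0%}")
```

Finding B (medium severity, public-facing, business-critical, known exploit) lands at the top, ahead of the very-high-severity C on an internal system, while D is parked because its code is not reachable in production. Note that D still counts toward the high-risk share: the region is defined by severity and exploitability alone, so the "reachable" question is what decides which of those findings are actually exposed.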
Treat remediation as a capacity problem
Fix capacity is one of the biggest constraints in application risk management today.
Most organizations are finding vulnerabilities faster than they can remediate them. That gap is what drives the steady growth of security debt.
If remediation is treated as something that happens when developers have extra time, it will always fall behind.
Teams that make progress treat remediation as a resourced function. They allocate dedicated engineering time to security work, define expectations for how quickly high-risk vulnerabilities need to be addressed, and track whether incoming findings are outpacing their ability to fix them. They integrate fixes into the SDLC as part of a continuous remediation process.
In some cases, this requires trade-offs. Slowing feature delivery to reduce exposure is not an easy decision, but it is often necessary to bring risk back under control.
Get control of third-party risk
Sixty-six percent of security debt in third-party code is critical, making it one of the most persistent sources of long-lived exposure.
A significant share of critical security debt comes from dependencies, which tend to take longer to remediate. Our research found that the remediation half-life for third-party flaws is 358 days.
The reasons are familiar: transitive dependencies are complex; upgrades can break functionality; ownership is often unclear. The result is consistent — these issues stay open longer and expand your exposure window.
Reducing that risk requires discipline. Keep dependencies current, especially in high-risk applications. Maintain visibility into where vulnerable components are used. Prioritize fixes based on reachability and impact, not just version numbers or severity scores.
If you are not actively managing this layer, it will quietly dominate your risk.
Measure exposure, not just backlog
Most security programs still rely on metrics that do not reflect actual risk.
Counting vulnerabilities does not tell you whether you are safer. Tracking how many issues were closed in a given period does not answer that question either. These are activity metrics.
A more useful measure is exposure time. This is how long a critical, exploitable vulnerability exists before it is fixed or mitigated.
This is the window attackers operate in. The longer it stays open, the higher the chance it is exploited.
If you measure and manage that window, you get a much clearer view of whether your program is reducing risk.
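The metrics this article argues for (exposure time of critical exploitable flaws, security debt as findings open for more than a year, the remediation half-life mentioned for third-party code, and whether incoming findings outpace fixes) can be computed from the open and close dates a scanner or tracker already holds. The following is an added example, not code from the article or from Veracode; the six findings and their dates are constructed, and the half-life is estimated with a standard Kaplan-Meier product-limit calculation, which is an assumption about method since the article does not say how its figure was derived. Findings that are still open are treated as right-censored at their current age rather than ignored, which is the edge case that makes a naive "median days to close" misleading.

```python
"""Exposure-time metrics over a constructed set of findings.

Added example, not from the article or Veracode. Dates and flags are
constructed; "critical" stands for high/very high severity and
"exploitable" for likely/very likely exploitation. The half-life uses a
Kaplan-Meier estimate (an assumption about method), so still-open
findings count as censored observations instead of being dropped.
"""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional

DEBT_THRESHOLD_DAYS = 365  # security debt: open for more than a year


@dataclass(frozen=True)
class Finding:
    id: str
    opened: date
    closed: Optional[date]  # None while still open
    critical: bool          # high / very high severity
    exploitable: bool       # likely / very likely to be exploited
    third_party: bool       # lives in a dependency rather than first-party code


AS_OF = date(2026, 6, 18)  # constructed "today" for the sample

FINDINGS = [  # constructed sample
    Finding("F1", date(2025, 1, 10), date(2025, 2, 9), True, True, False),
    Finding("F2", date(2024, 3, 1), None, True, True, True),
    Finding("F3", date(2026, 4, 20), None, False, True, False),
    Finding("F4", date(2025, 6, 1), date(2025, 12, 1), False, False, True),
    Finding("F5", date(2025, 5, 1), None, True, True, True),
    Finding("F6", date(2026, 5, 15), date(2026, 6, 5), True, True, False),
]


def exposure_days(f: Finding, as_of: date = AS_OF) -> int:
    """Days the flaw was (or has been) open: the window an attacker operates in."""
    end = f.closed if f.closed is not None else as_of
    return (end - f.opened).days


def security_debt(findings, as_of: date = AS_OF):
    """Still-open findings older than the debt threshold."""
    return [f for f in findings
            if f.closed is None and exposure_days(f, as_of) > DEBT_THRESHOLD_DAYS]


def critical_exposure(findings, as_of: date = AS_OF) -> dict:
    """Exposure window of critical, exploitable flaws, open or closed."""
    days = [exposure_days(f, as_of) for f in findings if f.critical and f.exploitable]
    return {
        "count": len(days),
        "mean_days": sum(days) / len(days) if days else 0.0,
        "max_days": max(days, default=0),
    }


def fix_gap(findings, as_of: date = AS_OF, window_days: int = 90) -> dict:
    """Are new findings outpacing fixes in the recent window?"""
    start = as_of - timedelta(days=window_days)
    opened = sum(1 for f in findings if f.opened > start)
    closed = sum(1 for f in findings if f.closed is not None and f.closed > start)
    return {"opened": opened, "closed": closed, "net": opened - closed}


def remediation_half_life(findings, as_of: date = AS_OF) -> Optional[int]:
    """Age (days) at which the estimated fraction still open drops to 50%.

    Kaplan-Meier: walk ages in order; at each age where fixes happened,
    multiply survival by (1 - fixed_here / still_at_risk). Open findings
    leave the at-risk set at their current age without counting as a fix.
    Returns None when fewer than half are estimated fixed at any observed age.
    """
    records = sorted((exposure_days(f, as_of), f.closed is not None) for f in findings)
    at_risk = len(records)
    survival = 1.0
    i = 0
    while i < len(records):
        age = records[i][0]
        j = i
        fixed_here = 0
        while j < len(records) and records[j][0] == age:
            fixed_here += records[j][1]
            j += 1
        if fixed_here:
            survival *= 1 - fixed_here / at_risk
            if survival <= 0.5:
                return age
        at_risk -= j - i
        i = j
    return None


if __name__ == "__main__":
    print("security debt:", [f.id for f in security_debt(FINDINGS)])
    print("critical exposure:", critical_exposure(FINDINGS))
    print("90-day fix gap:", fix_gap(FINDINGS))
    print("half-life, all:", remediation_half_life(FINDINGS))
    print("half-life, third-party:",
          remediation_half_life([f for f in FINDINGS if f.third_party]))
```

On the sample, two findings (F2 and F5) are security debt, the critical exploitable window peaks at 839 days, two findings were opened in the last 90 days against one closed, and the overall half-life is 183 days. For the third-party subset the function returns None: only one of three has been fixed, so the data cannot support a half-life claim at all, which is exactly the situation a backlog count would hide.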
Focus on reducing the window
Security debt is not going away. There have always been more vulnerabilities than teams can fix, and that will continue. What can change is how long the most dangerous ones remain exposed. That is the shift security leaders need to make. Do not focus on eliminating the backlog. Focus on shrinking the window in which critical vulnerabilities are available to attackers. Breaches happen because the wrong vulnerability was exposed for too long.
About the Author
Chris Wysopal
Founder and Chief Security Evangelist, Veracode
Chris Wysopal is the Chief Security Evangelist at Veracode, responsible for enhancing the company’s industry presence, advocating robust security practices, and fostering customer and peer relationships. Prior to co-founding Veracode in 2006, Chris was vice president of research and development at security consultancy @stake, which was acquired by Symantec. In the 1990s, Chris was one of the original vulnerability researchers at The L0pht, a hacker think tank, where he was one of the first to publicize the risks of insecure software. He has testified to the US Congress on the subjects of government security and how vulnerabilities are discovered in software.