2025 DevSecOps Predictions - Part 2
January 07, 2025

As part of DEVOPSdigest's annual list of DevOps predictions, DevSecOps experts — from analysts and consultants to the top vendors — offer thoughtful, insightful, and often controversial predictions on how DevSecOps and related risks and tools will evolve in 2025. Part 2 covers application security risks.

THREAT ENVIRONMENT EXPANDS AND EVOLVES IN 2025

Expect the threat environment across all technology areas and sectors (particularly critical infrastructure) to continue to evolve and expand heading into 2025, as adversaries adapt to the changing geopolitical landscape and the new US administration.
Erik Johnson
Senior Research Analyst, Cloud Security Alliance

SOFTWARE SUPPLY CHAIN ATTACKS

Supply Chain Attacks Take Center Stage: Supply chain attacks will dominate 2025's threat landscape, taking precedence over purely geopolitical attacks. Vulnerabilities like those seen in Log4j will resurface, emphasizing the interconnectedness and fragility of global systems and highlighting the need for comprehensive, real-time defense strategies. Given Verizon's 2024 DBIR findings that 15% of breaches involved a third party or supplier — in conjunction with the growth of software supply chain reliance — we expect these breaches to surpass 25% of all breaches in 2025.
Crystal Morin
Cybersecurity Strategist, Sysdig

Supply Chain Attacks Will Scale and Accelerate: In the coming year, attackers will increasingly turn to software supply chain attacks as a highly scalable method for compromising multiple organizations simultaneously. Rather than targeting individual companies, attackers will go after shared software components, allowing them to capture sensitive data across dozens, even thousands, of businesses in one go. This approach offers high impact and efficiency for attackers, leaving many organizations unprepared to respond. As we see this tactic grow, companies must prioritize securing their software supply chains, understanding that this broad approach by attackers will present heightened and persistent threats.
Randall Degges
Head of Developer & Security Relations, Snyk

In 2025, I believe supply chain attacks will likely continue to increase, focusing on vulnerabilities not only in open source dependencies and SaaS platforms, but I also believe there will be a growing trend of attackers targeting CI/CD pipelines to compromise the software delivery process of organizations with valuable downstream customers. I also believe we'll see an increase of attacks similar to the XZ backdoor with sophisticated attackers going after popular but under-supported open source projects in order to compromise those projects.
Joe Nicastro
Field CTO, Legit Security

THIRD-PARTY SOFTWARE RISK

In 2025, the security risks posed by external partners will contribute to an increase in software supply chain attacks. Organizations today heavily rely on third parties to conduct day-to-day activities, especially for business-critical applications. The modern software ecosystem contains code, libraries, plugins, and other components from third parties to develop and run software. On average, most companies work with 11 third parties. Of those 11 third parties, 98% have experienced a breach. Lineaje research found that an average of 250 components with unknown origins lurk within every application, creating significant points of exposure for the software supply chain — sometimes even years later. To change the narrative in 2025 and beyond, organizations must have an effective third-party risk management plan. Doing so will enable organizations to promptly identify and reduce any risks resulting from vendor partnerships. Specifically, businesses need to be able to proactively detect and address risks in the software supply chain and use solutions that provide frequent security audits, assessments, and ongoing third-party software monitoring.
Nick Mistry
SVP, CISO, Lineaje

In 2025, third-party software security will continue and likely increase as a source of risk for even the most advanced enterprise, IT, DevOps, and security teams. The recent news of the MOVEit vulnerability exploitation impacting Amazon reinforces this. Additionally, we are seeing countries like North Korea leveraging third-party software components to execute supply chain attacks, as they did by injecting malware into Flutter-based macOS apps. The combination of increased software vulnerabilities and software supply chain targeting creates a ticking time bomb for teams while exacerbating gaps in software inventory and an understanding of software dependencies. Moving forward, regardless of their size or technical prowess, organizations will face unprecedented challenges in managing these risks. Without proactive and comprehensive risk management over their third-party software, organizations are likely to be overwhelmed reacting to an overwhelming amount of vulnerabilities and new attack vectors.
Joe Silva
CEO, Spektion

OPEN SOURCE RISK

Expanding Threat of OSS Supply Chain Attacks: Open source software (OSS) supply chain attacks will continue to expand. Reports show that supply chain attacks have risen significantly over the last several years. Open source developers and consumers will need to be more diligent in vetting the OSS components they use. The OpenSSF provides resources like the SIREN mailing list to warn of emerging exploits, OSV to track malicious packages alongside vulnerability data, and tools like Scorecard and GUAC to enhance visibility into dependencies.
Christopher Robinson
Chief Security Architect, OpenSSF
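
A practical illustration of the OSV data the entry above refers to, as an added Go example that is not OpenSSF code and not part of any OSV client: it loads two constructed advisories (hypothetical IDs EXAMPLE-2025-0001 and MAL-EXAMPLE-0002 against hypothetical npm packages) and applies the OSV "affected" semantics, an ordered list of introduced/fixed events, to a resolved dependency version. The simplified numeric version comparison is an assumption made to keep the example self-contained; a real scanner needs each ecosystem's own version rules.

```go
package main

import (
	"encoding/json"
	"strconv"
	"strings"
)

// Subset of the OSV schema (https://ossf.github.io/osv-schema/) needed to decide
// whether an installed version is affected. encoding/json matches keys
// case-insensitively, so only fields whose JSON names differ carry tags.
type osvEvent struct {
	Introduced string `json:"introduced,omitempty"`
	Fixed      string `json:"fixed,omitempty"`
}
type osvAffected struct {
	Package struct{ Ecosystem, Name string }
	Ranges  []struct {
		Type   string
		Events []osvEvent
	}
	Versions []string
}
type osvAdvisory struct {
	ID       string
	Affected []osvAffected
}

// compareVersions orders dotted numeric versions ("2.9.1" < "2.17.1") and
// returns <0, 0 or >0. Pre-release suffixes are dropped and missing components
// count as zero (an assumption; real ecosystems have richer version rules).
func compareVersions(a, b string) int {
	pa := strings.Split(strings.SplitN(a, "-", 2)[0], ".")
	pb := strings.Split(strings.SplitN(b, "-", 2)[0], ".")
	for i := 0; i < len(pa) || i < len(pb); i++ {
		var x, y int
		if i < len(pa) {
			x, _ = strconv.Atoi(pa[i])
		}
		if i < len(pb) {
			y, _ = strconv.Atoi(pb[i])
		}
		if x != y {
			return x - y
		}
	}
	return 0
}

// inRange applies OSV event semantics: events are sorted ascending, an
// "introduced" event opens an affected window and a "fixed" event closes it,
// so the state after the last event at or below the version is the answer.
func inRange(version string, events []osvEvent) bool {
	affected := false
	for _, ev := range events {
		if ev.Introduced != "" && compareVersions(version, ev.Introduced) >= 0 {
			affected = true
		}
		if ev.Fixed != "" && compareVersions(version, ev.Fixed) >= 0 {
			affected = false
		}
	}
	return affected
}

// advisoriesFor returns the IDs of advisories whose affected entries cover the
// given package version, via an exact "versions" list or an event range.
// GIT ranges hold commit hashes, not versions, and are skipped here.
func advisoriesFor(ecosystem, name, version string, advisories []osvAdvisory) []string {
	var ids []string
	for _, adv := range advisories {
		for _, aff := range adv.Affected {
			if aff.Package.Ecosystem != ecosystem || aff.Package.Name != name {
				continue
			}
			matched := false
			for _, v := range aff.Versions {
				matched = matched || v == version
			}
			for _, r := range aff.Ranges {
				matched = matched || (r.Type != "GIT" && inRange(version, r.Events))
			}
			if matched {
				ids = append(ids, adv.ID)
				break // one hit per advisory is enough
			}
		}
	}
	return ids
}

func loadAdvisories(data string) ([]osvAdvisory, error) {
	var advs []osvAdvisory
	err := json.Unmarshal([]byte(data), &advs)
	return advs, err
}

// Constructed advisories with hypothetical IDs and package names; the second is
// shaped like an OSV malicious-package (MAL-*) record, listing exact bad versions.
const advisoriesJSON = `[
 {"id": "EXAMPLE-2025-0001", "affected": [{"package": {"ecosystem": "npm", "name": "example-http-parser"},
   "ranges": [{"type": "SEMVER", "events": [{"introduced": "0"}, {"fixed": "4.2.1"}]}]}]},
 {"id": "MAL-EXAMPLE-0002", "affected": [{"package": {"ecosystem": "npm", "name": "example-utils"},
   "versions": ["1.0.3"]}]}
]`
```

Matching on the event list rather than on a flat "version < fixed" test matters: OSV records routinely carry a fixed event followed by a second introduced event when a fix regresses, and the naive check reports such versions as clean.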

The Exploitation of Open-source Vulnerabilities Will Increase as Attackers Target Widely Used but Poorly Maintained Components: In 2025, attackers will target and exploit open-source vulnerabilities more than ever before. This is concerning as it highlights a key weakness in modern software ecosystems. Open-source components are widely used because of their accessibility and cost-effectiveness, but this also makes them prime targets for bad actors. Meanwhile, companies struggle to keep up with the necessary pace of patching and remediation. In turn, this creates a growing security gap where vulnerabilities persist longer than they should, adding to security debt and putting organizations at risk. To mitigate this, businesses must not only invest in proactive security measures but also collaborate more closely with open-source communities to identify and resolve issues faster. If this trend continues, the challenge of securing open-source software will only intensify, requiring a more robust approach to vulnerability management.
Sohail Iqbal
Chief Information Security Officer, Veracode

SECURITY POSTURE MANAGEMENT SILOS BREAK DOWN

The silos between security posture management sectors will break down and converge in 2025. Organizations will be concerned with their overall business risk and security posture and not a subset and/or initial vulnerability source. Application Security Posture Management (ASPM) will increasingly merge with Cloud Security Posture Management (CSPM), SaaS Security Posture Management (SSPM) and Risk-Based Vulnerability Management (RBVM), creating a more unified approach to security. This push for integrated solutions will help security teams manage business risks more effectively and stay ahead of evolving threats no matter where they come from or what domain is at risk.
Karthik Swarnam
Chief Security and Trust Officer, ArmorCode

API SECURITY RISK

Digital Transformation Fuels API Adoption — Stay Ahead of Data Leakage & API Abuse: As organizations adopt modern application development as a means of digital transformation, the volume of application programming interfaces (APIs) will continue to multiply. Last year, API traffic constituted over 71% of web traffic, according to the State of API Security in 2024 Report from Imperva Threat Research. In 2025, API traffic will undoubtedly increase, becoming a greater threat to an organization's sensitive data, and thus, pushing for a greater need for API observability.

Determined threat actors will look to target APIs as the pathway to access the underlying infrastructure and database. Organizations will only have a chance to stay agile by providing continuous visibility, categorization, and monitoring of data that flows through APIs. Protecting APIs will become a direct extension of a business's strategy to mitigate the risk of data breaches and data leakage. By uncovering hidden APIs, software developers and security administrators can gain more accurate insight into how to address potential security issues. Plus, as 2025 will likely bring more national cybersecurity guidelines, enabling API governance will ensure that business leaders in highly regulated industries have a sustainable model that stops potential data breaches.
Lebin Cheng
VP, API Security, Imperva, a Thales company
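
One way to do the hidden-API discovery the entry above calls for, as an added Go example that is not Imperva's tooling: compare what the documented OpenAPI paths say exists against what the access logs say is actually being served. The endpoint templates and log lines are constructed for the example. The status-code filter is a deliberate choice so that scanner probes for paths that return 404 are not reported as undocumented APIs.

```go
package main

import (
	"bufio"
	"fmt"
	"regexp"
	"sort"
	"strconv"
	"strings"
)

// Documented endpoints as "METHOD /path/template", the information an
// OpenAPI "paths" section carries. Constructed for this example.
var documentedEndpoints = []string{
	"GET /api/v1/users/{id}",
	"POST /api/v1/orders",
	"GET /api/v1/orders/{id}",
}

// Constructed access-log lines in combined log format. The last line is a
// scanner probe for a path that does not exist; its 404 must not produce a
// hidden-API finding.
const sampleAccessLog = `10.0.0.5 - - [07/Jan/2025:10:01:02 +0000] "GET /api/v1/users/42 HTTP/1.1" 200 512 "-" "curl/8.4.0"
10.0.0.5 - - [07/Jan/2025:10:01:03 +0000] "GET /api/v1/users/43 HTTP/1.1" 200 498 "-" "curl/8.4.0"
10.0.0.9 - - [07/Jan/2025:10:01:05 +0000] "POST /api/v1/orders HTTP/1.1" 201 88 "-" "python-requests/2.32"
10.0.0.9 - - [07/Jan/2025:10:01:07 +0000] "GET /api/v1/orders/7/export?format=csv HTTP/1.1" 200 20480 "-" "python-requests/2.32"
10.0.0.9 - - [07/Jan/2025:10:01:09 +0000] "GET /api/internal/debug/config HTTP/1.1" 200 2048 "-" "python-requests/2.32"
10.0.0.12 - - [07/Jan/2025:10:02:11 +0000] "DELETE /api/v1/users/42 HTTP/1.1" 204 0 "-" "Mozilla/5.0"
198.51.100.7 - - [07/Jan/2025:10:03:00 +0000] "GET /wp-login.php HTTP/1.1" 404 153 "-" "Mozilla/5.0"
`

// requestLine extracts method, path (query string dropped) and status code.
var requestLine = regexp.MustCompile(`"([A-Z]+) ([^ ?"]+)[^"]*" (\d{3})`)

// numericSegment finds path segments that are purely numeric, e.g. "/42".
var numericSegment = regexp.MustCompile(`/\d+(/|$)`)

// matchesTemplate reports whether a concrete path fits a template, with each
// {param} segment standing for exactly one path segment.
func matchesTemplate(template, path string) bool {
	ts := strings.Split(strings.Trim(template, "/"), "/")
	ps := strings.Split(strings.Trim(path, "/"), "/")
	if len(ts) != len(ps) {
		return false
	}
	for i := range ts {
		isParam := strings.HasPrefix(ts[i], "{") && strings.HasSuffix(ts[i], "}")
		if !isParam && ts[i] != ps[i] {
			return false
		}
	}
	return true
}

// isDocumented reports whether some documented endpoint explains the request.
func isDocumented(method, path string, documented []string) bool {
	for _, d := range documented {
		parts := strings.SplitN(d, " ", 2)
		if len(parts) == 2 && parts[0] == method && matchesTemplate(parts[1], path) {
			return true
		}
	}
	return false
}

// collapseIDs rewrites numeric segments to {id} so /users/42 and /users/43
// aggregate into one shadow-endpoint row.
func collapseIDs(path string) string {
	return numericSegment.ReplaceAllString(path, "/{id}$1")
}

// shadowEndpoints parses the log and returns request counts for live
// endpoints (status < 400) that no documented endpoint explains, plus the
// number of requests the spec did explain.
func shadowEndpoints(accessLog string, documented []string) (map[string]int, int) {
	shadow := map[string]int{}
	matched := 0
	sc := bufio.NewScanner(strings.NewReader(accessLog))
	for sc.Scan() {
		m := requestLine.FindStringSubmatch(sc.Text())
		if m == nil {
			continue
		}
		method, path := m[1], m[2]
		status, _ := strconv.Atoi(m[3])
		switch {
		case status >= 400:
			// Probes for non-existent paths are noise, not hidden APIs.
		case isDocumented(method, path, documented):
			matched++
		default:
			shadow[method+" "+collapseIDs(path)]++
		}
	}
	return shadow, matched
}

func main() {
	shadow, matched := shadowEndpoints(sampleAccessLog, documentedEndpoints)
	fmt.Printf("%d requests explained by the spec; undocumented live endpoints:\n", matched)
	keys := make([]string, 0, len(shadow))
	for k := range shadow {
		keys = append(keys, k)
	}
	sort.Strings(keys)
	for _, k := range keys {
		fmt.Printf("  %-40s %d\n", k, shadow[k])
	}
}
```

On the constructed input this surfaces an undocumented export route, an internal debug endpoint and a DELETE method on a documented resource that the spec never declared; each is exactly the kind of finding that needs an owner before a regulator or an attacker finds it first.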

API Boom Will Yield Transition to DevSecOps Teams: As we head into 2025, we'll be four years into application programming interfaces (APIs) taking over the world. As it stands, the Economic Impact of API and Bot Attacks study from the Imperva Threat Research Team found that the average enterprise managed 613 API endpoints last year. APIs enable seamless integration and user experience, but consequently, attract hacker interest as these endpoints provide direct access to sensitive data. On average, API-related security issues cost organizations $25-87 billion annually. This massive loss begs the question: are IT security teams and DevOps teams ready to work together to balance the speed of business development with security?

As more organizations continue to adopt APIs in 2025, these increasing risks will force their hand in strengthening security posture at the point of development so that they can provide widespread protection of their software. Though it's not easy, we will continue to see the transition to DevSecOps teams to ensure that security is effectively built into product development from the start. With these transitions, organizations will adopt automated solutions such as runtime application self-protection to increase security without adding overhead to development processes.
Moshe Lipsker
VP of Global Product Development, Imperva, a Thales company

CONVERGENCE OF DEVOPS AND API SECURITY

In 2025, we expect a notable convergence between DevOps and API security. This shift will be driven by the growing need to balance rapid development cycles with solid protection measures. We predict an increase in the adoption of API posture governance solutions that will integrate seamlessly into DevSecOps pipelines. These solutions will enable continuous security assessments and enforcement throughout the entire API lifecycle. As a result, developers will be empowered to proactively identify and address vulnerabilities and misconfigurations. This approach will shift security further left in the development process, ultimately creating a more secure foundation for API-driven innovation.
Eric Schwake
Director of Cybersecurity Strategy, Salt Security

EXPIRED AND SELF-SIGNED CERTIFICATES

Heightened Security Risks from Expired and Self-Signed Certificates: With DevOps pushing for more speed and agility, the persistence of expired and self-signed certificates in applications, workloads and cloud services will continue to be a top vulnerability. Organizations will be under pressure to eliminate self-signed certificates in favor of those issued by trusted and approved Certificate Authorities (CAs). Additionally, there will be a strong push for real-time monitoring and alerting mechanisms to mitigate risks associated with rogue CAs, misconfigurations and certificate expirations.
Christian Simko
VP of Product Marketing, AppViewX
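
A minimal version of the monitoring check the entry above describes, as an added Go example using only the standard library (not AppViewX code): it generates constructed certificates of each kind, then flags expiry, upcoming expiry and self-signing. The self-signed test verifies the signature under the certificate's own key rather than trusting Issuer == Subject, because a cross-signed root has matching names but a different signer. The 30-day warning window and the inventory names are assumptions.

```go
package main

import (
	"bytes"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"math/big"
	"strings"
	"time"
)

// Finding codes a certificate monitor would alert on.
const (
	findingExpired      = "EXPIRED"
	findingExpiringSoon = "EXPIRES_WITHIN_30D"
	findingSelfSigned   = "SELF_SIGNED"
)

// isSelfSigned: Issuer == Subject and the signature verifies under the
// certificate's own public key (name equality alone also matches cross-signed roots).
func isSelfSigned(c *x509.Certificate) bool {
	if !bytes.Equal(c.RawIssuer, c.RawSubject) {
		return false
	}
	return c.CheckSignature(c.SignatureAlgorithm, c.RawTBSCertificate, c.Signature) == nil
}

// inspectCertificate evaluates validity at now (passed in so results are
// reproducible) and returns the findings to raise for this certificate.
func inspectCertificate(c *x509.Certificate, now time.Time) []string {
	var findings []string
	switch {
	case now.After(c.NotAfter):
		findings = append(findings, findingExpired)
	case c.NotAfter.Sub(now) < 30*24*time.Hour: // warning window is an assumption
		findings = append(findings, findingExpiringSoon)
	}
	if isSelfSigned(c) {
		findings = append(findings, findingSelfSigned)
	}
	return findings
}

// newCert issues a certificate for cn. With parent == nil it signs itself;
// otherwise parent/parentKey are the issuing CA. Constructed test material.
func newCert(cn string, notBefore, notAfter time.Time, isCA bool,
	parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(time.Now().UnixNano()),
		Subject:               pkix.Name{CommonName: cn},
		NotBefore:             notBefore,
		NotAfter:              notAfter,
		BasicConstraintsValid: true,
		IsCA:                  isCA,
	}
	signer := parentKey
	if parent == nil {
		parent, signer = tmpl, key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, signer)
	if err != nil {
		return nil, nil, err
	}
	cert, err := x509.ParseCertificate(der)
	return cert, key, err
}

// buildInventory creates the three kinds of certificate the text describes,
// inspects each at the same instant and returns comma-joined findings per name.
func buildInventory() (map[string]string, error) {
	now, day := time.Now(), 24*time.Hour
	ca, caKey, err := newCert("Example Internal CA", now.Add(-365*day), now.Add(3650*day), true, nil, nil)
	if err != nil {
		return nil, err
	}
	inventory := map[string]string{}
	for _, e := range []struct {
		name                string
		notBefore, notAfter time.Time
		parent              *x509.Certificate
		parentKey           *ecdsa.PrivateKey
	}{
		{"legacy.internal (self-signed, expired)", now.Add(-400 * day), now.Add(-35 * day), nil, nil},
		{"api.example.test (CA-issued, valid)", now.Add(-day), now.Add(365 * day), ca, caKey},
		{"dev-proxy (self-signed, expiring)", now.Add(-355 * day), now.Add(10 * day), nil, nil},
	} {
		cert, _, err := newCert(e.name, e.notBefore, e.notAfter, false, e.parent, e.parentKey)
		if err != nil {
			return nil, err
		}
		inventory[e.name] = strings.Join(inspectCertificate(cert, now), ",")
	}
	return inventory, nil
}
```

In production the same inspectCertificate check would run over certificates pulled from TLS listeners, secret stores and container images rather than generated ones; the CA-issued entry is the only one that produces no finding, which is the state the entry above says organizations will be pushed toward.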

Go to: 2025 DevSecOps Predictions - Part 3
