As part of DEVOPSdigest's annual list of DevOps predictions, DevSecOps experts — from analysts and consultants to the top vendors — offer thoughtful, insightful, and often controversial predictions on how DevSecOps and related risks and tools will evolve in 2025. Part 4, the final installment of DevSecOps predictions, covers DevSecOps solutions.
SECURITY AS PERFORMANCE INDICATOR
Expectations for developers and the measures of their success will change. For example, security will soon be viewed as a more universal key performance indicator (KPI) that developers must be measured by. As developers grow into their new security-focused roles, they will be expected to work with AppSec teams on aligning with "security at speed" goals.
Pieter Danhieux
Co-Founder and CEO, Secure Code Warrior
REDUCED DEVSECOPS BUDGETS
Market pressures are forcing security teams to re-evaluate their DevSecOps security technologies, resulting in either a reduction in spend or the elimination of entire classes of security tooling altogether. A reduction in budget forces DevSecOps organizations to really evaluate whether they're getting measurable improvement from their vendors and the adoption of their products. Ultimately, I believe this to be positive for the DevSecOps industry — with a reduction in spending and resources, we must focus and prioritize our investments in areas that are delivering meaningful and measurable value to the business. This ultimately comes in the form of measurably reducing risk in a way that reduces, if not eliminates, friction with product engineering teams and their ability to deliver software and features, fast.
John Trest
Chief Learning Officer, VIPRE Security Group
FRAGMENTATION OF TOOLS
Fragmentation of tools will lead to a focus on correlation and prioritization: In 2025, we will continue to see an influx of new application security solution providers entering the market. The pendulum has swung back from enterprises looking for single-vendor tool platforms to best-of-breed tools that deliver more accurate results. However, this leads to an increase in siloed data and security debt, or backlog, which teams will struggle to address. There has already been a clear shift away from viewing security as a zero-sum game and towards a focus on business risk. Next year, the focus will be further refined to correlate data from across these disconnected tools and focus on the vulnerabilities at the top of the pyramid from a business impact perspective — and prioritize the reduction of technical debt in the areas that matter most.
Mark Lambert
Chief Product Officer, ArmorCode
SBOM
In 2025, Software Bills of Materials (SBOMs) will become a pivotal tool in securing the software supply chain. Government mandates will drive organizations to adopt SBOMs at scale, requiring them not only to generate these documents but also to make them actionable. While producing SBOMs in standard formats is now routine, the real challenge lies in translating raw data into meaningful, risk-based insights. To address this, DevSecOps practices will mature, leveraging tools like VEX (Vulnerability Exploitability Exchange) to add critical context to SBOMs, reducing inefficiencies in vendor-consumer communications. Simultaneously, procurement teams will revamp their processes to quickly interpret contextualized SBOMs, enabling informed decisions about software risks. As these capabilities evolve, SBOMs will transcend their role as compliance artifacts, becoming a vital mechanism for collaboration and a cornerstone of proactive supply chain security.
Dylan Thomas
Senior Director of Product Engineering, OpenText Cybersecurity
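The prediction above hinges on one concrete mechanism: a VEX document lets a supplier say, per component and per vulnerability, whether the consumer is actually affected, so that an SBOM correlated with a vulnerability feed shrinks to the findings that need action. The following Python is an added example written for this page, not code from OpenText or any VEX tooling. The SBOM fragment, vulnerability feed and VEX statements are constructed sample data (the vulnerability identifiers are placeholders, not real advisories), shaped after the CycloneDX component fields and a subset of the OpenVEX statement fields.

```python
"""Correlate a CycloneDX-style SBOM with a vulnerability feed and apply
OpenVEX-style statements so that only actionable findings remain.
All inputs below are constructed sample data, not real advisories."""
import json
from collections import Counter

# Constructed SBOM fragment using the CycloneDX component shape (name/version/purl).
SBOM = {
    "bomFormat": "CycloneDX",
    "components": [
        {"name": "libfoo", "version": "1.2.3", "purl": "pkg:npm/libfoo@1.2.3"},
        {"name": "libbar", "version": "4.0.0", "purl": "pkg:pypi/libbar@4.0.0"},
        {"name": "libbaz", "version": "0.9.1", "purl": "pkg:maven/org.example/libbaz@0.9.1"},
    ],
}

# Constructed vulnerability feed: purl -> list of (placeholder id, severity).
VULN_FEED = {
    "pkg:npm/libfoo@1.2.3": [("VULN-EXAMPLE-1", "high"), ("VULN-EXAMPLE-2", "low")],
    "pkg:pypi/libbar@4.0.0": [("VULN-EXAMPLE-3", "critical")],
}

# Constructed supplier VEX document (subset of OpenVEX statement fields).
VEX = {"statements": [
    {"vulnerability": {"name": "VULN-EXAMPLE-1"},
     "products": [{"@id": "pkg:npm/libfoo@1.2.3"}],
     "status": "not_affected",
     "justification": "vulnerable_code_not_in_execute_path"},
    {"vulnerability": {"name": "VULN-EXAMPLE-3"},
     "products": [{"@id": "pkg:pypi/libbar@4.0.0"}],
     "status": "affected",
     "action_statement": "upgrade to 4.0.1"},
]}

# Statuses that still require work on the consumer side.
ACTIONABLE = {"affected", "under_investigation", "unknown"}


def vex_index(vex):
    """Map (vulnerability id, purl) -> statement.
    A not_affected claim without a justification is ignored: it gives the
    consumer nothing to review, so it must not silence a finding."""
    idx = {}
    for st in vex.get("statements", []):
        if st["status"] == "not_affected" and not st.get("justification"):
            continue
        for product in st.get("products", []):
            idx[(st["vulnerability"]["name"], product["@id"])] = st
    return idx


def triage(sbom, feed, vex):
    """Join SBOM components with the feed and resolve each finding's status.
    'unknown' means the supplier issued no usable VEX statement for it."""
    idx = vex_index(vex)
    findings = []
    for comp in sbom["components"]:
        for vid, severity in feed.get(comp["purl"], []):
            st = idx.get((vid, comp["purl"])) or {}
            findings.append({
                "id": vid,
                "purl": comp["purl"],
                "severity": severity,
                "status": st.get("status", "unknown"),
                "note": st.get("justification") or st.get("action_statement", ""),
            })
    return findings


def actionable(findings):
    """Findings that remain on the backlog after VEX context is applied."""
    return [f for f in findings if f["status"] in ACTIONABLE]


def summary(findings):
    """Count of findings per resolved status, for reporting."""
    return dict(Counter(f["status"] for f in findings))


if __name__ == "__main__":
    fs = triage(SBOM, VULN_FEED, VEX)
    print(json.dumps(actionable(fs), indent=2))
    print(summary(fs))
```

Of the three raw findings, one is suppressed by a justified not_affected statement, one is confirmed affected with an upgrade action, and one has no statement at all and therefore stays on the backlog as unknown. Rejecting unjustified not_affected claims is the design choice that keeps the VEX document from becoming a blanket suppression list.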
SBOMs will become the norm: There is increasing concern with the vulnerabilities in software "agents," package architectures, code sharing, SDKs and software stacks. This came to light dramatically during the CrowdStrike release that took down thousands of servers and systems and in the recently discovered ServiceNow vulnerability. As Software Bills of Materials (SBOMs) become an available piece of machine-readable data, we will see an increase in automation for vulnerability assessments and reporting tools for compliance.
Justin Beals
CEO and Co-Founder, Strike Graph
END OF SBOM SHARING
While SBOMs are very useful to the people creating software, they are impossible for external recipients to make sense out of. For this reason, people are beginning to realize that SBOM sharing is actually ineffective. Therefore, in 2025, SBOM sharing will be past the peak of inflated expectations and instead be headed into a trough of disillusionment.
Larry Maccherone
Dev[Sec]Ops Transformation Architect, Contrast Security
SAST
After years of stagnation, 2025 will mark a turning point for SAST, shedding its outdated reputation as a mere compliance checkbox or issue dump. The focus will shift towards delivering real insights into application behavior, providing a true understanding of code flows and interdependencies. With these innovations, SAST will finally offer tangible value — empowering developers and security teams alike.
Yossi Pik
CTO and Co-Founder, Backslash Security
CONVERGENCE OF SCA AND SAST
In 2025, I believe that the boundaries between SAST and SCA will blur as modern AppSec solutions adopt a unified approach, viewing code and open-source dependencies as a cohesive whole rather than separate silos. The focus will shift to uncovering full attack paths, seamlessly connecting vulnerabilities in both custom code and third-party packages. This evolution will enable teams to assess upgrade impacts bidirectionally — from code to package and package to code — offering unprecedented clarity.
Yossi Pik
CTO and Co-Founder, Backslash Security
PLATFORM ENGINEERING VS APPSEC
Platform Engineering, which is a relatively new function, will become the primary decision maker and budget provider for Application Security Testing (AST) tooling decisions, supplanting AppSec leadership. This is because of platform engineering's powerful ability to standardize security defenses across the application layer and its "secure by design" approach, which may enable organizations to reduce entire groups of vulnerabilities.
Larry Maccherone
Dev[Sec]Ops Transformation Architect, Contrast Security
CENTRALIZED PLATFORMS
Centralized platforms will become essential for securing software supply chains: The complexity of modern software supply chains, coupled with the rise of AI-powered threats, will drive the adoption of centralized management platforms. Without a unified approach and real-time visibility, securing modern software supply chains becomes a losing battle. Centralized platforms bring critical functions like SBOM management, vulnerability analysis, and threat intelligence under one roof, enabling organizations to streamline security operations, improve collaboration between development and security teams, and mitigate risks before they impact the business. While not all businesses will adopt this approach immediately, the growing momentum toward centralization will undoubtedly shape the future of software supply chain security.
Glenn Weinstein
CEO, Cloudsmith
SECURITY TESTING SHIFTS TO PRODUCTION
In the last decade, almost all load and performance testing has shifted from pre-production to in-production. Over the next few years, a similar shift will happen for application and API security testing. The Application Vulnerability Monitoring (AVM) movement will mirror the Application Performance Monitoring (APM) movement.
Larry Maccherone
Dev[Sec]Ops Transformation Architect, Contrast Security
APPLICATION DETECTION AND RESPONSE
Application Detection and Response (ADR) will see rapid adoption as part of the XDR ecosystem. This is because traditional detection and response solutions leave a critical gap in the application layer, where applications and APIs are very frequently the target of data breach and zero-day vulnerability exploitations. Adopting ADR as a part of the XDR will become a necessary protection as application layer attacks only increase.
Jeff Williams
Co-Founder and CTO, Contrast Security
MOVING BEYOND VULNERABILITY SCANNING
Smart Enterprises Will Move Beyond Vulnerability Scanning: As enterprises embrace AI tools to help them code faster, threat actors have worked in lockstep to write faster malware, analyze code, and get better at wreaking havoc. In 2025, smarter enterprises will harden their apps against reverse engineering through advanced obfuscation, anti-tamper, and threat monitoring.
Dan Shugrue
Application Security Product Marketing, Digital.ai
MEMORY-SAFE LANGUAGE
There will be a very gradual rise in memory-safe language use in system software: Many software vulnerabilities can be eliminated by using programming languages that are memory-safe by default. However, it is impractical to rewrite all existing software written in C and C++, which are not memory-safe by default. No one has the trillions of dollars necessary for those rewrites, and their alternatives have their own challenges. For example, Rust has only one production-ready compiler and does not support many CPUs. In 2025, I expect to see gradual rewrites of small C and C++ modules, along with more use of them. There will also be longer-term efforts in 2025 that may pan out later. Some are investigating using AI to economically translate C and C++ to a memory-safe language. There's also work to develop a memory-safe variant of C++. These longer-term efforts won't be ready for production use in 2025, but they might give us long-term alternatives.
David A. Wheeler
Director of Open Source Supply Chain Security, OpenSSF
QAOPS
QAOps integrates quality assurance into the DevSecOps pipeline, helping ensure QA is part of the software development lifecycle. This enhances collaboration between development, operations and QA teams so quality is maintained throughout the development process, leading to faster releases and more reliable software, which is the fundamental objective of the DevOps methodology. However, DevOps did not identify QA teams as a team outside the "Dev" team, whereas QAOps is compartmentalizing the role of QA in DevOps. This specific focus will help DevSecOps adoption further in 2025 across real-time reporting, shift-left testing, and collaboration and communication.
Prashanth Nanjundappa
VP, Product Development, Progress
SLSA
Supply-chain Levels for Software Artifacts (SLSA) adoption will enhance supply chain security by providing cryptographic guarantees about build integrity and artifact provenance. Organizations will implement automated controls that ensure every step in the software supply chain is verified and tamper-proof, reducing the risk of supply chain attacks.
Tristan Stahnke
Principal Application Security Consultant, GuidePoint Security
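The "automated controls" in the prediction above come down to a consumer-side check: before an artifact is deployed, its provenance attestation is verified against the artifact itself and against policy on who built it and from where. The Python below is an added example written for this page, not code from GuidePoint Security or the SLSA project. It follows the in-toto Statement v1 / SLSA provenance v1 field layout (subject digests, predicate.runDetails.builder.id, predicate.buildDefinition.externalParameters); the builder id, source repository URL and artifact bytes are constructed placeholders. It assumes the DSSE envelope signature over the statement has already been verified against the builder's public key, which is the step that makes the statement trustworthy in the first place.

```python
"""Verify a SLSA v1 provenance statement against a built artifact.
Added example; builder id, repository URL and artifact bytes are constructed
placeholders. The DSSE envelope signature over the statement is assumed to have
been verified already (against the builder's public key) before these checks."""
import hashlib

TRUSTED_BUILDERS = {"https://builder.example/hosted-ci/v1"}  # constructed placeholder
EXPECTED_SOURCE = "https://git.example/org/app"             # constructed placeholder
STATEMENT_TYPE = "https://in-toto.io/Statement/v1"
PROVENANCE_TYPE = "https://slsa.dev/provenance/v1"


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def make_statement(artifact: bytes, name: str, builder: str, source: str) -> dict:
    """Construct a provenance statement in the in-toto Statement v1 / SLSA v1 shape.
    A real builder emits this; here it exists only to produce sample input."""
    return {
        "_type": STATEMENT_TYPE,
        "subject": [{"name": name, "digest": {"sha256": sha256_hex(artifact)}}],
        "predicateType": PROVENANCE_TYPE,
        "predicate": {
            "buildDefinition": {
                "buildType": "https://builder.example/build-types/generic/v1",
                "externalParameters": {"source": {"uri": source}},
            },
            "runDetails": {"builder": {"id": builder}},
        },
    }


def verify_provenance(statement: dict, artifact: bytes, expected_name: str,
                      trusted_builders=TRUSTED_BUILDERS,
                      expected_source=EXPECTED_SOURCE) -> list:
    """Return a list of policy failures; an empty list means the artifact passes.
    Checks: statement and predicate types, subject digest matches the bytes we hold,
    the builder is one we trust, and the build came from the expected repository."""
    problems = []
    if statement.get("_type") != STATEMENT_TYPE:
        problems.append("unexpected statement type")
    if statement.get("predicateType") != PROVENANCE_TYPE:
        problems.append("unexpected predicate type")

    # The digest binds the attestation to the exact bytes being deployed.
    subjects = [s for s in statement.get("subject", []) if s.get("name") == expected_name]
    if not subjects:
        problems.append("artifact not listed as a subject")
    elif subjects[0].get("digest", {}).get("sha256") != sha256_hex(artifact):
        problems.append("subject digest does not match artifact")

    pred = statement.get("predicate", {})
    builder = pred.get("runDetails", {}).get("builder", {}).get("id")
    if builder not in trusted_builders:
        problems.append(f"untrusted builder: {builder}")

    source = (pred.get("buildDefinition", {})
                  .get("externalParameters", {})
                  .get("source", {})
                  .get("uri"))
    if source != expected_source:
        problems.append(f"unexpected source repository: {source}")
    return problems


# Constructed artifact and a matching statement from the trusted builder.
ARTIFACT = b"constructed release archive bytes"
ARTIFACT_NAME = "app-1.0.0.tar.gz"
GOOD = make_statement(ARTIFACT, ARTIFACT_NAME,
                      "https://builder.example/hosted-ci/v1", EXPECTED_SOURCE)

if __name__ == "__main__":
    print("good artifact:", verify_provenance(GOOD, ARTIFACT, ARTIFACT_NAME))
    print("modified artifact:", verify_provenance(GOOD, ARTIFACT + b"x", ARTIFACT_NAME))
```

Returning every failure rather than stopping at the first makes the check useful as a CI gate: the pipeline log shows whether an artifact was rejected because its bytes changed, because it came from an unexpected builder, or both.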
CODE-TO-CLOUD SECURITY
Code-to-Cloud Security Set to Redefine Protection from Development to Deployment: The convergence of cloud security and application security will drive code-to-cloud approaches to become standard in cloud security solutions. As cloud environments grow more complex, identifying and fixing security issues at the code level before production becomes essential. This approach integrates security throughout the software lifecycle — from development through runtime. With DevSecOps, CI/CD integration, and automated threat response, code-to-cloud strategies streamline security practices, making it easier to trace vulnerabilities back to their source and resolve them quickly.
Gilad Elyashar
Chief Product Officer, Aqua Security
TRUSTLESS CLOUD AND SERVERLESS INFRASTRUCTURE
As cloud and serverless technologies advance, trustless architectures will redefine the DevOps landscape. Currently, organizations rely heavily on third-party providers to secure their data, creating inherent risks in privacy and compliance. Trustless systems, leveraging cryptographic innovations and decentralized technologies, will shift this paradigm by minimizing reliance on centralized entities. In this future state, data remains secure and private even in multi-tenant environments, without the need for implicit trust in intermediaries. For DevOps, this evolution will introduce new tools and workflows focused on zero-knowledge verification, encryption, and immutable logging, preserving scalability and flexibility while enhancing security. Trustless infrastructure will soon become a cornerstone of cloud and serverless strategies, signaling a new era of decentralized control, privacy, and operational agility.
TJ Dunham
Founder and CEO, ARC
Check back for more predictions next week, covering Open Source and Low Code/No Code.