December 4, 2024

5 Predictions About Managing Software Risks in 2025

By Brian Roche

How does the exponential advancement of technology impact the security landscape? It makes managing the fundamental risk of that technology, the software itself, exponentially more complex. From AI accelerating the production of risky code to cloud infrastructure increasing the attack surface, the world of application risk management is undergoing a rapid transformation that needs immediate attention.

Here are my predictions for 2025 and how to ride this wave of transformation to security as an enabler of progress rather than a barrier. 

1. Exponentially Complex Risk Will Make Context Everything

Since becoming CEO in April, nearly every week I’m speaking with a customer about concerns regarding the increased attack surface from the expansion of cloud technologies. To measure and manage these risks, you need context. 

Context allows you to answer critical questions, like: 

  • What are the risks?  

  • What is the likelihood a given threat will occur?  

  • What are the consequences if it does?  

Given the breadth of these questions – how is a hodge-podge of point solutions supposed to answer them? And without answers to these questions, how are you supposed to determine which actions will effectively remediate the riskiest issues?  

Security management and the board will need to speak the same language to interpret risk cohesively, so there’s no use for a bunch of disjointed data points that don’t answer the questions above. Put your energy into getting context through an optimized ASPM solution, so you can reduce the most risk with the least effort. 

2. “Garbage In, Garbage Out” Will Make Bigger AI Models Less Secure 

Neither the use of AI nor its risk is going away any time soon. When ChatGPT came bursting onto the scene at the end of 2022, a revolution in how software is built began. Despite AI's ability to automate complex coding tasks, which frees up developers to focus on more strategic roles, this shift has not been without its hurdles in the realm of security.

One of the biggest concerns surrounding AI and its impact on security is the concept of "garbage in, garbage out." This refers to the idea that if the data used to train AI models is flawed or biased, the resulting decisions and actions made by the AI will also be flawed and potentially harmful. As AI models continue to grow in size and complexity, the risk of unintended consequences and vulnerabilities increases.  

Unfortunately, I predict that this year we’ll see that the bigger models are getting less secure with time. We’re in the fifth and final industrial revolution, and AI will be a driver of more software risk than anything most people are expecting.  

That’s specifically why we made Veracode Fix, our AI-driven flaw remediation tool, using a highly curated dataset from nearly two decades as a leader in securing software. Read more about why and how we built Veracode Fix here.  

3. Real-Time Reporting Will Become Vital for Risk Management KPIs 

The thing about the cloud and open-source software is that what’s secure today might not be secure tomorrow – new vulnerabilities and threats are constantly emerging. That’s why it’s crucial for organizations to have real-time reporting on the status of what they’re using in the open-source world. You must always have your finger on the pulse, as we learned with Log4j. However, this isn’t easily achieved. 

Earlier this year, there was a pause in reporting when the US National Institute of Standards and Technology (NIST) almost completely stopped analyzing new vulnerabilities (CVEs) listed in its National Vulnerability Database (NVD). Application security testing solutions relying solely on the NVD don’t have the whole picture. 

Thankfully, Veracode customers need not worry about any disruptions because they have access to Veracode’s constantly-updated, proprietary database. This means that the integrity of your program metrics is securely maintained. 

4. Compliance & Regulations Will Get Stricter & More Specific 

Starting January 17, 2025, the European Union’s Digital Operational Resilience Act (DORA) goes into effect. It’s a regulation and not a directive, which means that come January 2025, it applies directly without needing to be transposed into national laws first. Software security best practices are fundamental for compliance with this regulation. To dive deeper into DORA compliance, read this eBook.

Additionally, the new EU liability law says that software is now included in the definition of "defective products." This means that software manufacturers can be held responsible for harm caused by software vulnerabilities. If a software flaw causes damage, the manufacturer can be held liable. 

This level of enforcement is more than we’ve ever seen, and it bears a resemblance to the SEC’s ruling from last year which will “require registrants to describe the board of directors’ oversight of risks from cybersecurity threats and management’s role and expertise in assessing and managing material risks from cybersecurity threats.”   

In 2025, I predict we’ll continue to see compliance and regulations get stricter, as well as more specific, when it comes to managing risk at the application layer. We’ll also see more regulation around AI as the use of it continues to multiply. 

5. Security Responsibility Will Get Pushed Further into Developers’ Hands 

Developers will be required to become not just coders but also visionaries and orchestrators of technology, a role that includes ensuring the security integrity of their applications. Giving developers AI-assistance at their fingertips to immediately remediate vulnerabilities – before code even enters production – revolutionizes the developer’s role in securing what they create and how their days are filled. 

Before this sounds too daunting, remember scanning and testing will only become more vital, so automation needs to be happening either way. And if AI is helping fix vulnerabilities, the burden of remediation will be lifted from the developers' shoulders, allowing time for real creative problem solving. 

This is the secure by design world we’ve been after from the start. This way of developing software, with security automated upfront, can have profound impacts on revenue growth, reduction in the risk of a breach, and more.

Conclusion: The Future of Software Development is Secure by Design  

As we move closer to 2025, the predictions discussed highlight the need for businesses to remain vigilant and proactive in their security efforts. By embracing these advancements and preparing for upcoming challenges, organizations can ensure they stay ahead in the game of application security. Explore how our latest innovations underline the importance of building, buying, and deploying software that’s secure by design.

Learn more about why Veracode is your partner for eliminating hidden risks in AI, open source software, and more. And schedule a demo of Veracode today to see how we can help you stay ahead of the game in 2025. 

By Brian Roche

Brian Roche is the Chief Executive Officer of Veracode and a recognized expert in Application Security Engineering, Cloud Native Technologies, Cloud Operations and AI. An award-winning cybersecurity leader and a pioneer of the early DevOps movement, Brian is also a passionate public speaker on AI, Application Security, DevOps, and digital transformation. With over 25 years of leadership, he has a proven track record of helping global enterprises transform their people, technology, and strategic advantage to compete and succeed in the digital economy.