Application security trends: Shift-left security, AI, and open source malware
6 minute read time
Software is at the heart of business operations across most industries, which means application security has never been more critical. However, as organizations embrace cloud-native architectures, microservices, and open source components, the attack surface continues to expand. The result: an ever-growing number of vulnerable and malicious dependencies that adversaries are eager to exploit.
In 2025, security teams will contend with an evolving threat landscape driven by increasingly sophisticated cyberattacks, AI-powered exploits, and software supply chain compromises. This article explores the key trends shaping application security, from the growing role of AI in threat detection to the increasing adoption of software bills of materials (SBOMs).
The state of application security
Developers and security professionals face application security challenges of unprecedented complexity in 2025. According to Sonatype's 2024 State of the Software Supply Chain report, open source downloads reached 6.6 trillion last year, with up to 90% of modern applications now built on open source components.
Open source software provides the foundation for innovative applications, but the growth in open source dependencies comes with a cost. The number of malicious open source packages skyrocketed by 156% year-over-year, with over 512,847 malicious packages discovered in the year to November 2024. That number will grow significantly in 2025.
Attackers increasingly target software supply chains through dependency confusion, typosquatting, and open source repository takeovers. The 2024 Open Source Malware Report found that 50% of unprotected repositories already contain cached open source malware, and shadow downloads that bypass security controls have increased by 32.8% over the past year.
Beyond targeted attacks, the persistence of outdated dependencies remains a critical issue: 80% of application dependencies have remained unpatched for over a year despite safer versions being available. Meanwhile, three years after the infamous Log4Shell exploit, 13% of Log4j downloads are still vulnerable.
Accelerating DevSecOps: Cultural and tooling shifts
Security is no longer a final checkpoint in software development. It is an essential component of the development lifecycle. In 2025, the DevSecOps adoption trend will continue to accelerate as organizations recognize the need for integrated, automated, and proactive security practices.
Traditional security models, which rely on late-stage vulnerability scanning and manual intervention, will continue to be replaced by continuous security integration within development workflows. The cultural shift toward DevSecOps will reshape how teams approach security. Developers, security engineers, and operations teams are breaking down silos, adopting "security as code" practices, and embedding security policies directly into CI/CD pipelines.
At the same time, tooling advancements are making DevSecOps more effective. Automated security testing, real-time threat intelligence, and AI-driven vulnerability detection help teams identify and remediate risks without slowing development. Integrated software composition analysis (SCA) and policy enforcement tools proactively block unsafe dependencies and reduce the risk of supply chain attacks.
As organizations scale their DevSecOps initiatives, success depends on a holistic approach — aligning culture, processes, and automation to make security an inherent part of modern software development.
AI and machine learning: Pillars of application security strategy
AI and machine learning (ML) have become indispensable to modern application security, transforming how organizations detect, prevent, and respond to threats. AI-driven threat detection enables real-time analysis of massive data sets to identify anomalies and previously unknown attack patterns that traditional rule-based security tools might miss.
Beyond detection, AI and ML streamline security operations by automating repetitive tasks like dependency mapping, vulnerability triage, and remediation recommendations. Security teams can focus on high-priority threats, while AI-driven tools classify risks based on real-world exploitability to reduce alert fatigue and improve response times.
Open source software remains a key risk factor
Open source software accelerates innovation, but its widespread use also introduces security risks. Maintaining OSS security requires real-time visibility and proactive update management. Many vulnerabilities persist because organizations fail to monitor and update dependencies: 80% of outdated components remain in use despite available fixes.
To mitigate these risks, automated SCA and policy-driven enforcement help organizations detect, block, and remediate vulnerabilities before they reach production.
Application security as a continuous, collaborative process
Developers play a central role in modern application security. As security shifts left, teams must move beyond after-the-fact audits and integrate security into daily development workflows. When developers are empowered with automated security tools, transparent policies, and actionable insights, they can address vulnerabilities at the point of code creation, reducing delays and security debt.
Collaboration between security and development teams is essential. Traditional security models often place security as an external gatekeeper. Instead, a collaborative security culture ensures that developers, DevOps, and security teams work together, using real-time feedback loops, in-line security checks, and security guardrails within CI/CD pipelines.
By making security developer-friendly, organizations remove friction and increase adoption. Security training, simplified risk assessments, and automated dependency management allow developers to write secure code without disrupting their workflow. In 2025, security isn't just an IT responsibility — it's a shared discipline across the entire development lifecycle.
The growing role of software bills of materials (SBOMs) in software supply chain security
As software supply chain attacks become more sophisticated, transparency is no longer optional. An SBOM provides a detailed inventory of an application's components so organizations can track dependencies, identify vulnerabilities, and enforce compliance requirements.
SBOMs are transforming supply chain security by enabling proactive risk management. Instead of scrambling to assess exposure when a zero-day vulnerability emerges, teams with an up-to-date SBOM can instantly pinpoint affected components and deploy patches faster.
Overcome security challenges with Sonatype
As application security challenges evolve in 2025, organizations must embrace automation, transparency, and collaboration to stay ahead of threats. Sonatype's end-to-end SDLC security solutions provide the automation and intelligence needed to navigate this landscape.
-
Sonatype Lifecycle automates SCA to identify and remediate open source vulnerabilities early in the development lifecycle.
-
Sonatype Repository Firewall blocks intentionally malicious components before they are downloaded, preventing risky components from entering software supply chains.
-
Sonatype Nexus Repository provides a centralized repository for managing open source, internal, and third-party components.
-
Sonatype SBOM Manager generates and maintains accurate SBOMs to track dependencies and enforce compliance.
Book a demo to see how Sonatype will help your company to take control of software security.
Aaron is a technical writer on Sonatype's Marketing team. He works at a crossroads of technical writing, developer advocacy, software development, and open source. He aims to get developers and non-technical collaborators to work well together via experimentation, feedback, and iteration so they ...
Explore All Posts by Aaron Linskens
