Looking Back at 2025's Application Security Trends

If you had to guess what the biggest AppSec trend of 2025 was, it would probably be related to AI, and you’d be right. Much of what changed in application security was driven by AI becoming a mainstream part of software development. There was also more of a focus on supply chain risks and embedding security earlier in the development lifecycle. There’s no single trend that defines the year, but rather a combination of changes that had an impact. 


1. AI Adoption Outpaced AI Security

Last year, AI coding was more of a forward-looking topic; however, in 2025, it moved into everyday use across development teams. Generative AI and agentic systems were used in products, internal tools, and CI/CD pipelines, pretty much everywhere you looked.

Many developers (and even non-technical users) turned to vibe coding, using natural-language prompts to generate functional code. 

That shift brought new security questions to the surface, including data leakage, prompt manipulation, model misuse, and the behavior of autonomous agents as systems become more complex.

The security gap created by AI-generated code stood out. In fact, a study showed that nearly half of the code generated by AI models contained security issues.

Code produced by generative AI and vibe coding often looks fine and passes basic checks, even when it introduces subtle vulnerabilities. 

While AI sped up development, it also reinforced the importance of developers who can critically review, test, and validate what a model produces, rather than assuming it is secure simply because it looks correct.

2. Misconfiguration Stayed a Top Concern

Misconfiguration remained one of the most consistent causes of security incidents and was linked to over 9.5 million cyberattacks in the first half of 2025. 

Cloud environments continued to grow more complex, and infrastructure-as-code templates and permission models weren’t always aligned with best practices. 

There was also a change in mindset: industry frameworks and leading organizations began to treat misconfigurations as systemic risks rather than isolated errors or simple mistakes.

This brought a greater focus on the need to validate throughout the development lifecycle and on developers improving their security skills.

At the same time, teams relied on reusable templates, AI-assisted configuration, and shared cloud services, so a single small configuration error could affect multiple components. 

This shows the need for earlier visibility and a clearer understanding of who is responsible for reviewing and maintaining configurations.

3. Software Supply Chain Security Became Routine

In 2025, supply chain security became a higher priority, leading to stricter dependency checks, reproducible builds, artifact signing, and tracking.

Attention moved from whether this work was necessary to how it could become a routine part of the development process.

OWASP also added Software Supply Chain Failures to its Top Ten list of application security risks. It confirms what many teams already knew: that weaknesses in dependencies or third-party packages can have severe consequences. 

4. Making “Shift Left” Work for Teams

“Shift left” has been discussed for years, but in 2025, more teams started to look into lightweight threat modeling options and ways for static analysis results to become visible sooner in the development cycle. 

A big part of achieving this came from the rise of context-aware and reachability-based analysis. Basically, instead of treating every alert the same, these tools consider which vulnerabilities can be reached or exploited in the running system. 

Security teams have been overwhelmed for a long time by alerts that didn’t present real risk, but context-driven tools helped shift the focus from the number of alerts to those that were actually relevant. 

Even though these tools make it easier to focus on higher-risk vulnerabilities, developers still need to have oversight. 
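Reachability-based triage of the kind described above, as an added example that is not SecureFlag's code or any particular tool's: it assumes a call graph already extracted from the application (constructed by hand here, along with illustrative findings) and surfaces only the dependency findings whose vulnerable function is actually called from an entry point, with the call path a reviewer can check.

```python
from collections import deque

# Constructed call graph (caller -> callees). Third-party functions are
# qualified with their package name so findings can be matched against them.
CALL_GRAPH = {
    "app.main": ["app.handle_upload", "app.healthcheck"],
    "app.handle_upload": ["imgkit.parse_header", "app.store"],
    "app.healthcheck": ["app.version"],
    "imgkit.parse_header": ["imgkit.read_chunk"],
    "imgkit.decode_legacy": ["imgkit.read_chunk"],  # shipped, but never called
    "yamlx.load_unsafe": [],                        # shipped, but never called
}

# Constructed dependency-scan findings: (id, package, vulnerable function, severity).
# Identifiers and severities are illustrative, not real advisories.
FINDINGS = [
    ("FIND-1", "imgkit", "imgkit.decode_legacy", "critical"),
    ("FIND-2", "imgkit", "imgkit.read_chunk", "high"),
    ("FIND-3", "yamlx", "yamlx.load_unsafe", "critical"),
]

def reachable_from(entry, graph):
    """BFS from `entry`; returns {function: caller} so call paths can be rebuilt."""
    parents, queue = {entry: None}, deque([entry])
    while queue:
        caller = queue.popleft()
        for callee in graph.get(caller, []):
            if callee not in parents:
                parents[callee] = caller
                queue.append(callee)
    return parents

def call_path(parents, target):
    """Rebuild entry -> ... -> target from the parent map; [] if unreachable."""
    path = []
    while target in parents:
        path.append(target)
        target = parents[target]
    return path[::-1]

def triage(findings, graph, entries):
    """Keep findings whose vulnerable function is reachable from an entry point,
    ranked by severity, each with a call path a reviewer can verify by hand."""
    order = {"critical": 0, "high": 1, "medium": 2, "low": 3}
    maps = [reachable_from(e, graph) for e in entries]
    reachable, unreachable = [], []
    for fid, _pkg, func, sev in findings:
        path = next((p for p in (call_path(m, func) for m in maps) if p), [])
        (reachable if path else unreachable).append((fid, sev, path))
    reachable.sort(key=lambda r: order.get(r[1], 9))
    return reachable, unreachable
```

A static call graph misses calls made through reflection or dynamic dispatch, so an "unreachable" finding is a lower priority rather than a closed one; that is where the developer oversight mentioned above still applies.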

5. Frameworks Reflect New Security Challenges

As AI becomes part of products and everyday work processes, regulatory and security frameworks have had to keep refining their guidance. Teams also had to rethink how they track risk, record decisions, and meet compliance requirements.

NIST and others provided more practical direction on secure-by-design principles, Software Bill of Materials (SBOM) requirements, and software supply chain checks.

For AI-related risks, OWASP released the updated Top 10 for LLM Applications. Many organizations had to reinforce their risk assessment practices and make sure documentation was in order, as the EU AI Act will be enforced next year. 

6. Secure Coding Skills Became a Competitive Advantage

Improving developers’ security skills became a higher priority. Security tools are still important, but teams that can also code securely and stay up to date can catch risks earlier. 

SecureFlag’s survey shows how seriously organizations are taking this. 

  • All surveyed companies provide secure coding education, with 85% holding sessions at least quarterly. 

  • Nearly 90% formally test developers’ skills through coding challenges, code reviews, or vulnerability-finding tasks. 

  • 92% of senior IT and C-suite leaders believe that training reduces the number of security bugs introduced during development.

These findings point to the necessity of applied, continuously reinforced skills that give teams a competitive edge. 

From Insight to Practice with SecureFlag

2025 has shown us that AI will keep getting more complex, along with its risks. Misconfigurations will stay a challenge, and teams with strong, secure coding skills will be better positioned to address whatever comes next.

At SecureFlag, we spent this year helping organizations build those skills through hands-on labs, scenario-driven learning paths, and practical training across AI security, cloud security, secure coding fundamentals, and more. Whatever 2026 brings, we remain committed to supporting teams as they build safer, more resilient applications.

Get in touch with SecureFlag or book a demo.
