Security | Threat Detection | Cyberattacks | DevSecOps | Compliance

Walking into Moscone South on Monday morning I felt the familiar RSA buzz—thousands of badges, coffee lines that never end, and animated hallway debates about whether AI will save or sink us. This year the conversations were richer than ever. I was thankful that “Secure by Design” is still gaining traction, and many sessions—whether it was about agentic AI, new software liability proposals, or the talent crisis—had the need for secure software a given.

Security teams are increasingly overwhelmed by the sheer volume of alerts generated by detection tools. While detection capabilities have improved over time, this has led to an unintended consequence: alert fatigue. The rapid proliferation of alerts—many of which lack critical context—makes it difficult for security teams to prioritize and address the most urgent vulnerabilities.

Zero-day vulnerabilities are the new normal in cybersecurity. In 2023 alone, more than 100 high-profile zero-day incidents were reported. Despite the early warning signs, major corporations and government agencies, from giants like Google and Cisco to the U.S. Government, continue to be blindsided by zero-day threats into 2025. In December 2024, for example, the U.S.

On April 16, 2025, the cybersecurity community faced a potential crisis as U.S. government funding for the Common Vulnerabilities and Exposures (CVE) program, managed by MITRE and sponsored by the Cybersecurity and Infrastructure Security Agency (CISA), was set to expire.

In 2025, AI is further transforming how software is built—accelerating code generation, testing, and deployment. But while it boosts speed and productivity, AI-driven development introduces new risks that developers and security teams can’t afford to ignore. To secure this next-gen development environment, organizations must understand the evolving threat landscape and adopt smarter, more integrated security strategies.

As software development accelerates, cyberattacks are also growing more sophisticated. The result? Traditional security methods are often rendered ineffective. With reactive strategies and stretched resources, application security (AppSec) teams are under increasing pressure to secure apps without sacrificing speed and innovation. Artificial intelligence (AI) has quickly become the frontrunner solution, automating labor-intensive tasks, improving accuracy, and enabling proactive security measures.

Hello from the Veracode Research blog! It’s been a minute since we’ve done a malware write-up, but we’re back and ready for action! And speaking of folks who are back and ready for action, the North Korean attackers behind the crypto wallet stealer campaign we wrote about in February of 2024 and again in May of 2024 are back at it with a new batch of malicious npm packages.

We are excited to announce the launch of Veracode Threat Research, a new initiative to counter software supply chain threats. Thanks to the acquisition of Phylum, Inc., we are now equipped with cutting-edge technology and a wealth of expertise to revolutionize how we secure the open-source ecosystem and protect your developers from novel attacks.

How much innovation could you reinvest in with 80% developer productivity recapture? My guess is: a lot. As a VP of Product at a security company, I’ve seen firsthand how making it easier for developers to manage security findings can help them focus on delivering value faster. Let me share with you about the developer security experience that can transform development workflows for increased productivity.

Security posture management has become exponentially more complex for organizations developing and managing a vast ecosystem of applications. Evolving architectures like microservices, hybrid cloud infrastructures, and frequent release cycles introduce constant change and challenges. Amid these growing challenges are the existing security gaps organizations are struggling to address.