
CVE Program Funding Disruption: What It Means for Cybersecurity and Veracode Customers

On April 16, 2025, the cybersecurity community faced a potential crisis as U.S. government funding for the Common Vulnerabilities and Exposures (CVE) program, managed by MITRE and sponsored by the Cybersecurity and Infrastructure Security Agency (CISA), was set to expire.

Securing the AI-Driven Development Environment

In 2025, AI is further transforming how software is built—accelerating code generation, testing, and deployment. But while it boosts speed and productivity, AI-driven development introduces new risks that developers and security teams can’t afford to ignore. To secure this next-gen development environment, organizations must understand the evolving threat landscape and adopt smarter, more integrated security strategies.

AI and AppSec: A Partnership to Prevent Breaches

As software development accelerates, cyberattacks are also growing more sophisticated. The result? Traditional security methods are often rendered ineffective. With reactive strategies and stretched resources, application security (AppSec) teams are under increasing pressure to secure apps without sacrificing speed and innovation. Artificial intelligence (AI) has quickly become the frontrunner solution, automating labor-intensive tasks, improving accuracy, and enabling proactive security measures.

Resurgent North Korean Malware Campaign in npm

Hello from the Veracode Research blog! It’s been a minute since we’ve done a malware write-up, but we’re back and ready for action! And speaking of folks who are back and ready for action, the North Korean attackers behind the crypto wallet stealer campaign we wrote about in February of 2024 and again in May of 2024 are back at it with a new batch of malicious npm packages.

Introducing Veracode Threat Research

We are excited to announce the launch of Veracode Threat Research, a new initiative to counter software supply chain threats. Thanks to the acquisition of Phylum, Inc., we are now equipped with cutting-edge technology and a wealth of expertise to revolutionize how we secure the open-source ecosystem and protect your developers from novel attacks.

Getting an 80% Productivity Boost By Transforming Development Workflows

How much innovation could you reinvest in with 80% developer productivity recapture? My guess is: a lot. As a VP of Product at a security company, I’ve seen firsthand how making it easier for developers to manage security findings can help them focus on delivering value faster. Let me share with you the developer security experience that can transform development workflows for increased productivity.

How to Improve Your Security Posture with the Least Effort Using ASPM

Security posture management has become exponentially more complex for organizations developing and managing a vast ecosystem of applications. Evolving architectures like microservices, hybrid cloud infrastructures, and frequent release cycles introduce constant change and challenges. Amid these growing challenges are the existing security gaps organizations are struggling to address.

ASPM Buyer's Guide: Find the Right Vendor for Your App Risk Management Needs

Security teams are overwhelmed. Whether it’s alert overload, a growing backlog of vulnerabilities, or fragmented security data, there’s no finish line in sight. The State of Software Security 2025 report reveals that security debt is rising and flaw fix times are increasing. Meanwhile, the traditional tools many teams leverage fail to provide the context needed to track risks across the application lifecycle and, importantly, to prioritize them.

From Lagging to Leading: The New View of Software Security Maturity in 2025

The State of Software Security (SoSS) 2025: A New View of Maturity, our 15th year publishing the report, highlights a critical shift in how organizations approach security maturity. This transition focuses on major risks and uses continuous feedback loops to identify and mitigate them. Key metrics such as flaw prevalence, fix capacity, fix speed, debt prevalence, and open-source debt are essential for benchmarking and improving security maturity.

Still relying solely on CVSS scores to prioritize software supply chain risks? Stop.

Software supply chain security risks are mounting. As noted in Veracode’s State of Software Security (SoSS) report, organizations of all sizes are drowning in security debt, and a large portion of the critical debt can be attributed to third-party vulnerabilities.