The State Of Application Security, 2025: Yes, AI Just Made It Harder To Do This Right
Our annual report on the state of application security is one of our favorites. We love digging into the data to see how priorities and adoption have changed. This year, the explosion of AI in applications and in application development exacerbated existing trends and introduced new concerns. Here are some areas that got our attention.
AI Models Add Another Dimension To An Already Complex Attack Surface
Applications were complex before, knotted up with third-party and open-source libraries, containers and container images, and APIs. AI has thrown more components into the application stew, with embedded AI models and calls to external large language models (LLMs). Thirty-three percent of business and technology professionals report that their organization is using generative AI (genAI) in production applications, according to Forrester’s 2024 data. But overlooked in the rush to market is an understanding of how LLM and genAI usage expands the application attack surface, particularly around APIs.
The Software Supply Chain Is A Global Concern
As attackers continue to target the software supply chain, government regulators are mandating more transparency. US federal agencies can request software bills of materials (SBOMs) from software manufacturers, and medical device submissions to the US Food and Drug Administration for approval require an SBOM. The EU’s Cyber Resilience Act, which entered into force in December 2024, applies to digital products sold in the EU and requires manufacturers to generate an SBOM “to facilitate vulnerability analysis.” The Australian Signals Directorate’s Information Security Manual, updated in March 2025, recommends the use of an SBOM for traditional and mobile application development to provide greater transparency for consumers around security risks. No matter where you are, be ready to present an SBOM.
Developers Influence AppSec Tooling Decisions
A common myth is that application security technologies are solely selected and purchased by the security team. In fact, 62% of security decision-makers for application security report that the development team is the final purchase decision-maker for application security technologies, while 43% say that the development team is the final purchase decision-maker with budget ownership. Developer experience has become a priority for buyers — ahead of traditional security features such as exhaustive security scans and comprehensive reporting and analytics. If developers won’t use the tool, it doesn’t matter how many security flaws it finds.
For more on these trends and to see how attack and adoption rates have evolved, check out The State Of Application Security, 2025, and schedule an inquiry or guidance session with us to learn more.
