10 Key Predictions: Secure Code Warrior on AI & Secure-by-Design’s Influence in 2025

As we look ahead to 2025 - on the heels of an exciting and challenging year, the intersection of AI and software development will continue shaping the developer community in meaningful ways. 

Organizations are facing tough decisions on AI usage to support long-term productivity, sustainability, and security ROI. It’s become clear to us over the last few years that AI will never fully replace the role of the developer. From AI + developer partnerships to the increasing pressures (and confusion) around Secure-by-Design expectations, let’s take a closer look at what we can expect over the next year:
‍

Rewriting the AI Equation: Not AI Instead of Developer, but AI + Developer

“As companies are prompted to take drastic cost-cutting measures in 2025, it would be to no one’s surprise that developers are replaced with AI tooling. But as was the situation when Generative AI first made its debut and now with years of updates and more to come, it is still not a safe, autonomous productivity driver, especially when creating code. AI is a highly disruptive technology with many amazing applications and use cases, but is not a sufficient replacement for skilled human developers. I agree with Forrester’s prediction that this shift towards AI/human replacement in 2025 is likely to fail, and especially in the long term. I think the combination of AI+developer is more likely to achieve this than AI alone.”

‍

AI Delivers a Mixed Bag of Risks and Opportunities

“During 2025, we will see new risk cases emerge from AI-generated code, including the adverse effects of known issues like hallucination squatting, poisoned libraries and exploits affecting the software supply chain. Additionally, AI will be used to find flaws in code much more, as well as leveraged to write exploits for it, as Google’s Project Zero just demonstrated. In contrast, I think what we will additionally see are some initial levels of maturity reached with enterprise developers being able to leverage these tools in their work without adding too much extra risk, however, this would be the exception, not the rule, and it would be dependent on their organization actively measuring developer risk and adjusting their security program accordingly. In the rapidly evolving threat environment that 2025 is sure to bring, it will be the skilled, security-aware developers with approved AI coding tools who will be able to produce code faster, while developers with low security awareness and general skills will only introduce more problems, and at greater speeds.” 

‍

Breaking Out of the [AI] Shadows

“The legislative landscape around AI is rapidly changing in an attempt to keep up with the frequent advancements in the technology and its rate of adoption. In 2025, security leaders need to ensure they are prepared to comply with potential directives. A combination of the following - understanding the nature of “shadow AI” and then ensuring that it is not being used in the organization, followed by the strict use of only approved, verified tools installed on company systems - will prove to be most critical for organizations in the year ahead. This will lead to a greater assessment of the development cohort, to understand how they must be best supported to continuously grow their security prowess and apply it to all aspects of their work.”

‍

AI Tools’ Security Standing Will be Key Measurement for Developers

“Right now, it’s a free-for-all market in terms of LLM-powered coding tools. New additions are popping up all the time, each boasting better output, security, and productivity. As we head into 2025, we need a standard by which each AI tool can be benchmarked and assessed for its security standing. This includes coding capabilities, namely its ability to generate code with good, safe coding patterns that cannot be exploited by threat actors.” 

‍

AI Will Make it Harder for Junior Developers to Enter the Field

“Developers have more barriers to entry than ever before. With hybrid and distributed workforces and the level of skillset required for entry-level roles, the bar continues to rise higher each year for junior developers. In 2025, employers will start to expect junior developers to already have the skills and knowledge to integrate and optimize AI tools safely within their workflow when they begin the role - rather than dedicating time toward on-the-job training. Within the next year, developers who fail to learn how to leverage AI tools in their development workflow will face significant consequences to their own career growth - and will experience challenges in securing job opportunities. They risk hindering their ‘license to code,’ which prevents their participation in more complex projects, as safe AI proficiency will ultimately become key.”

‍

Time Will Prevent Organizations from Achieving Secure by Design

“Developers need sufficient time and resources to upskill and familiarize themselves with the right tools and practices to achieve "Secure by Design.” Unless organizations get the buy-in from security and engineering leaders, their progress will be hindered - or stalled entirely. When organizations attempt to cut costs or restrict resources, they often prioritize immediate remediation efforts over long-term solutions - focusing on multi-faceted remediation tools that do some things just “okay,” and everything else “mediocre.” In 2025, this imbalance will create greater disparity between organizations who prioritize secure software development, and those who just want a quick fix to keep pace with a changing landscape.”

‍

Supply Chain Security Audits will Play a Critical Role in Mitigating Global Risks

“All outsourcing/third-party vendors will start to see increased scrutiny. You can have the greatest security program internally, but for companies you outsource to, if they don’t practice Secure by Design, the entire security framework can become compromised. As a result, organizations are going to heavily audit their outsourcing efforts, placing pressure on business leaders to follow strict security and industry compliance guidelines. Ultimately, the success of security teams depends on a holistic, 360 view - including a unified approach across the organization and any external partners.”

‍

AI will be Influential in “Cutting Through the Noise”  

“Development teams struggle with false positive rates with code vulnerability scanners. How can they be sure the vulnerabilities they’re assigned are actually a security risk? In 2025, AI will be a crucial tool to help developers “cut through the noise” when it comes to code remediation - providing a deeper understanding of the code itself. By leveraging machine learning, AI can better prioritize real threats based on context, reducing the time spent improving the accuracy of security alerts. This will allow teams to focus on the vulnerabilities that truly pose a risk, enhancing overall efficiency and enabling faster, more secure development cycles.”

‍

Benchmarking Will be the Solution for Organizations to Meet Secure-by-Design Goals

“The absence of a security benchmark will prove to be detrimental to organizations in 2025  because they will have no clear baseline for measuring their progress in meeting Secure by Design standards. Without a benchmarking system in place to evaluate how teams adhere to secure coding practices, these organizations risk inadvertently introducing vulnerabilities that could lead to a major breach. And if a breach does occur, they most likely will not have time to implement a benchmarking system, but rather be forced to accelerate their SBD initiatives without first assessing the security maturity of their developer teams, ultimately exposing their organization to even greater risks.”

‍

Technical Debt At the Cost of AI-Generated Code

“It is no secret that the industry already has a massive issue with technical debt - and that’s with code that’s already been written. With the surge in developers’ blind reliance on inherently insecure, AI-generated code, in addition to limited executive oversight, it’s only going to get worse. It is very possible that this dynamic could lead us to see a 10X increase in reported CVEs this coming year.”

‍

For a successful 2025, organizations need to be willing to introduce AI responsibly and securely, alongside appropriate training and risk mitigation investments to their development teams. As next year marks the one-year anniversary of CISA’s Secure-by-Design pledge, the brands who will keep their competitive advantage are the ones who prioritize their secure development approach to best eliminate risk associated with AI, third-party security concerns and additional emerging threats.