5 urgent signals your AppSec program can’t ignore in 2025
Blog: OpenText Blogs
Your backlog is bloated, your scanners disagree, and every sprint feels like a hostage negotiation. Security incidents rarely trace back to a single tool failure—they trace back to indecision: what to fix first, where to place gates, and how to cut through the noise when everything feels “critical.”
In a world where code moves fast, application security (AppSec) has become an executive-level concern. Why? Because breaches, bots, APIs, and new regulations are colliding with software supply chains and AI. The result? Risk is rising fast—and the AppSec playbook is being rewritten.
The latest OpenText report, "State of Application Security: Trends, Challenges, and Upcoming Threats," reveals five key signals no security team can afford to ignore.
1) GenAI is expanding the attack surface—and the defense toolkit
Generative artificial intelligence (GenAI) isn’t just a development productivity tool—it’s a security wildcard. Apps are embedding large language models (LLMs) at scale, introducing risks like:
- Prompt injection
- Model misuse
- Data leakage via AI APIs
At the same time, defenders are using AI to:
- Speed up triage and remediation
- Detect anomalies in runtime behavior
- Reduce false positives through machine learning-based analysis
Why it matters:
Security policies must now address both AI as a vulnerability vector and AI as a detection tool. Treat AI models like any other critical dependency—with guardrails, logging, and kill switches.
Explore OpenText Application Security Aviator
2) Software supply chain visibility is non-negotiable
97% of modern apps include open-source components, and 91% use outdated ones. Vulnerabilities like Log4j proved just how fast a single component can ripple across thousands of systems.
New regulations such as the Cyber Resilience Act in the European Union and software bill of materials (SBOM) mandates in the United States make software supply chain transparency a requirement.
Must-haves for compliance and security:
- SBOM automation for every build
- Software composition analysis (SCA) across the software development lifecycle (SDLC)
- Governance over license risk and package health
Learn how OpenText helps secure the software supply chain
3) APIs: Your most vulnerable and valuable real estate
APIs outnumber web pages—and attackers know it. 95% of organizations report API issues, yet only 7.5% have mature API testing in place. Common API threats:
- Broken object-level authorization (BOLA)
- Excessive data exposure
- Rate-limit gaps and schema drift
Your API security checklist:
- Run definition-driven scans using OpenAPI and GraphQL schemas
- Monitor runtime API behavior for anomalies
- Enable authorization-aware testing using OAuth and OpenID Connect (OIDC)
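One way to start the definition-driven checks listed above, as an added example that is not OpenText's code or part of the report: it walks a constructed OpenAPI 3 document, flags object-ID operations that need authorization-aware (BOLA) testing or are reachable anonymously, treats a missing documented 429 response as a rate-limit gap heuristic (an assumption, not an OpenAPI rule), and reports operation-level schema drift between two spec versions.

```python
"""Definition-driven audit of an OpenAPI 3 document (constructed sample data)."""

# Constructed sample spec: bearer auth is required globally, one operation
# opts out with an empty security list, and one is a health endpoint.
SAMPLE_SPEC = {
    "openapi": "3.0.3",
    "security": [{"bearerAuth": []}],
    "paths": {
        "/users/{userId}": {
            "get": {"parameters": [{"name": "userId", "in": "path", "required": True}],
                    "responses": {"200": {}, "429": {}}},
            "delete": {"parameters": [{"name": "userId", "in": "path", "required": True}],
                       "security": [], "responses": {"204": {}}},
        },
        "/orders/{orderId}": {
            "get": {"parameters": [{"name": "orderId", "in": "path", "required": True}],
                    "responses": {"200": {}}},
        },
        "/health": {"get": {"security": [], "responses": {"200": {}}}},
    },
}

HTTP_METHODS = {"get", "put", "post", "delete", "patch", "options", "head"}

BOLA_CANDIDATE = "object-ID endpoint: needs authorization-aware (BOLA) test"
ANONYMOUS_OBJECT = "object-ID endpoint reachable without any security requirement"
NO_RATE_LIMIT = "no documented 429 response: check rate limiting (heuristic)"


def operations(spec):
    """Yield (METHOD, path, operation object) for every operation in the spec."""
    for path, item in spec.get("paths", {}).items():
        for method, op in item.items():
            if method in HTTP_METHODS:
                yield method.upper(), path, op


def effective_security(spec, op):
    """An operation-level 'security' key overrides the global list; [] means anonymous."""
    return op["security"] if "security" in op else spec.get("security", [])


def audit(spec):
    """Return (METHOD, path, finding) tuples in document order."""
    findings = []
    for method, path, op in operations(spec):
        has_object_id = any(p.get("in") == "path" for p in op.get("parameters", []))
        if has_object_id:
            secured = bool(effective_security(spec, op))
            findings.append((method, path, BOLA_CANDIDATE if secured else ANONYMOUS_OBJECT))
        if "429" not in op.get("responses", {}):
            findings.append((method, path, NO_RATE_LIMIT))
    return findings


def operation_drift(old_spec, new_spec):
    """Schema drift at operation level: (added, removed) lists of (METHOD, path)."""
    old_ops = {(m, p) for m, p, _ in operations(old_spec)}
    new_ops = {(m, p) for m, p, _ in operations(new_spec)}
    return sorted(new_ops - old_ops), sorted(old_ops - new_ops)
```

Running `audit(SAMPLE_SPEC)` flags the unauthenticated DELETE on `/users/{userId}` and marks the two authenticated object-ID reads as BOLA test candidates; feed the same functions a real spec exported from your API gateway to build the scan queue.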
See how OpenText prioritizes API security
4) Vulnerability overload meets tool sprawl
Point tools are piling up, but signals are getting lost. Multiple scanners produce duplicate findings, slow remediation, and wear down your developers.
More tools, more problems. Top teams are consolidating to simplify risk.
- 43% of enterprises plan to reduce tool count in 2025
- Unified platforms streamline scan orchestration and policy control
- Risk-weighted priorities drive faster, smarter fixes
Explore OpenText’s application security posture management (ASPM) platform
5) SAST, DAST, and SCA still matter—just differently
The "core three" AppSec tools are evolving:
- Static application security testing (SAST): embedded directly in integrated development environments (IDEs) and pull requests
- Dynamic application security testing (DAST): optimized for real-world API and AI flows
- Software composition analysis (SCA): essential for generating and governing SBOMs
Modern orchestration tips:
- Trigger scans based on policy-defined risk bands
- Automate remediation suggestions through developer platforms
- Surface runtime context to prioritize actionable threats
What you’ll learn in the full report
- How AI, APIs, and open source are reshaping the attack surface
- Why shifting from “coverage” to “consequence” changes the prioritization game
- What metrics matter most for predicting and reducing incidents
- What to expect through 2026—including regulation, consolidation, and continuous compliance
And don’t miss our webinar series
Securing the future: Insights and solutions for modern AppSec
Webinar 1: AppSec 2025—Navigating complexity, change, and risk October 7, 2025, 11:00 AM ET
Webinar 2: Modern AppSec in action—How OpenText tackles 2025’s security demands November 4, 2025, 11:00 AM ET
Register here. (Can’t attend live? Sign up to receive the on-demand replay.)