800 posts, my analysis
After taking a look at these posts
https://appsecadventures.blogspot.com/2025/11/800-posts-where-am-i-and-what-are.html
https://appsecadventures.blogspot.com/2025/11/800-posts-least-common-subjects.html
https://appsecadventures.blogspot.com/2025/11/800-posts-predictions-based-on-rare.html
Here are my takes:
Obviously, posts are biased based on my interests. So there are a lot of vulnerability management, supply chain security and LLMs and very little about API Security, OWASP Top 10 and scanning tools.
This does not mean I am not noticing what's happening. Although LLMs and Copilots are getting better every day, the dynamics of programming with LLMs may, in the long run, produce less skilled developers, because the intermediate developers of tomorrow (the newbies of today) will rely more on tools to write their code. So we may face an educational problem very soon. People will remain the weakest link in the security chain.
Attacks are becoming more and more complex and difficult to tackle. At the same time, the pressure to adopt AI innovations that have not yet fully proved their value indicates that the industry is accepting suboptimal AI-based solutions as long as they are cheaper and as long as they can scale. So I think we are going to lose some ground to attackers for a while.
The industry is giving less value to norms and standards and more value to automation and tools that provide tangible benefits, for example, posture management instead of mapping ASVS to CWEs or NIST controls. Of course, compliance will still be there, but companies will prefer tools that perform assessments on their CMDBs (every cloud comes with some sort of CMDB) or anything-as-code, like threat modeling, policies, IaC scanners and so on.
ChatGPT missed Quantum-Safe completely. This is an area that is growing fast, and most companies are still underestimating the need for a crypto inventory. It's a hard task: upgrading crypto is complex and expensive, and the computing power needed to break current algorithms will arrive soon, whether from quantum computing or not.
The war for control of the unified security platform for development (which started in the ASOC era and gained some momentum in the ASPM era) was less clear to me some years ago. It was not clear to me which approach would win: [1] the platform (GitHub, GitLab), [2] the ASPM (from scanner providers such as SAST, SCA and DAST vendors) or [3] the CSPM (from Palo Alto, for example). My feeling is that [1] will win the war, because they are closer to their "client" (the code repo and the CI/CD pipeline). In fact, [2] will have a very hard time in the next few years, IMO.
I am also worried about the role of appsec in the next years. We need people from the trenches to join security. LLMs will still create code with problems, many OWASP Top 10 items are not covered by tools. Maybe threat modeling will gain more importance in the next years, helped by tools, but it will still need some sort of skilled professional that is very hard to find and to train.
Maybe we should invest in developing a new kind of security architect—someone who has deep knowledge across infrastructure, programming, and security, spanning areas like compliance, vulnerability management, risk, and posture. It might even be worth creating a dedicated postgraduate program for this, because it would take years for someone to build the level of expertise and experience the role demands. I’m not sure what the right answer is, but I’m fairly certain an LLM won’t be able to fill that role.