Security by Design
Security has long been treated as something that sits alongside software: a set of tools, reviews, and controls applied after the fact. But that model is starting to feel out of step with how today’s systems are actually built. Applications now span cloud environments, rely heavily on third-party components, and move through automated pipelines at speed. In that context, security can’t remain a separate checkpoint; it has to be part of how software is designed and delivered from the start.
That shift shows up clearly in this year’s research. Organizations are placing greater emphasis on data-centric security and cloud guardrails, while traditional perimeter approaches are becoming less central. DevSecOps practices are also evolving in a practical direction: Teams are embedding automated controls into CI/CD pipelines while relying on runtime visibility to catch what slips through.
At the same time, supply chain risk is no longer a niche concern, and while SBOM adoption is widespread, turning visibility into enforcement remains a work in progress. And as AI agents move into production, questions around data exposure and identity are becoming harder to ignore.