Veracode

Computer and Network Security

Burlington, Massachusetts

84,392 followers

Transforming application risk management for the AI era.

About us

Veracode is a global leader in Application Risk Management for the AI era. Powered by trillions of lines of code scans and a proprietary AI-assisted remediation engine, the Veracode platform offers adaptive software security and is trusted by organizations worldwide to build and maintain secure software from code creation to cloud deployment. Thousands of the world’s leading development and security teams use Veracode every second of every day to get accurate, actionable visibility of exploitable risk, achieve real-time vulnerability remediation, and reduce their security debt at scale. Veracode is a multi-award-winning company offering capabilities to secure the entire software development life cycle, including Veracode Fix, Static Analysis, Dynamic Analysis, Software Composition Analysis, Container Security, Application Security Posture Management, Malicious Package Detection, and Penetration Testing.

Website: https://veracode.com
Industry: Computer and Network Security
Company size: 501-1,000 employees
Headquarters: Burlington, Massachusetts
Type: Privately Held
Founded: 2006
Specialties: Application Security, Web Application Security, Binary Static Analysis, Vendor Application Security Testing, Runtime Application Self Protection, Software Composition Analysis, Dynamic Analysis, Application Security Programs, and DevSecOps

Locations

  • Primary: 65 Blue Sky Dr, 3rd Floor, Burlington, Massachusetts 01803, US

Updates

  • The 2026 Verizon DBIR just dropped, and we're proud to be a contributor. The findings for AppSec teams are impossible to ignore. This year's report includes a CWE survival analysis showing how long code flaws actually stay open in real development environments — and the findings should change how every development team thinks about security. With exploitation of vulnerabilities being the new number one way attackers get in, secure code couldn't be more relevant. We broke it all down on the blog. The numbers are stark. → https://lnkd.in/eC8P29GF #DBIR #DBIR2026 #AppSec #ShiftLeft #CyberSecurity

  • Security teams are managing an increasingly difficult environment shaped by expanding attack surfaces, faster-moving threats, growing software complexity, and constant pressure to reduce risk without slowing the business down. Events like the CSO Cybersecurity Awards & Conference hosted by Foundry create an important opportunity for practitioners to connect, share experiences, and recognize the work happening across the industry. During the event, Veracode’s Sohail Iqbal spoke with CSO’s Joan Goodchild about how AI-driven development is reshaping software supply chain risk and why security teams need governance models that can operate at the same speed and scale as AI-generated code. Their conversation explored the impact AI-generated code is having on software quality, the realities of “secure by design” at enterprise scale, evolving approaches to the SDLC, and the growing challenge of managing security debt as remediation capacity remains constrained. It was great spending time with customers, partners, and cybersecurity leaders throughout the week, and we want to congratulate all of the individuals and organizations honored for their leadership and contributions to the security community. We’re sharing a few moments from the event and some of the great conversations along the way. Check out the photos below.

  • Veracode reposted this

    AmiViz, 37,893 followers

    We spoke with Michael Steinmetz, Senior Vice President of Sales at Veracode, on how organizations balance security with development velocity. Veracode addresses this through continuous attestation throughout the application lifecycle. Traditional point-in-time scanning cannot keep pace with modern development. Applications move from conception to production in days. Veracode enables teams to maintain security controls without sacrificing productivity. Security must happen consistently, not just at predefined checkpoints. Want to learn more about Veracode application security solutions? Contact: inquiries@amiviz.com Host - Kareena Olivera #ApplicationSecurity #ContinuousAttestation #DevSecOps Kiran Fatima Adam Abu-Jabal Moncef E. Reza Rizvi Arshad SHEIKH Sameh Hasan, Dharmendra Parmar Vidya Subramanian Panchami Manohar Shefeeh M Abdul Kabeer Mohammed Manish Dhyani Louis Fivaz Adil M. Aziza Makkar Salman Anees Chougle Jehad Alamri Waleed Elshayib Firas Hayajneh MONA SEDKY Mohamed Abdelwahed Mahmoud

  • The best security teams aren't working harder than everyone else. They're working 10x smarter about what they fix. Instead of chasing 50,000+ findings, they filter every vulnerability through three questions: → Is it exploitable? → Is it exposed? → Does it impact something critical? That shift — from severity-driven triage to risk-based prioritization — is what separates teams eliminating real risk from teams managing noise. And when you pair that with continuous testing in your CI/CD pipeline and an AI-aware security posture, you stop accumulating debt and start proving measurable risk reduction to the business. We put together a practical guide on exactly how to get there 👇 https://lnkd.in/e5xUr5i6 #ApplicationSecurity #DevSecOps #AppSec #CyberSecurity #RiskManagement

  • The solution? Embedding security directly into the development lifecycle with AI-powered automation that prioritizes what actually matters. Join Veracode’s Sohail Iqbal and CyberEdge’s Steve Piper on May 21 at 11am ET for a data-driven webinar where you’ll learn how leading organizations defend against adaptive threats while maintaining development velocity. Don't let the choice between innovation and security hold you back. Register here → https://lnkd.in/gHnkW-Sb #DevSecOps #AppSec #SecureCoding #CyberSecurity #DeveloperTools

  • Traditional npm malware waits for developers to download it. The Mini Shai-Hulud worm uses your own developer infrastructure to spread. We are tracking a massive new wave of activity targeting JavaScript development infrastructure. Instead of relying on downstream installs, this worm actively abuses trusted publishing paths and CI/CD identities to push compromised releases. At Veracode, our Threat Research team is actively monitoring this campaign. We are analyzing the malware's behavior—which includes harvesting GitHub tokens and abusing Actions workflows—so we can provide the exact indicators you need to stay safe. If you use automated npm publishing workflows, take these steps right now to secure your environments: ✅ Review your GitHub Actions workflow permissions and restrict them where possible. ✅ Rotate your publishing credentials and tokens immediately. ✅ Monitor your package publication activity for any sudden anomalies. Your automation infrastructure is built to move software quickly, but without proper guardrails, it can move malware just as fast. Read our full breakdown of the Mini Shai-Hulud worm, including a continuously updated list of known affected packages, in our latest blog: https://lnkd.in/erPpN-Dq

  • We tested 150+ AI models writing code. Only 55% of what they generated was secure. The other 45%? Known vulnerabilities. And that number hasn't really moved in two years — despite every new model release and every round of hype. Here's what changed: the volume. AI coding tools mean developers ship more code, faster. Which means more vulnerable code, faster. Meanwhile only 42% of organizations have fully implemented secure coding practices. 82% of organizations now carry security debt. 60% of it is critical. The gap between building fast and building securely is real — and it's growing. We broke down the data, the risk, and the five things security teams need to do about it now. Link in comments. 👇

  • Excited to see Veracode’s Chris Wysopal take the stage at NCFTA Disruption 2026 for a timely and important conversation on the future of cybersecurity talent. Chris will be joining Marcus Hutchins, Will McKeen, Fergus Hay, and Bianca Lewis for a panel with The Hacking Games, “The Ethical Fork in the Road Facing Gen Z: How Can We Inspire Gen Z to Become Ethical Hackers in Modern Workplaces.” This discussion will get at a real challenge facing the industry today. A growing number of young people are being pulled toward cybercrime, and the question is how we redirect that talent toward defense. The panelists will discuss how we can better inspire, educate, and equip the next generation to become ethical hackers, along with the role that society, technology, and law enforcement all play in shaping that path. If we want a stronger security future, this is where it starts. Looking forward to the conversation and the perspectives from this group.

  • The scariest thing about AI in software development isn't what you think. 👀 It's not that AI will replace developers. It's not even that AI will break your security tools. It's that software is now being created faster than trust can keep up. Our CEO Brian Roche just dropped a sharp take on what this AI inflection point actually means for enterprises — and why most of the market is still misreading the signal. The hard truth: AI may make some tasks easier, but it definitely doesn't shrink your attack surface. It multiplies it. More code. More dependencies. More pull requests — with less human review at every stage. Speed of finding vulnerabilities? That's table stakes now (for attackers too). Speed of trust is the real game. Brian breaks down why the next era of software security isn't about scanning faster — it's about becoming the trust authority for AI-generated code. Provenance. Continuous verification. Autonomous remediation. Governance that runs at machine scale. This is the control plane modern development demands. And it's the market Veracode has been building for 20 years. If your board, CISO, or risk committee isn't asking these questions yet — they will be soon. Read the full blog 👇 https://lnkd.in/ecrccf5D #SoftwareSecurity #AppSec #AI #CyberSecurity #Veracode #SDLC #SoftwareTrust

  • Security budgets are up. Tooling is more advanced than ever. Yet... 81% of organizations were still breached last year, according to the 2026 Cyberthreat Defense Report. It’s a frustrating, exhausting reality for security teams. You are working around the clock, but threat actors are now using AI-powered, evasive malware that adapts in real time - among other things. Meanwhile, nearly 58% of organizations are still struggling to fully implement secure coding practices. You can't fight AI-speed threats with human-speed remediation. And you can't secure your organization by treating developers as a bottleneck. The answer isn't working harder. It's working smarter. Read our latest blog, "The $10 Million Question: Why Are 80% of Organizations Still Getting Breached?" to discover how leading teams are closing the AppSec gap and fighting AI with AI—without slowing down innovation. Read the full breakdown here: https://lnkd.in/eYQPmkvQ #CyberSecurity #AppSec #ArtificialIntelligence #DevSecOps #Veracode
