Cypress Data Defense Report Reveals Deepening Software Security Crisis in 2025

The 2025 State of Application Security Report from Cypress Data Defense reveals an escalating crisis, with software supply chain attacks, API vulnerabilities, and AI-related challenges surging. Organizations are struggling to keep pace, highlighting the urgent need for proactive DevSecOps strategies to mitigate growing risks.

This year's "2025 State of Application Security Report" from cybersecurity firm Cypress Data Defense sounds the alarm on a deepening and worsening crisis in software security. The report, based on an analysis of 2024 data, highlights that organizations are facing an unprecedented assault on multiple fronts, from the software supply chain to APIs and the rapid adoption of artificial intelligence (AI).

One of the most alarming findings in the report is the dramatic surge in software supply chain attacks. These attacks increased by 25% from October 2024 to May 2025. Since 2020, a staggering 1300% increase in supply chain attacks has been reported. These attacks target vulnerabilities in third-party dependencies and open-source platforms, allowing attackers to bypass an organization's defenses by targeting its less secure suppliers. More than 75 percent of software supply chains have experienced cyberattacks in the last 12 months. The Cypress Data Defense report underscores that 62% of organizations admit to knowingly pushing vulnerable code to production to meet deadlines, a practice that significantly exacerbates the problem.

APIs, the connective tissue of the modern digital economy, have become a prime battleground. The report reveals that 57% of organizations experienced an API-related data breach in the past two years. Despite the risk, companies are, on average, testing only 38% of their APIs for vulnerabilities. This security gap is particularly concerning as 27% of API attacks now target business logic vulnerabilities, which are difficult for automated scanners to detect. Furthermore, 33% of API vulnerabilities discovered in the past quarter were associated with authentication and access control issues.

The report also addresses the "AI Paradox." While AI offers powerful tools for defense, it is being leveraged just as effectively by attackers. 60% of cybercriminal groups now use generative AI for attacks. Simultaneously, 69% of organizations use AI-based security solutions for threat detection and prevention. The adoption of generative AI introduces new risks, with 60% of companies concerned about expanded attack surfaces and potential data exfiltration.

To combat this escalating crisis, the Cypress Data Defense report strongly advocates for adopting a DevSecOps culture, where security is integrated into every stage of the software development lifecycle. However, adoption remains a challenge. 60% of organizations report technical challenges as the primary hurdle to DevSecOps adoption, and developers struggle to use security testing tools (64%). Nevertheless, the benefits are clear: organizations with mature DevSecOps practices resolve flaws 11.5 times faster. The report recommends automation, proactive monitoring, and adopting a risk-based approach to vulnerability management.

In conclusion, the 2025 Cypress Data Defense report is not merely a collection of statistics but an urgent call to action. The software security crisis is real and accelerating. Without a fundamental shift towards proactive, integrated security, organizations will remain dangerously exposed to a threat landscape that is evolving faster than ever before.
