Happy AppSec New Year - 2024 Recap

Application Security in 2024: Lessons Learned and What’s Coming in 2025

‍

2024 was a huge year for Application Security. We saw new technologies, new attacks, and new tools—but also the return of some old issues. As AI gained ground across the industry, it influenced both attackers and defenders. While some vulnerabilities were brand new, others like injection flaws, supply chain attacks, and authorization failures made big comebacks.

In this article, we’ll review the major security trends from 2024 and look ahead to what 2025 might bring.

‍

‍

Development Trends

‍

2024 was still very much the "Year of AI." Key trends included:

• Increased use of Python and Jupyter Notebooks, especially in AI and data science. However, this introduced risks in privacy, supply chain security, and misconfigured infrastructure.
• Up to 25% of new code at some companies was generated by AI tools, introducing concerns about insecure or poorly designed code.
• AI Agents like Copilot, Gemini, and the OpenAI desktop app became more common, often collecting user data and raising privacy concerns.

‍

‍

Notable Incidents

‍

Two major incidents stood out:

• xz-utils backdoor: A sophisticated attacker gained maintainer access to a critical utility over two years, then inserted a backdoor with remote code execution capabilities. It was discovered by chance during a performance review, and showed the fragility of our open-source supply chain.
• CrowdStrike outage: A faulty update to Falcon Sensor caused global outages, including in airports and data centers. It highlighted the risks of low-level bugs and the lack of recovery planning.

Takeaway: supply chains remain vulnerable, and even memory-safe stacks can suffer from unsafe dependencies or misbehaving drivers.

‍

‍

CVE and CWE Insights

‍

• Code Injection jumped 12 spots in the CWE Top 25 due to LLM-generated shell code issues.
• Uncontrolled Resource Consumption and Sensitive Information Disclosure entered the list, largely due to API misuse and AI integrations.
• Classic vulnerabilities like XSS, SQL Injection, and Authorization Bypass remained widespread.
• CVEs increased by 38% in 2024, partially due to the expanded attack surface from AI apps—but the average severity dropped, suggesting better reporting coverage.

‍

‍

Tooling Highlights

‍

New AI-powered tools in 2024 included:

• XBOW: A tool that automates vulnerability discovery and exploitation, already active on platforms like HackerOne.
• DryRun Security: Uses natural language to detect risks in pull requests—an alternative to tools like Semgrep or CodeQL.
• ZAP was acquired by Checkmarx.
• Other notable tools: Gato-X and zizmor (GitHub Actions auditing).

‍

‍

Predictions for 2025

‍

1. AI Overreliance Vulnerabilities

Improper use of AI will lead to:

• Classic injection vulnerabilities (XSS, SQLi, Code Injection)
• Prompt injection and unsafe interpolation of LLM output
  Industry will need stronger guidelines and tools for safe AI use.

‍

2. Open Source Supply Chain Attacks

Expect more nation-state-level supply chain attacks. The difficulty of securing the software supply chain remains high.

‍

3. Cloud and API Security

Cloud adoption will grow due to AI. Companies will need better visibility, hardening, and monitoring across their cloud and API infrastructure.

‍

‍

Conclusion

‍

2024 taught us that while tech evolves, many of the threats stay the same—or adapt to new platforms. As AI becomes more powerful, security must evolve with it.

Organizations need:

• Stronger supply chain protections
• Responsible use of AI tooling
• Regular security assessments and monitoring
• A plan for cloud and API security

Now’s the time to act—and stay one step ahead.