{"id":106270,"date":"2025-12-30T01:00:00","date_gmt":"2025-12-29T23:00:00","guid":{"rendered":"https:\/\/staging.checkmarx.com\/?post_type=zero-post&#038;p=106270"},"modified":"2026-02-27T20:38:34","modified_gmt":"2026-02-27T18:38:34","slug":"2025-was-quietly-good-for-application-security","status":"publish","type":"zero-post","link":"https:\/\/checkmarx.com\/zero-post\/2025-was-quietly-good-for-application-security\/","title":{"rendered":"2025 Was Quietly Good for Application Security"},"content":{"rendered":"<style type=\"text\/css\">@import url(\"https:\/\/cdnjs.cloudflare.com\/ajax\/libs\/highlight.js\/11.11.1\/styles\/vs2015.min.css\");@font-face{font-family:'Hack';src:url('https:\/\/cdnjs.cloudflare.com\/ajax\/libs\/hack-font\/3.3.0\/web\/fonts\/hack-regular-subset.woff2') format('woff2')}:root{--code-font:'Hack','Menlo','Consolas',monospace !important;--code-bg:#1e1e1e;--code-color:#0c1;--code-dim:#071;--text-color:#121185;--highlight-color:#f8ff91;--highlight-color-alt:#736ca0}article.content{max-width:100% !important;min-width:80% !important;width:99% !important}.wp-block-code code{text-wrap:nowrap !important}figure{margin-top:1.5rem;margin-bottom:1.5rem}p.caption,figcaption{font-size:1rem !important;font-style:italic !important;color:var(--code-dim) !important}p.caption *,figcaption *{font-size:inherit !important}div.callout{max-width:80% !important;padding-top:.5rem;padding-bottom:.5rem;margin-top:1rem;margin-bottom:1rem;display:block;margin-left:10%;border-top:.3rem solid #121185;border-bottom:.3rem solid #121185}div.callout p{font-size:x-large;text-align:left;font-weight:bold}.cxzero-video-include{display:block;max-width:1920px;width:100%;padding-top:1rem;padding-bottom:1rem}.cxzero-video-include video{display:block;padding:.5rem;background-color:var(--code-bg);width:98%;object-fit:cover}pre.wp-block-code,pre.highlighted-code,pre.sourceCode,pre{border:1px solid 
var(--code-color);width:90%;background-color:var(--code-bg);color:var(--code-color);margin:1em;padding:2em;overflow-x:scroll;font-family:var(--code-font);font-size:10.5pt;line-height:1.1em;text-wrap:nowrap !important;box-shadow:5px 5px 13px 0 var(--code-bg)}* kbd,* code,* tt{font-family:var(--code-font);padding-inline:.5em;color:var(--code-dim);font-size:85%}pre code{color:var(--code-color);font-size:90%}pre.highlighted-code span{font-family:var(--code-font);font-size:10.5pt;color:var(--code-color)}pre.highlighted-code span.comment{font-style:italic;color:var(--code-dim)}pre.highlighted-code span.keyword,pre.highlighted-code span.preproc{font-weight:bold;font-style:oblique}blockquote,blockquote *{font-size:1.375rem !important;font-style:italic !important}blockquote{border-left:.1rem solid;padding-left:1rem}mark,mark *{background-color:var(--highlight-color) !important}mark.ai-content,mark.ai-content *{background-color:var(--highlight-color-alt) !important;color:#fff !important}.cxzero-cve-block{border:1px solid var(--code-color,#0c1);padding:.5rem;p{padding:0;margin:0}span.vulndesc{display:block;font-size:.9rem;font-weight:400;font-style:italic}span.cvss::before{content:\"  \"}span.cvss{background:#fe0}span.cvss.critical{background:#c00;color:#eee}span.cvss.high{background:#ffac1c;color:#0015ff}span.vector::before{content:\"\u25b8\"}span.vector,span.vector *{overflow-wrap:break-word;font-family:var(--code-font);font-size:10pt}.kev{display:block;font-weight:bold}.kev::before{content:\"\u203c\ufe0f\"}}.print-source-info{display:none}@media print{.header,.header *,.article-nav,.article-nav *,.aticle-nav,.aticle-nav *,.section_latest,.section-latest *,footer,footer *,.section-menu-page,.section-menu-page *,.top-menu,.top-menu *,.top-menu__container,.top-menu__container *,.section-zero-article,.section-zero-article *{display:none}@page{margin:13mm !important}.section-aticle-header__image-or-video{max-width:125mm}.print-source-info{display:block;border-left:.2rem solid 
#000;font-style:italic !important;font-size:85%;padding-left:1rem}}<\/style> <script src=\"https:\/\/cdnjs.cloudflare.com\/ajax\/libs\/highlight.js\/11.11.1\/highlight.min.js\" integrity=\"sha512-EBLzUL8XLl+va\/zAsmXwS7Z2B1F9HUHkZwyS\/VKwh3S7T\/U0nF4BaU29EP\/ZSf6zgiIxYAnKLu6bJ8dqpmX5uw==\" crossorigin=\"anonymous\" referrerpolicy=\"no-referrer\"><\/script> <script>hljs.highlightAll();<\/script> \n\n\n\n<p class=\"print-source-info\"><script>document.write(\"Copyright Checkmarx, all rights reserved. Retrieved \"+new Date().toLocaleDateString()+\" from<br\/>\"+window.location.href);<\/script><noscript>This document copyright Checkmarx, all rights reserved.<\/noscript><\/p>\n\n\n\n<p>So much of Application Security is focused on negative things: new attack methods, new vulnerabilities in tools and libraries, new weaknesses in systems and infrastructure our organizations and developers rely on. But a lot <em>good<\/em> happens too.<\/p>\n\n\n\n<p>2025 had major challenges: from <a href=\"https:\/\/checkmarx.com\/blog\/the-mitre-cve-program-funding-situation-response-from-checkmarx\/\">almost losing CVE<\/a>, to <a href=\"https:\/\/checkmarx.com\/zero-post\/inside-shai-huluds-maw-how-the-npm-worm-exploits-and-propagates\/\">the world\u2019s first NPM worm<\/a>. But it also had some big wins. 
Not products, not press releases, not empty promises: real, meaningful changes that made it easier for developers and AppSec teams to do the right thing \u2014 the <em>safe<\/em> thing \u2014 under real-world constraints.<\/p>\n\n\n\n<p>Here are six of them:<\/p>\n\n\n\n<h2 class=\"wp-block-heading article-anchor\" id=\"article-anchor-1\">1) Publishing Malicious JavaScript Packages Became Meaningfully Harder<\/h2>\n\n\n\n<p>No one wanted Shai-Hulud, and certainly not <em>two rounds<\/em> of it, but it was the final straw that pushed the big players in the JavaScript and TypeScript ecosystem to make changes that leave adversaries with a much harder job turning trusted npm packages into malware vectors.<\/p>\n\n\n\n<p>The public npm registry made changes that directly reduced risk for maintainers and consumers, and GitHub reinforced and accelerated several of its programs:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>\n<strong>Mandatory 2FA for high-impact publishers<\/strong> dramatically increases the effort required to take over a legitimate developer\u2019s account. GitHub has required 2FA for a while, and npm finally joined it, which makes simple credential phishing of publishers of critical libraries far less effective. One caveat for maintainers: a time-based code can still be phished in real time by a proxying site, so where the registry offers a WebAuthn security key or passkey as the second factor, use it.<\/li>\n\n\n\n<li>\n<strong>Trusted publishing using short-lived tokens replacing broad \u201cforever credentials\u201d.<\/strong>\u00a0 The npm registry rolled out Trusted Publishing in mid-2025, an approach <a href=\"https:\/\/docs.pypi.org\/trusted-publishers\/\">first adopted by the Python Package Index (PyPI)<\/a>, which lets CI\/CD platforms authenticate with OIDC and receive very short-lived, narrowly scoped tokens to publish packages. This makes harvesting npm credentials much less attractive, since anything an attacker grabs becomes useless very quickly. GitHub Actions supported it from the start, and after Shai-Hulud GitHub pushed harder to get organizations onto this safer pathway.<\/li>\n\n\n\n<li>\n<strong>Removal of legacy token creation paths that attackers routinely abused,<\/strong> specifically the so-called \u201cclassic\u201d access tokens, which never expired and could publish to every package their owner could access. In December 2025, npm revoked all remaining classic tokens, leaving granular access tokens as the only option: tokens scoped to specific packages that are valid for 7 days by default (broader scopes and lifetimes of up to 90 days have to be chosen deliberately). This shrinks the blast radius of a leaked or stolen token by limiting both how long it works and which packages it can touch.<\/li>\n\n\n\n<li>\n<strong>Faster coordinated takedowns when malicious campaigns were confirmed.<\/strong> GitHub and npm established paths to work together to respond quickly to malware campaigns, and the defender community as a whole shifted toward working more in the open.<\/li>\n<\/ul>\n\n\n\n<p>Taken together, these changes make life significantly harder for attackers while requiring little from developers and AppSec teams.<\/p>\n\n\n\n<h2 class=\"wp-block-heading article-anchor\" id=\"article-anchor-2\">2) Developer Tooling Got Safer by Default<\/h2>\n\n\n\n<p>With Microsoft\u2019s Visual Studio Code and GitHub\u2019s code hosting and Actions CI\/CD platform leading the way, 2025 saw quiet improvements to default configurations designed to protect developers from supply-chain attacks and other threats aimed at them. A few examples:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>\n<strong>Tighter execution boundaries for plugins and extensions. 
<\/strong>Platforms like Microsoft\u2019s Visual Studio Code responded to \u201czero-click\u201d classes of attack by requiring more extensions to be explicitly activated rather than running automatically after installation, by making it harder for developers to accidentally bypass or disable <a href=\"https:\/\/code.visualstudio.com\/docs\/editing\/workspaces\/workspace-trust\">Workspace Trust<\/a> controls, and by scrutinizing easy-to-exploit behaviors such as background execution without user interaction.<\/li>\n\n\n\n<li>\n<strong>Reduced default permissions for third-party integrations.<\/strong> We saw an increased emphasis on safe defaults and least privilege for plugins and other third-party integrations, such as GitHub\u2019s tightening of the default permissions granted to the per-job <code>GITHUB_TOKEN<\/code> in Actions. Reducing the default scope of that token, which already expires when the job ends, significantly raised the effort required for common attacks with a minimum of disruption to DevOps and developer teams.<\/li>\n\n\n\n<li>\n<strong>Better isolation of build and test contexts from developer credentials.<\/strong> With several providers working together to make OIDC and other short-lived, tightly scoped credentials the default and recommended pathway for cross-service integration, separating build and test access from developer access to systems became the straightforward default. Developers keep their velocity because build and test operations reliably function, and organizations stay protected when a developer account or workstation is compromised.<\/li>\n<\/ul>\n\n\n\n<p>Safer defaults and secure paved paths make the secure way the easy way, and allow organizations to be more secure and resilient without risking developer productivity. 
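<\/p>\n\n\n\n<p>To make these paved paths concrete, here is an added example (not code from the original post, and not npm\u2019s or GitHub\u2019s own) of a release workflow for a hypothetical package before and after the changes described in sections 1 and 2. The repository, package and environment names are placeholders, and the \u201cafter\u201d workflow assumes the package already has a GitHub Actions trusted publisher registered in its settings on npmjs.com.<\/p>

```yaml
# Added example, not code from the original post and not npm's or GitHub's own.
# Release workflow for a hypothetical package, before and after the 2025 changes.
# Repository, package and environment names are placeholders.

# BEFORE: a never-expiring automation token stored as a repository secret.
# Anyone who exfiltrates NPM_TOKEN (a compromised third-party action, a leaky
# log line, a workstation that once copied it) can publish as the maintainer
# until someone notices and revokes it, and the job also inherits whatever
# default GITHUB_TOKEN permissions the repository grants.
name: publish (legacy token)
on:
  release:
    types: [published]
jobs:
  publish:
    runs-on: ubuntu-latest
    steps:
      - uses: actions\/checkout@v4
      - uses: actions\/setup-node@v4
        with:
          node-version: 22
          registry-url: https:\/\/registry.npmjs.org
      - run: npm ci && npm test
      - run: npm publish
        env:
          NODE_AUTH_TOKEN: ${{ secrets.NPM_TOKEN }}
---
# AFTER: trusted publishing. No npm credential lives in the repository at all.
# The job requests an OIDC token from GitHub (id-token: write), npm checks it
# against the trusted publisher registered for the package on npmjs.com
# (repository owner and name, this workflow's file name and, if set, the
# environment) and mints a short-lived credential for this one publish. A
# copy stolen from the job is useless minutes later, and npm records
# provenance for the release automatically.
name: publish (trusted publishing)
on:
  release:
    types: [published]
permissions: {}              # workflow default: nothing; each job asks for what it needs
jobs:
  publish:
    runs-on: ubuntu-latest
    environment: npm-release   # optional extra gate: required reviewers live here
    permissions:
      contents: read           # enough for checkout
      id-token: write          # required for the OIDC exchange
    steps:
      - uses: actions\/checkout@v4
      - uses: actions\/setup-node@v4
        with:
          node-version: 22
          registry-url: https:\/\/registry.npmjs.org
      # Trusted publishing needs npm 11.5.1 or newer; the npm bundled with
      # Node 22 predates it, so upgrade the CLI before publishing.
      - run: npm install -g npm@latest
      - run: npm ci && npm test
      - run: npm publish       # no NODE_AUTH_TOKEN: the OIDC token does the work
```

\n\n\n\n<p>What to check when adopting this: the trusted publisher entry on npmjs.com must name exactly this workflow file (and environment, if one is set), the job must request <code>id-token: write<\/code> itself rather than inheriting it, and once the workflow is green the old automation token should be revoked rather than left around \u201cjust in case\u201d.<\/p>\n\n\n\n<p>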
Not annoying developers is a great outcome for any appsec improvement!<\/p>\n\n\n\n<h2 class=\"wp-block-heading article-anchor\" id=\"article-anchor-3\">3) GitHub Made Malicious Pull Requests Easier to Defend Against<\/h2>\n\n\n\n<p>Since the introduction of <code>pull_request_target<\/code> events in GitHub Actions, GitHub has been warning developers and DevOps teams that <a href=\"https:\/\/securitylab.github.com\/resources\/github-actions-preventing-pwn-requests\/\">their convenience comes with some risk<\/a>. Unlike a plain <code>pull_request<\/code> event, a <code>pull_request_target<\/code> workflow runs in the context of the base repository, with a privileged <code>GITHUB_TOKEN<\/code> and access to repository secrets, even when the pull request comes from a fork. It\u2019s easy to configure this class of event in a way that leads to \u201cpwn requests\u201d: a workflow that checks out and executes the pull request\u2019s own code (an install script, a test command, a linter config) lets a malicious pull request read those secrets and pass them off to attackers.<\/p>\n\n\n\n<p>But GitHub didn\u2019t just throw up their hands and say \u201cthis is on you to use safely\u201d: <a href=\"https:\/\/github.blog\/changelog\/2025-11-07-actions-pull_request_target-and-environment-branch-protections-changes\/\">they added new constraints<\/a> in December 2025 to limit external PRs\u2019 access to potentially insecure workflow files and to completely close off attacks that relied on supplying untrusted branch names.<\/p>\n\n\n\n<p>This was a great example of an organization balancing developer and contributor needs for automation and velocity against the value of safe defaults, configurations that are simpler to audit, and a better-defended open-source ecosystem.<\/p>\n\n\n\n<h2 class=\"wp-block-heading article-anchor\" id=\"article-anchor-4\">4) \u201cSupply Chain Risk\u201d Became a Shared Language<\/h2>\n\n\n\n<p>Not all improvements are technical achievements; application security is a socio-technical system, after all, and changes that help people communicate across the boundaries between development, security, operations, and leadership are an important part of the equation.<\/p>\n\n\n\n<p>So it might seem odd to be excited that a new term rose to prominence, but it really did make a difference. Through the work of researchers, <a href=\"https:\/\/cheatsheetseries.owasp.org\/cheatsheets\/Software_Supply_Chain_Security_Cheat_Sheet.html\">industry groups like OWASP<\/a>, and AppSec leaders across organizations, we finally found a way to help developers and operations teams understand the need for fundamental change in the software supply chain.<\/p>\n\n\n\n<p>It represents a shift in software delivery culture toward understanding the value of protecting the supply chain: not \u201coh look, another security alert to put on the pile\u201d, but a framing that helps to:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Shift patching and related activities to being seen as architectural and process essentials, not failures to blame on someone<\/li>\n\n\n\n<li>Justify SDLC improvements meant to prevent issues and decrease remediation effort, like <a href=\"https:\/\/checkmarx.com\/malicious-packages-identification-api\/\">proactive defense against malicious open-source packages<\/a>\n<\/li>\n\n\n\n<li>Improve alignment on supply chain controls and defenses among developers, operations, security, and other parts of software delivery<\/li>\n<\/ul>\n\n\n\n<p>It\u2019s a small step, but one that marks real progress toward a safer software supply chain and less pressure on developers.<\/p>\n\n\n\n<h2 class=\"wp-block-heading article-anchor\" id=\"article-anchor-5\">5) Security Researchers Collaborated More<\/h2>\n\n\n\n<p>Another example of a \u201csoft\u201d improvement I\u2019m excited about is a shift in the research community, especially around the response to critical vulnerabilities and impactful malware campaigns.<\/p>\n\n\n\n<p>In 2025, we saw:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Less competition for headlines, in favor of coordinated disclosure and an emphasis on keeping the community safe<\/li>\n\n\n\n<li>Collaboration across impacted organizations during events like Shai-Hulud, with researchers encouraging and enabling information-sharing and response rather than trying to control the conversation<\/li>\n\n\n\n<li>More credit-sharing and boosting of signal, with researchers highlighting others\u2019 work even as they expand upon it<\/li>\n<\/ul>\n\n\n\n<p>For defenders, this meant less time spent trying to figure out what\u2019s happening and what to do, and far fewer \u201cpanic-driven\u201d incident response behaviors. For researchers, it reinforced trust within the community and between researchers, platform operators, and defenders: trust that\u2019s critical to rapid mitigation and remediation of issues outside traditional processes.<\/p>\n\n\n\n<h2 class=\"wp-block-heading article-anchor\" id=\"article-anchor-6\">6) The Security Community Reduced Its Reliance on a Single Government<\/h2>\n\n\n\n<p>April 2025 brought <a href=\"https:\/\/checkmarx.com\/blog\/the-mitre-cve-program-funding-situation-response-from-checkmarx\/\">a close call for MITRE\u2019s CVE program<\/a>, when uncertainty about whether US federal funding for CVE and related programs would continue caused a brief panic about the programs\u2019 future. But the community\u2019s response demonstrated the resilience of security leaders and practitioners:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Founding of the <a href=\"https:\/\/www.thecvefoundation.org\/\">CVE Foundation<\/a>, a group committed to diversifying funding sources and establishing clearer and more independent governance for the CVE program<\/li>\n\n\n\n<li>Increased attention and commitment to <a href=\"https:\/\/euvd.enisa.europa.eu\/\">the EUVD<\/a>, ENISA\u2019s alternative to the US NVD that serves (among other things) as a \u201cbackup plan\u201d for organizations that rely heavily on the CVE system<\/li>\n\n\n\n<li>Greater support for <a href=\"https:\/\/osv.dev\/\">OSV<\/a>, a vulnerability database focused on the open-source ecosystem; as a collaboration between Google and the OpenSSF, it provides independence from MITRE\u2019s CVE program<\/li>\n<\/ul>\n\n\n\n<p>The response was a great reminder that the application security community isn\u2019t reliant on just one dominant source, but has the tools and foresight to keep the world safe even under challenging circumstances.<\/p>\n\n\n\n<h2 class=\"wp-block-heading article-anchor\" id=\"article-anchor-7\">Why This Matters<\/h2>\n\n\n\n<p>A lot of our work at <a href=\"https:\/\/checkmarx.com\/zero\/\">Checkmarx Zero<\/a> focuses on the bad things that are happening. It\u2019s important to let people know when there are new attacks, new risks to worry about, malware campaigns targeting developers, and so on. But it\u2019s just as important to remember that it\u2019s <em>not<\/em> a losing battle. We and our colleagues across the application security community and in the broader security world do a lot of good. Even when it seems like the attackers must surely be winning \u2014 perhaps <em>especially<\/em> when it seems that way \u2014 we must remember that thousands of us show up every day and make the world a safer place.<\/p>
in the <a href=\"\/legal\/privacy-policy\/\" target=\"_blank\">Checkmarx\u00a0Privacy\u00a0Policy<\/a> and to the processing of my personal data as described therein. By clicking submit above, you consent to allow Checkmarx to store and process the personal information submitted above to provide you the content requested.<\/p>\n                        <\/div>\n                    <\/div>\n                <\/div>\n            <\/header>\n        <\/div>\n    <\/div>\n<\/div>","protected":false},"excerpt":{"rendered":"<p>A grounded look at why 2025 was quietly good for developers and AppSec practitioners\u2014real ecosystem changes, safer defaults, and community shifts that reduced risk without slowing teams down. <\/p>\n","protected":false},"author":137,"featured_media":106271,"template":"","zero-category":[1067,1176],"zero-tag":[1471,1089,1069,1438,1337,1472],"class_list":["post-106270","zero-post","type-zero-post","status-publish","has-post-thumbnail","hentry","zero-category-blog","zero-category-security-blogs","zero-tag-1471","zero-tag-application-security","zero-tag-appsec","zero-tag-checkmarx-zero","zero-tag-npm","zero-tag-positive"],"acf":[],"yoast_head":"<!-- This site is optimized with the Yoast SEO plugin v27.1.1 - https:\/\/yoast.com\/product\/yoast-seo-wordpress\/ -->\n<title>2025 Was Quietly Good for Application Security - Checkmarx<\/title>\n<meta name=\"robots\" content=\"index, follow, max-snippet:-1, max-image-preview:large, max-video-preview:-1\" \/>\n<link rel=\"canonical\" href=\"https:\/\/checkmarx.com\/zero-post\/2025-was-quietly-good-for-application-security\/\" \/>\n<meta property=\"og:locale\" content=\"en_US\" \/>\n<meta property=\"og:type\" content=\"article\" \/>\n<meta property=\"og:title\" content=\"2025 Was Quietly Good for Application Security - Checkmarx\" \/>\n<meta property=\"og:description\" content=\"A grounded look at why 2025 was quietly good for developers and AppSec practitioners\u2014real ecosystem changes, safer defaults, 
and community shifts that reduced risk without slowing teams down.\" \/>\n<meta property=\"og:url\" content=\"https:\/\/checkmarx.com\/zero-post\/2025-was-quietly-good-for-application-security\/\" \/>\n<meta property=\"og:site_name\" content=\"Checkmarx\" \/>\n<meta property=\"article:publisher\" content=\"https:\/\/www.facebook.com\/Checkmarx.Source.Code.Analysis\" \/>\n<meta property=\"article:modified_time\" content=\"2026-02-27T18:38:34+00:00\" \/>\n<meta property=\"og:image\" content=\"https:\/\/checkmarx.com\/wp-content\/uploads\/2025\/12\/cxzero-feature_2025-quietly-good-unicorn.webp\" \/>\n\t<meta property=\"og:image:width\" content=\"2560\" \/>\n\t<meta property=\"og:image:height\" content=\"1280\" \/>\n\t<meta property=\"og:image:type\" content=\"image\/webp\" \/>\n<meta name=\"twitter:card\" content=\"summary_large_image\" \/>\n<meta name=\"twitter:site\" content=\"@checkmarx\" \/>\n<meta name=\"twitter:label1\" content=\"Est. reading time\" \/>\n\t<meta name=\"twitter:data1\" content=\"8 minutes\" \/>\n<script type=\"application\/ld+json\" class=\"yoast-schema-graph\">{\"@context\":\"https:\/\/schema.org\",\"@graph\":[{\"@type\":\"WebPage\",\"@id\":\"https:\/\/checkmarx.com\/zero-post\/2025-was-quietly-good-for-application-security\/\",\"url\":\"https:\/\/checkmarx.com\/zero-post\/2025-was-quietly-good-for-application-security\/\",\"name\":\"2025 Was Quietly Good for Application Security - 
Checkmarx\",\"isPartOf\":{\"@id\":\"https:\/\/checkmarx.com\/#website\"},\"primaryImageOfPage\":{\"@id\":\"https:\/\/checkmarx.com\/zero-post\/2025-was-quietly-good-for-application-security\/#primaryimage\"},\"image\":{\"@id\":\"https:\/\/checkmarx.com\/zero-post\/2025-was-quietly-good-for-application-security\/#primaryimage\"},\"thumbnailUrl\":\"https:\/\/checkmarx.com\/wp-content\/uploads\/2025\/12\/cxzero-feature_2025-quietly-good-unicorn.webp\",\"datePublished\":\"2025-12-29T23:00:00+00:00\",\"dateModified\":\"2026-02-27T18:38:34+00:00\",\"inLanguage\":\"en-US\",\"potentialAction\":[{\"@type\":\"ReadAction\",\"target\":[\"https:\/\/checkmarx.com\/zero-post\/2025-was-quietly-good-for-application-security\/\"]}]},{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\/\/checkmarx.com\/zero-post\/2025-was-quietly-good-for-application-security\/#primaryimage\",\"url\":\"https:\/\/checkmarx.com\/wp-content\/uploads\/2025\/12\/cxzero-feature_2025-quietly-good-unicorn.webp\",\"contentUrl\":\"https:\/\/checkmarx.com\/wp-content\/uploads\/2025\/12\/cxzero-feature_2025-quietly-good-unicorn.webp\",\"width\":2560,\"height\":1280,\"caption\":\"A partially cybernetic unicorn with purple eyes blasts a neon rainbow of positivity over its left shoulder.\"},{\"@type\":\"WebSite\",\"@id\":\"https:\/\/checkmarx.com\/#website\",\"url\":\"https:\/\/checkmarx.com\/\",\"name\":\"Checkmarx\",\"description\":\"The world runs on code. 
We secure it.\",\"publisher\":{\"@id\":\"https:\/\/checkmarx.com\/#organization\"},\"potentialAction\":[{\"@type\":\"SearchAction\",\"target\":{\"@type\":\"EntryPoint\",\"urlTemplate\":\"https:\/\/checkmarx.com\/?s={search_term_string}\"},\"query-input\":{\"@type\":\"PropertyValueSpecification\",\"valueRequired\":true,\"valueName\":\"search_term_string\"}}],\"inLanguage\":\"en-US\"},{\"@type\":\"Organization\",\"@id\":\"https:\/\/checkmarx.com\/#organization\",\"name\":\"Checkmarx\",\"url\":\"https:\/\/checkmarx.com\/\",\"logo\":{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\/\/checkmarx.com\/#\/schema\/logo\/image\/\",\"url\":\"https:\/\/checkmarx.com\/wp-content\/uploads\/2024\/02\/logo-dark.svg\",\"contentUrl\":\"https:\/\/checkmarx.com\/wp-content\/uploads\/2024\/02\/logo-dark.svg\",\"width\":1,\"height\":1,\"caption\":\"Checkmarx\"},\"image\":{\"@id\":\"https:\/\/checkmarx.com\/#\/schema\/logo\/image\/\"},\"sameAs\":[\"https:\/\/www.facebook.com\/Checkmarx.Source.Code.Analysis\",\"https:\/\/x.com\/checkmarx\",\"https:\/\/www.youtube.com\/user\/CheckmarxResearchLab\",\"https:\/\/www.linkedin.com\/company\/checkmarx\"]}]}<\/script>\n<!-- \/ Yoast SEO plugin. 
-->","yoast_head_json":{"title":"2025 Was Quietly Good for Application Security - Checkmarx","robots":{"index":"index","follow":"follow","max-snippet":"max-snippet:-1","max-image-preview":"max-image-preview:large","max-video-preview":"max-video-preview:-1"},"canonical":"https:\/\/checkmarx.com\/zero-post\/2025-was-quietly-good-for-application-security\/","og_locale":"en_US","og_type":"article","og_title":"2025 Was Quietly Good for Application Security - Checkmarx","og_description":"A grounded look at why 2025 was quietly good for developers and AppSec practitioners\u2014real ecosystem changes, safer defaults, and community shifts that reduced risk without slowing teams down.","og_url":"https:\/\/checkmarx.com\/zero-post\/2025-was-quietly-good-for-application-security\/","og_site_name":"Checkmarx","article_publisher":"https:\/\/www.facebook.com\/Checkmarx.Source.Code.Analysis","article_modified_time":"2026-02-27T18:38:34+00:00","og_image":[{"width":2560,"height":1280,"url":"https:\/\/checkmarx.com\/wp-content\/uploads\/2025\/12\/cxzero-feature_2025-quietly-good-unicorn.webp","type":"image\/webp"}],"twitter_card":"summary_large_image","twitter_site":"@checkmarx","twitter_misc":{"Est. 
reading time":"8 minutes"},"schema":{"@context":"https:\/\/schema.org","@graph":[{"@type":"WebPage","@id":"https:\/\/checkmarx.com\/zero-post\/2025-was-quietly-good-for-application-security\/","url":"https:\/\/checkmarx.com\/zero-post\/2025-was-quietly-good-for-application-security\/","name":"2025 Was Quietly Good for Application Security - Checkmarx","isPartOf":{"@id":"https:\/\/checkmarx.com\/#website"},"primaryImageOfPage":{"@id":"https:\/\/checkmarx.com\/zero-post\/2025-was-quietly-good-for-application-security\/#primaryimage"},"image":{"@id":"https:\/\/checkmarx.com\/zero-post\/2025-was-quietly-good-for-application-security\/#primaryimage"},"thumbnailUrl":"https:\/\/checkmarx.com\/wp-content\/uploads\/2025\/12\/cxzero-feature_2025-quietly-good-unicorn.webp","datePublished":"2025-12-29T23:00:00+00:00","dateModified":"2026-02-27T18:38:34+00:00","inLanguage":"en-US","potentialAction":[{"@type":"ReadAction","target":["https:\/\/checkmarx.com\/zero-post\/2025-was-quietly-good-for-application-security\/"]}]},{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/checkmarx.com\/zero-post\/2025-was-quietly-good-for-application-security\/#primaryimage","url":"https:\/\/checkmarx.com\/wp-content\/uploads\/2025\/12\/cxzero-feature_2025-quietly-good-unicorn.webp","contentUrl":"https:\/\/checkmarx.com\/wp-content\/uploads\/2025\/12\/cxzero-feature_2025-quietly-good-unicorn.webp","width":2560,"height":1280,"caption":"A partially cybernetic unicorn with purple eyes blasts a neon rainbow of positivity over its left shoulder."},{"@type":"WebSite","@id":"https:\/\/checkmarx.com\/#website","url":"https:\/\/checkmarx.com\/","name":"Checkmarx","description":"The world runs on code. 
We secure it.","publisher":{"@id":"https:\/\/checkmarx.com\/#organization"},"potentialAction":[{"@type":"SearchAction","target":{"@type":"EntryPoint","urlTemplate":"https:\/\/checkmarx.com\/?s={search_term_string}"},"query-input":{"@type":"PropertyValueSpecification","valueRequired":true,"valueName":"search_term_string"}}],"inLanguage":"en-US"},{"@type":"Organization","@id":"https:\/\/checkmarx.com\/#organization","name":"Checkmarx","url":"https:\/\/checkmarx.com\/","logo":{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/checkmarx.com\/#\/schema\/logo\/image\/","url":"https:\/\/checkmarx.com\/wp-content\/uploads\/2024\/02\/logo-dark.svg","contentUrl":"https:\/\/checkmarx.com\/wp-content\/uploads\/2024\/02\/logo-dark.svg","width":1,"height":1,"caption":"Checkmarx"},"image":{"@id":"https:\/\/checkmarx.com\/#\/schema\/logo\/image\/"},"sameAs":["https:\/\/www.facebook.com\/Checkmarx.Source.Code.Analysis","https:\/\/x.com\/checkmarx","https:\/\/www.youtube.com\/user\/CheckmarxResearchLab","https:\/\/www.linkedin.com\/company\/checkmarx"]}]}},"_links":{"self":[{"href":"https:\/\/checkmarx.com\/wp-json\/wp\/v2\/zero-post\/106270","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/checkmarx.com\/wp-json\/wp\/v2\/zero-post"}],"about":[{"href":"https:\/\/checkmarx.com\/wp-json\/wp\/v2\/types\/zero-post"}],"author":[{"embeddable":true,"href":"https:\/\/checkmarx.com\/wp-json\/wp\/v2\/users\/137"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/checkmarx.com\/wp-json\/wp\/v2\/media\/106271"}],"wp:attachment":[{"href":"https:\/\/checkmarx.com\/wp-json\/wp\/v2\/media?parent=106270"}],"wp:term":[{"taxonomy":"zero-category","embeddable":true,"href":"https:\/\/checkmarx.com\/wp-json\/wp\/v2\/zero-category?post=106270"},{"taxonomy":"zero-tag","embeddable":true,"href":"https:\/\/checkmarx.com\/wp-json\/wp\/v2\/zero-tag?post=106270"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}