AppSec News
OWASP Top 10 2025 Released – The OWASP Top Ten list is getting an update for 2025, introducing two new categories and one consolidation. The new list still ranks Broken Access Control as the #1 risk (now absorbing SSRF issues), and it adds Software Supply Chain Failures (#3) and Mishandling of Exceptional Conditions (#10) as new categories. These changes reflect an evolving application security landscape heading into 2025.

AI-Powered AppSec Agents Emerge – OpenAI and Google DeepMind made headlines by introducing AI “agent” tools to automate application security tasks. Google DeepMind’s CodeMender promises to not only detect code vulnerabilities but also automatically generate and validate patches to fix unsafe code, while OpenAI’s Aardvark (built on GPT-5) acts as an autonomous “security researcher” agent that continuously monitors code repositories, assesses exploitability, and proposes fixes at scale. These agentic AppSec AI tools signal a new wave of autonomous code security in the SDLC.

Bug Bounty Wars: Google and Apple Raise the Bar
Google launched a new AI Vulnerability Reward Program with payouts up to $30,000 for bugs in models like Gemini and AI‑powered Workspace features. Meanwhile, Apple revamped its bug bounty program, offering up to $2 million for zero-click remote exploits and up to $5 million for critical iOS vulnerabilities. Both companies are clearly aiming to outbid private exploit buyers and pull top researchers into the public disclosure pipeline.
Takeaway: If you run a security program, take a page from Google and Apple and align incentives before attackers do. Review your vuln disclosure and bounty programs to make sure they actually attract researchers rather than frustrate them. A little more transparency (and maybe a bit more budget) can go a long way in keeping talent on your side.

OWASP SAMM & DSOMM Community Day
On November 5, the OWASP SAMM project teamed up with the DevSecOps Maturity Model (DSOMM) community for a joint User Day at Global AppSec DC. This day-long event brought practitioners together to share real-world experiences using SAMM and DSOMM, helping organizations advance their software security maturity through frameworks and peer learning. Organizations can leverage insights from SAMM/DSOMM User Days by adopting these maturity models and joining future community calls or events to continuously improve their AppSec programs.

Open Source SecurityCon 2025
The first-ever Open Source SecurityCon, a collaboration between OpenSSF and CNCF, took place on November 10, 2025 in Atlanta alongside KubeCon + CloudNativeCon NA. This community-driven conference brought together developers, security engineers, industry leaders, and open source maintainers to tackle topics ranging from secure software development and supply chain security to identity management and policy best practices. It marks an unprecedented cross-industry effort to unify the cloud-native and open-source security communities, highlighting that security is a shared responsibility. All session recordings and materials are available here.
Takeaway: If you build or depend on open source, now’s the time to plug into the OpenSSF and CNCF security efforts. Watch the Open Source SecurityCon sessions, join the working groups, and start contributing; even small efforts move the needle on shared security.

Free AI/ML Secure Development Course
OpenSSF launched a free “Secure AI/ML-Driven Software Development” course in late October. This one-hour e-learning offering helps developers and software teams understand the security risks of integrating AI/ML into applications, from exposure to untrusted data when using AI coding assistants to potential model abuse via external prompts. As AI tools become commonplace in development, ensuring they’re used securely is key to a robust secure-by-design culture. Check out the free course here.

Fortinet FortiWeb Zero-Day Exploited to Create Admin Accounts
A path traversal flaw in Fortinet’s FortiWeb API allowed unauthenticated attackers to bypass login and create admin accounts. Because FortiWeb is a web application firewall, this exposed the very layer meant to shield backend apps. The vulnerability was actively exploited in October before Fortinet quietly released a patch. Exploits were easy to replicate, and many devices were internet-exposed.
Takeaway: This highlights how security appliances are not immune to AppSec flaws. Unpatched or unmonitored admin interfaces, even on WAFs, can become entry points. Fortinet’s initial silence also reinforces the need to monitor threat intel beyond official vendor channels.
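The general lesson behind a path-traversal authentication bypass is that an access-control decision made on the raw request path can disagree with the path the router actually serves. The following example is added here for illustration; it is not Fortinet's code and does not reproduce the FortiWeb flaw. The admin prefix, the two guard functions, and the sample requests are all hypothetical and constructed. It shows a naive prefix check beside a hardened one that canonicalizes (percent-decodes, collapses dot segments and duplicate slashes) before deciding, and runs both over the same constructed requests.

```python
"""Illustrative only: a route guard that authorizes on the raw path versus one
that authorizes on the canonical path. Hypothetical code, not a vendor's."""
from urllib.parse import unquote
import posixpath

# Hypothetical protected area: everything under /api/admin needs a session.
ADMIN_PREFIX = "/api/admin/"


def canonicalize(raw_path: str) -> str:
    """Turn the client-supplied path into the form the backend router would use:
    repeatedly percent-decode (collapses double encoding), then normalize
    '.', '..' and repeated slashes with posixpath.normpath."""
    path = raw_path
    for _ in range(3):                      # bounded, so hostile input can't loop forever
        decoded = unquote(path)
        if decoded == path:
            break
        path = decoded
    if not path.startswith("/"):
        path = "/" + path
    normalized = posixpath.normpath(path)   # resolves /a/../b -> /b, a//b -> a/b
    if normalized.startswith("//"):         # POSIX keeps exactly two leading slashes; we don't
        normalized = normalized[1:]
    if path.endswith("/") and not normalized.endswith("/"):
        normalized += "/"                   # normpath drops a trailing slash; restore it
    return normalized


def naive_requires_auth(raw_path: str) -> bool:
    """Vulnerable pattern: the decision is made on the path exactly as sent."""
    return raw_path.startswith(ADMIN_PREFIX)


def hardened_requires_auth(raw_path: str) -> bool:
    """Hardened pattern: decide on the canonical path; also cover the bare
    prefix without a trailing slash so /api/admin is not a loophole."""
    canonical = canonicalize(raw_path)
    return canonical == ADMIN_PREFIX.rstrip("/") or canonical.startswith(ADMIN_PREFIX)


def handle(raw_path: str, authenticated: bool, requires_auth) -> str:
    """Tiny dispatcher: 401 when the guard demands a session and there is none,
    otherwise report the canonical path the backend would serve."""
    if requires_auth(raw_path) and not authenticated:
        return "401"
    return "200 " + canonicalize(raw_path)


# Constructed sample requests, all from an unauthenticated client.
SAMPLES = [
    "/api/admin/users",                      # plain; both guards catch it
    "/api/public/../admin/users",            # dot-segment past a public prefix
    "/api/%61dmin/users",                    # percent-encoded letter in the prefix
    "/api//admin/users",                     # duplicate slash
    "/api/public/%252e%252e/admin/users",    # double-encoded '..'
    "/api/admin",                            # bare prefix without trailing slash
]


def evaluate() -> dict:
    """For each sample, record what each guard decides and the canonical path."""
    return {
        p: {
            "naive": naive_requires_auth(p),
            "hardened": hardened_requires_auth(p),
            "canonical": canonicalize(p),
        }
        for p in SAMPLES
    }


if __name__ == "__main__":
    for path, r in evaluate().items():
        print(f"{path:40} naive={str(r['naive']):5} hardened={str(r['hardened']):5} -> {r['canonical']}")
```

The point of the side-by-side run is that every sample after the first reaches the admin handler unauthenticated under the naive guard and is refused under the hardened one. The fix is not a denylist of `..` strings; it is making the authorization layer and the router agree on one canonical path before any decision is taken, which is exactly the check a WAF or API gateway in front of a backend needs to get right.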

F5 BIG-IP Source Code Breach & 0-Day Disclosure
A nation-state actor maintained long-term access to F5’s internal development network, stealing source code and details of unpublished vulnerabilities in BIG-IP products. Though tampering wasn’t detected, CISA issued an emergency directive due to the potential for 0-day exploitation. The breach was discovered in August but kept quiet until October. This is a high-risk supply chain incident. The attacker gained insights into the internal design of a critical infrastructure product used globally. Organizations using BIG-IP now face the risk that attackers may possess vulnerability knowledge before patches are available.
Takeaway: Supply chain risk isn’t just about your dependencies; it’s about your vendors’ codebases too. If you rely on F5 or similar infrastructure products, tighten your monitoring and shorten your patch cycles now. Assume adversaries may know more than you do for a while.
