AppSec News

Constant Supply Chain Attacks Spark Reforms

September and October continued a troubling pattern of near-weekly discoveries of backdoored open-source packages. The most serious was the self-propagating npm worm "Shai-Hulud", which used stolen maintainer tokens to republish itself into hundreds of packages and ran a postinstall payload that harvested npm, GitHub and cloud credentials, including from CI pipelines. In response, ecosystem guardians are tightening defenses. GitHub, for example, announced stricter npm publishing rules after this year's supply chain breaches: FIDO-based 2FA for local publishing, granular access tokens that expire after 7 days, and trusted publishing from CI via OIDC instead of long-lived tokens. Recommendation: AppSec teams should likewise enforce phishing-resistant multi-factor auth for maintainers, commit lockfiles with integrity hashes, disable lifecycle scripts in CI where possible, and monitor dependencies for unexpected new versions and install hooks.
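One concrete way to act on the "monitor dependencies" recommendation is to audit the lockfile that CI actually installs from. Shai-Hulud's payload ran from an install-time lifecycle hook, so the check below flags packages that declare one, along with packages resolved from somewhere other than the expected registry and packages pinned without an integrity hash. This is an added example written for this page, not code from GitHub, npm or the Shai-Hulud write-ups; the lockfile it parses is a constructed sample with placeholder package names and hashes. It relies on the `packages` map and the `hasInstallScript`, `resolved`, `integrity` and `link` fields that npm writes into lockfileVersion 2 and 3 files.

```python
"""Audit an npm package-lock.json (lockfileVersion 2 or 3) for supply-chain red flags."""
import json
import sys
from urllib.parse import urlparse

# Constructed sample lockfile for the demo. Package names, URLs and hashes are
# placeholders, not real packages.
SAMPLE_LOCKFILE = json.dumps({
    "name": "demo-app",
    "lockfileVersion": 3,
    "packages": {
        "": {"name": "demo-app",
             "dependencies": {"left-widget": "^1.2.0", "colorizer": "^4.0.0"}},
        "node_modules/left-widget": {
            "version": "1.2.3",
            "resolved": "https://registry.npmjs.org/left-widget/-/left-widget-1.2.3.tgz",
            "integrity": "sha512-AAAA",
        },
        "node_modules/colorizer": {
            "version": "4.0.1",
            "resolved": "https://registry.npmjs.org/colorizer/-/colorizer-4.0.1.tgz",
            "integrity": "sha512-BBBB",
            "hasInstallScript": True,   # npm sets this when the package has a (pre|post)install hook
        },
        "node_modules/mystery-util": {
            "version": "0.0.9",
            "resolved": "https://example.invalid/mystery-util-0.0.9.tgz",  # not the registry
            "integrity": "sha512-CCCC",
        },
        "node_modules/nohash": {
            "version": "2.0.0",
            "resolved": "https://registry.npmjs.org/nohash/-/nohash-2.0.0.tgz",
            # no "integrity": nothing pins the tarball contents
        },
    },
})

# Registries you expect tarballs to come from; extend with an internal mirror if you run one.
TRUSTED_REGISTRIES = {"registry.npmjs.org"}


def audit_lockfile(text, trusted=TRUSTED_REGISTRIES):
    """Return a list of (package, finding, detail) tuples for suspicious lockfile entries."""
    lock = json.loads(text)
    if lock.get("lockfileVersion", 1) < 2:
        raise ValueError("lockfileVersion 1 has no 'packages' map; regenerate with npm >= 7")
    findings = []
    for path, meta in lock.get("packages", {}).items():
        if path == "":            # the root project itself
            continue
        if meta.get("link"):      # workspace symlink, nothing is fetched for it
            continue
        name = path.rsplit("node_modules/", 1)[-1]
        resolved = meta.get("resolved", "")
        host = urlparse(resolved).hostname or ""
        if meta.get("hasInstallScript"):
            findings.append((name, "install-script",
                             "runs a lifecycle script at install time; review it"))
        if not resolved or host not in trusted:
            findings.append((name, "untrusted-source",
                             f"resolved from {resolved or 'unknown location'}"))
        if not meta.get("integrity"):
            findings.append((name, "no-integrity", "no integrity hash pins the tarball"))
    return findings


if __name__ == "__main__":
    # Usage: python audit_lock.py [path/to/package-lock.json]; without a path the sample is used.
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_LOCKFILE
    for pkg, kind, detail in audit_lockfile(text):
        print(f"{kind:16} {pkg:20} {detail}")
```

Run it as a CI step and fail the build on any `install-script` finding that is not on an allow-list; pair it with `ignore-scripts=true` in the project's `.npmrc` so that a newly published malicious version cannot execute during `npm ci` even before the audit catches it. The `untrusted-source` rule will also fire on `file:` and `git+https:` dependencies, which is usually what you want in a production lockfile.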

Active Exploits Demand Immediate Patches

Critical vulnerabilities keep arriving with no time to spare. Cisco, for instance, patched 17 new CVEs in its firewall appliances and IOS software in late September, 3 of which were already being exploited in the wild. Two of the firewall flaws were severe enough that CISA issued an emergency directive giving federal agencies roughly one day to identify and remediate affected devices. This illustrates how patch cycles are accelerating. Recommendation: the ability to rapidly test and deploy fixes (or temporary mitigations such as restricting management-plane exposure) for high-impact bugs is now essential for AppSec programs.

Expanding Attack Surface & Tool Overload

Organizations report that their application footprint is growing fast. A recent survey found that companies protecting about 145 web applications today expect to be securing about 201 within two years (roughly 39% growth), and the share of those apps exposing APIs is projected to jump from 32% to 80% over the same period. This surge, combined with faster cloud deployments, is straining traditional AppSec approaches. Notably, 92% of companies have a web application firewall (WAF) in place, yet 67% run multiple WAF products to cover different environments, a sign of tool sprawl and inconsistent policy. Recommendation: consolidate and automate. Scaling AppSec will require unified protection across on-prem, cloud, containers, and APIs, so that fewer gaps open up between tools for attackers to slip through.

Simplifying software updates

A new OpenSSF best-practices guide urges maintainers and consumers to make dependency updates easier. It notes that open-source components make up 70–90% of modern applications, yet many projects run on stale dependencies (about 90% of audited codebases contain components that are 10 or more versions behind), leaving known vulnerabilities unpatched. To fix this, component maintainers are encouraged to avoid breaking API changes, and consumers should let package managers resolve updates and rely on automated testing so that those updates can be merged with confidence.

Measuring AppSec maturity (OWASP SAMM)

OWASP's Software Assurance Maturity Model (SAMM) is an open framework for improving software security practices. It is technology-agnostic and risk-driven, and provides a structured way to assess current practices, build a balanced security program, and measure improvement over time. The SAMM project also hosts monthly calls open to the community, inviting anyone to learn and contribute.

OWASP Top Ten 2025 upcoming

The OWASP Top Ten (the well-known list of the most critical web application security risks) is getting an update. The 2025 edition is expected to be announced at the OWASP Global AppSec conference in Washington, D.C., in the first week of November 2025, where Amir Kavousian and Petra Vukmirović from DevArmor will also be presenting on threat modeling.

CISA KEV Alert

The U.S. Cybersecurity and Infrastructure Security Agency added five new vulnerabilities to its Known Exploited Vulnerabilities (KEV) catalog on October 14 (including CVE-2016-7836 and CVE-2025-6264). Entries land in KEV only on evidence of active exploitation, so they are frequent attack vectors and pose significant risk to federal systems, which must remediate them by the catalog's due date. (A week earlier, CISA had also added CVE-2021-43798, a Grafana path traversal bug, after observing it being used in attacks.)
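KEV is published as a machine-readable JSON feed, and the practical use of an alert like this is to diff it against your own vulnerability inventory and surface anything past its due date. The script below does that: it indexes the catalog by CVE ID, normalizes scanner output (mixed case, stray whitespace, and the non-breaking hyphens that PDF and web exports often put inside CVE IDs), and buckets the matches by due date. This is an added example written for this page, not CISA's own tooling. The embedded catalog excerpt is a constructed sample in the KEV schema: the three CVE IDs and the Grafana name come from the text above, while the vendor/product placeholders and the due dates are assumptions for the demo, not the catalog's real values.

```python
"""Match a CVE inventory against the CISA KEV catalog JSON and triage by due date."""
import json
from datetime import date

# Constructed excerpt in the KEV feed's schema. Vendor/product placeholders and
# due dates are invented for the demo; only the CVE IDs and the Grafana name are
# taken from the news item above.
SAMPLE_KEV = json.dumps({
    "title": "CISA Catalog of Known Exploited Vulnerabilities (constructed sample)",
    "catalogVersion": "sample",
    "count": 3,
    "vulnerabilities": [
        {"cveID": "CVE-2021-43798", "vendorProject": "Grafana Labs", "product": "Grafana",
         "vulnerabilityName": "Grafana Path Traversal Vulnerability",
         "dateAdded": "2025-10-07", "dueDate": "2025-10-28"},
        {"cveID": "CVE-2016-7836", "vendorProject": "Vendor A (placeholder)",
         "product": "Product A (placeholder)", "vulnerabilityName": "placeholder",
         "dateAdded": "2025-10-14", "dueDate": "2025-11-04"},
        {"cveID": "CVE-2025-6264", "vendorProject": "Vendor B (placeholder)",
         "product": "Product B (placeholder)", "vulnerabilityName": "placeholder",
         "dateAdded": "2025-10-14", "dueDate": "2025-11-04"},
    ],
})

# Constructed scanner export: mixed case, a U+2011 non-breaking hyphen, padding,
# a duplicate, and a clearly fake ID that is not in the catalog.
INVENTORY = ["cve-2016-7836", "CVE\u20112025\u20116264", " CVE-2021-43798 ",
             "CVE-2021-43798", "CVE-2099-0001"]


def normalize_cve(raw):
    """Canonical upper-case CVE ID with ASCII hyphens and no surrounding whitespace."""
    s = raw.strip().upper()
    for odd_dash in ("\u2010", "\u2011", "\u2012", "\u2013"):
        s = s.replace(odd_dash, "-")
    return s


def load_kev(text):
    """Index the KEV JSON feed by CVE ID."""
    catalog = json.loads(text)
    return {normalize_cve(v["cveID"]): v for v in catalog["vulnerabilities"]}


def kev_hits(kev_index, inventory):
    """Catalog entries for every inventory CVE that appears in KEV (deduplicated)."""
    seen, hits = set(), []
    for raw in inventory:
        cve = normalize_cve(raw)
        if cve in seen:
            continue
        seen.add(cve)
        entry = kev_index.get(cve)
        if entry is not None:
            hits.append(entry)
    return hits


def triage(hits, today, soon_days=7):
    """Bucket KEV hits into overdue, due within soon_days, and later."""
    report = {"overdue": [], "due_within_7d": [], "later": []}
    for entry in hits:
        due = date.fromisoformat(entry["dueDate"])
        if due < today:
            report["overdue"].append(entry)
        elif (due - today).days <= soon_days:
            report["due_within_7d"].append(entry)
        else:
            report["later"].append(entry)
    return report


if __name__ == "__main__":
    # For real use, read the live feed from
    # https://www.cisa.gov/sites/default/files/feeds/known_exploited_vulnerabilities.json
    report = triage(kev_hits(load_kev(SAMPLE_KEV), INVENTORY), date.today())
    for bucket, entries in report.items():
        for e in entries:
            print(f"{bucket:14} {e['cveID']:16} due {e['dueDate']}  {e['vendorProject']} {e['product']}")
```

The due date is what makes KEV actionable beyond CVSS: it is a remediation deadline, not a severity score. Normalizing the hyphen matters in practice because the very IDs in this item arrived with non-breaking hyphens, and a naive string comparison would silently report zero matches.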

Microsoft Patch Tuesday

Microsoft's October 2025 Patch Tuesday fixed 172 security vulnerabilities, including at least two zero-day flaws that attackers were already exploiting. Notable fixes include a critical Windows Server Update Services (WSUS) bug that allows unauthenticated remote code execution (and therefore a potential full takeover of the server every managed Windows host trusts for updates), and an Office vulnerability that can run malicious code when an email is merely shown in the preview pane, with no attachment opened. Recommendation: prioritize internet-reachable or widely trusted infrastructure such as WSUS, and treat "preview pane" bugs as zero-click from the user's perspective when assessing exposure.
