In April, Anthropic released a language model so powerful that, if it fell into the wrong hands, it could become a global threat. Its Claude Mythos Preview was capable of discovering zero-day vulnerabilities, leading the firm to create Project Glasswing, an alliance to harden software before its release. Weeks later, the organization claimed to have analyzed over 1,000 open-source projects — which underpin much of the internet — locating 6,202 high or critical severity vulnerabilities. If the World Economic Forum were to update its 2026 forecasts, the exploitation of software vulnerabilities, which ranked third among CEO and CISO concerns, would likely have climbed in the ranking.
Cybersecurity in development is not a new concept, but its urgency has intensified. Gartner estimates that global cybersecurity spending will reach $240 billion by 2026, of which $121.154 billion corresponds to protection software. However, the focus is no longer just on creating defensive tools, but on integrating security from the very beginning of the development cycle.
"For a time, cybersecurity in development was focused at the end of the cycle, considering a final audit sufficient," Tarlogic explains. "Today that model is not enough." The firm regards security by design as a crucial point, and its main challenge is "raising awareness and motivating teams about the value that security brings to their applications."
Manuel Achaques, from Hornetsecurity, agrees: "Development processes can be critical from a cybersecurity perspective. They not only endanger a company's stability, but also that of its customers and suppliers." Prevention in early stages includes keeping systems updated, performing periodic backups, and using immutable solutions, as well as firewalls, advanced threat detection, and end-to-end encryption.

Tarlogic highlights SCA (software composition analysis) tools, which "pick up the gauntlet to offer services that detect unwanted packages by searching for names and versions in code dependencies." But it warns that detecting the libraries is only part of the job; the hard work lies in collecting the names and versions of malicious packages.
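The detection step the Tarlogic quote describes (matching dependency names and versions against a curated list of malicious packages) is simple to illustrate. The following is an added example written for this article, not Tarlogic's tool or any real SCA product: it parses a constructed requirements-style dependency list, normalizes package names the way the Python packaging ecosystem does (so `Example_Utils` and `example-utils` match), and reports hits against a constructed denylist. The package names and versions in the denylist are placeholders, not real advisories; in practice the denylist is the curated feed whose upkeep the text identifies as the hard part, and a real tool would also cover lockfiles for other ecosystems and transitive dependencies.

```python
"""Toy SCA-style dependency check against a denylist of malicious packages.

Added example; not code from the article or from Tarlogic. All package
names, versions and the denylist below are constructed placeholders.
"""
import re

# Constructed sample dependency file (requirements.txt style). Mixes case
# and separators deliberately to show why name normalization matters.
SAMPLE_REQUIREMENTS = """\
requests==2.31.0          # pinned, clean
Example-Utils==1.4.2
demo_crypto_helper == 0.9.0
flask>=2.0                # unpinned: cannot be matched to a specific release
pyyaml==6.0.1
# a comment-only line
"""

# Constructed denylist: normalized name -> set of bad versions, or {"*"}
# when every release of the package is considered malicious. Placeholder
# data, standing in for the curated feed a real SCA service maintains.
MALICIOUS_PACKAGES = {
    "example-utils": {"1.4.2"},        # one poisoned release
    "demo-crypto-helper": {"*"},        # whole package is malicious
}

PIN_RE = re.compile(r"^([A-Za-z0-9][A-Za-z0-9._-]*)\s*==\s*(\S+)$")


def normalize_name(name):
    """PEP 503 normalization: lowercase, runs of '-', '_' and '.' become '-'."""
    return re.sub(r"[-_.]+", "-", name).lower()


def parse_requirements(text):
    """Return (pinned, unpinned): pinned maps normalized name -> version,
    unpinned lists requirement lines that carry no exact '==' version."""
    pinned, unpinned = {}, []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and whitespace
        if not line:
            continue
        match = PIN_RE.match(line)
        if match:
            pinned[normalize_name(match.group(1))] = match.group(2)
        else:
            unpinned.append(line)
    return pinned, unpinned


def find_malicious(pinned, denylist):
    """Return sorted (name, version) pairs present in the denylist."""
    hits = []
    for name, version in pinned.items():
        bad_versions = denylist.get(name)
        if bad_versions and ("*" in bad_versions or version in bad_versions):
            hits.append((name, version))
    return sorted(hits)


def main():
    pinned, unpinned = parse_requirements(SAMPLE_REQUIREMENTS)
    for name, version in find_malicious(pinned, MALICIOUS_PACKAGES):
        print(f"MALICIOUS: {name}=={version}")
    for line in unpinned:
        # Unpinned requirements cannot be checked release-by-release, so a
        # reviewer should see them rather than have them silently skipped.
        print(f"UNPINNED (review manually): {line}")


if __name__ == "__main__":
    main()
```

The unpinned entries are reported separately on purpose: a denylist keyed on exact versions cannot decide whether `flask>=2.0` will resolve to a bad release, and silently skipping such lines is the kind of gap that lets the detection step look complete when it is not.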
Fernando Rubio Román, from Microsoft EMEA and a member of ISMS Forum, provides a perspective marked by AI: "AI has simultaneously changed the three faces of the problem: how code is written, how vulnerabilities are discovered, and how they are exploited. And it has done so at a speed for which many teams are not prepared." This process is accentuated with vibe coding, which "democratizes development but expands the security debt." "The problem is not that AI writes worse than a human, it is that it writes much faster, and human review no longer scales. Security must be incorporated into the pipeline from the earliest stages," he summarizes.

Rubio adds two linked challenges: AI accelerates the discovery of vulnerabilities, as with Claude Mythos, reducing the window between discovery, exploitation, and remediation. Additionally, legacy code is a huge challenge: "AI is a valuable ally, but the accumulated debt is enormous." He also points out a human challenge: "We need developers who understand security and security professionals who understand AI. Until that convergence is consolidated, the offensive will be ahead."
Rubio distinguishes several trends driven by AI. First, the consolidation of the cloud model and shared responsibility as the basis for new software. Second, the convergence of tools into CNAPP platforms, reflecting a shift in focus: "With generative AI, launching the first version of a product is trivial; the hard part is quality, security, and maintenance." Investment is shifting to testing, observability, vulnerability management, and operational resilience. Third, the distribution of security throughout the entire lifecycle, along with the adoption of Zero Trust architectures in the development environment.
The security-by-design approach, according to Achaques, "is increasingly gaining strength to foster a culture of resilience." However, Tarlogic recalls that "security by design has had to adapt to paradigm shifts. Where previously a requirement was applied to software to prevent leaks, now requirements are established for suppliers to comply with secure design or accept third-party audits." This also applies to AI in software, "putting guardrails so that sensitive data is not leaked or it does not access misconfigured servers."

All these changes are grouped under DevSecOps, which integrates security into every phase of the software lifecycle collaboratively. "A necessary evolution," confirms Achaques, highlighting its relevance "in a scenario where much of the software uses open-source components, cloud services, and third-party tools. The supply chain is increasingly complex." "More than a technological trend, DevSecOps represents a cultural change," he reasons, as security ceases to be exclusive to a team and becomes part of the entire process. "The goal is to develop faster, but also more securely, reducing risks without slowing innovation." Rubio adds: "In an AI context, its scope expands: it no longer protects only code, but also models, data, prompts, permissions, and agents."
The spokespersons also highlight the influence of regulation: European regulations such as NIS2, DORA, the Cyber Resilience Act, GDPR, and the AI Act. "It has ceased to be a distant framework to directly condition how technology is designed, developed, and operated," says Rubio. "The regulation pushes towards demonstrable cybersecurity: you must be able to provide evidence with auditable artifacts." In development, this implies "investing in automation of evidence, lifecycle governance, and collaboration between security, legal, privacy, and product from the start. Well implemented, regulation can be a lever of trust and competitiveness."
Original source: ComputerWorld. Analysis and adaptation by ForgeNEX.