At EveryOps Day 2025 held in Sydney, emphasis was on the criticality of a single software supply chain platform for effective integration of DevOps, DevSecOps, AIOps and MLOps…
Some critical DevSecOps questions need clear answers – and in real time – such as:
Which teams in your organization are using a deprecated component? Which team is responsible for introducing a vulnerability? What compliance policies are required to put a particular app into production? How do you prove that a container was approved for external distribution?
In his opening keynote at EveryOps Day 2025, Shlomi Ben Haim, CEO & Co-Founder, JFrog, emphasized that failure to effectively address issues such as these can lead to another Crowdstrike-like digital disaster.
The biggest challenge in DevSecOps today is consolidation, according to Tal Zarfati, Lead Architect, JFrog Security, in an exclusive interview with CybersecAsia at the event. With multiple tools in place, security and development teams need a single pane of glass for a single source of truth throughout the entire software development lifecycle.
Another challenge is that, with so much new software introduced in an organization, the chances of introducing security issues (malicious content, vulnerabilities, bugs etc.) are much higher. While open-source package repositories like the Python Package Index (PyPI) play a crucial role in software development, such platforms are also potential targets for malicious actors attempting to exploit application software vulnerabilities.
A case in point: Recently, the JFrog security team discovered and reported a malicious package that was uploaded to PyPI. The package collects information such as Jamf configuration, specific CI/CD environment variables, AWS account IDs, and more.
State of software supply chain
JFrog’s recent “Software Supply Chain State of the Union 2025” report analyzed the evolving software supply chain, highlighting increasing threats and challenges. Key findings include:
- Growing complexity and risk: Organizations are using more programming languages (64% use 7+, 44% use 10+), and public repositories like Docker Hub and Hugging Face are experiencing massive growth, leading to a more complicated and risky supply chain. Over 33,000 new CVEs were reported in 2024 (up 27% year-on-year), and exposed secrets in public registries increased by 64%.
- Security gaps: A concerning 71% of organizations allow developers to download packages directly from the internet, a major security risk. While 73% of organizations use 7 or more security solutions, many still have coverage gaps, with less than half scanning at both code and binary levels.
- AI/ML as a new frontier of risk: The AI/ML software supply chain is rapidly growing, with over a million new models and datasets added to Hugging Face, but also a 6.5x increase in malicious models. Many organizations lack robust governance and scanning mechanisms for ML model artifacts.
- Limited security scanning leaving blind spots: Only 43% of IT professionals say their organization applies security scans at both the code and binary levels, leaving many organizations vulnerable to security threats only detectable at the binary level. This is down from 56% last year – a sign that teams still have huge blind spots when it comes to identifying and preventing software risk as early as possible.
- Impact on developers: Security efforts are costing organizations significantly (an average of $28k per developer per year) and negatively impacting developer experience, with developers spending around 3.6 hours per week outside working hours on security issues and frequently switching between tools.
The report emphasized the need for data redundancies, accurate applicability and impact assessments of CVEs, strict safeguarding against exposed secrets, and vigilance against increasingly sophisticated malicious actors. It also advocates for artifact management solutions to proxy public registries, automated security processes, and streamlining security tools to improve developer experience.
Enterprises are poised to pour US$227 billion into AI in 2025 – two-thirds of it on embedded, mission-critical deployments, according to IDC’s FutureScape 2025 forecast. However, Gigamon’s 2025 Hybrid Cloud Security Survey finds 91 % of CISOs are already recalibrating hybrid-cloud defenses after AI-linked system compromise rates jumped 17% year-on-year. Little wonder Gartner expects global cybersecurity budgets to leap 15 % to $212 billion in 2025, much of it ring-fenced for safeguarding new AI workloads.
Ben Haim said: “What needed to be addressed are unmanaged artifacts, slow CI/CD, lack of visibility, security gaps, and siloes. These can be resolved by artifact repository, faster release cycles, one platform for a single source of truth, and deep-scanning security – all too integrated to fail!”
Security should not slow down AI
According to Zarfati, there are several key security concerns slowing down AI adoption:
- 79% of professionals are slowed down by security concerns over AI technologies
- 64% are facing challenges and worried about emerging AI regulations
- 58% are not aware of current policies around AI technologies
- Potential risks in machine learning models, including:
- Malicious models that could compromise systems
- False positive security alerts that create alert fatigue
- Potential code execution vulnerabilities in seemingly safe models
- Rapid technological changes make it difficult to keep up with security standards, with technologies emerging and becoming obsolete within seven months
Zarfati emphasized that, while security is crucial, overly cautious approaches can also hinder innovation and AI adoption: “Organizations need balanced, research-driven security strategies that don’t completely block technological progress.”
To counter security slowing down AI adoption, he believes that developer experience is very important, and that organizations should pay attention to the changing role of developers, with security in mind.
To improve developer experience, he said: “Start with the level of ownership. The challenge is getting developers to familiarize themselves with the ownership part. They need to know what is expected of them.”
Traceability is the first keyword. Balancing a ‘blameless’ developer environment and responsible coding requires traceability. The second keyword is intent. Mistakes are inevitable, but the intent is more important, so everyone learns from the mistakes to enhance security.
He added: “Security of the software supply chain requires knowledge of trends and potentials, understanding if the hype is real or just a fad. Before innovation, you need the right protection. We need deep security expertise and innovation to keep on the bleeding edge.”