Imperva’s wildest 2025 AppSec predictions
News | 06.01.2025
What's in store for Application Security in 2025? Bold predictions from Imperva, a Thales company:
- A Global 2000 company will lose significant intellectual property due to a prompt injection breach. Generative AI has created a new killer app: the natural language interface to data. With the new interface comes a new threat vector: prompt injection. In 2025, a Global 2000 company will lose significant intellectual property due to a prompt injection breach, jailbreak or other prompt error.
- 2025 will accelerate the plunge into the Hype Cycle’s “trough of disillusionment” faster than expected. AI investment will pass $1T at the peak of the hype. As of Q4, the technology community has already passed $750B of investments in AI. Tech giants are rumored to be building entire new datacenters and power plants just for AI compute. But initial customer use cases for GenAI will be rather pedestrian employee and customer portals, which, if successful, will generate some savings, but will that be enough to make a return on this massive global investment? With prompt injection security still in its infancy, and a significant prompt-injection-related breach (see above), 2025 will accelerate the plunge into the Hype Cycle’s “trough of disillusionment” faster than expected.
- A GenAI-enabled super hacking tool will redefine “script kiddies.” GenAI is a tool, and tools can be used for both good and evil. Malicious actors are already using GenAI for reconnaissance, phishing campaigns and other “pre-breach” hacking activities. ChatGPT is better at hacking than the Llama-2 models, FWIW. GPT-4 can be used to execute attacks autonomously, without prior knowledge or human feedback. So now we have GenAI being used for both pre-breach reconnaissance and post-breach privilege escalation and lateral movement. We predict that in 2025, an enterprising group of attackers will combine the two phases into a single super-hacking tool that requires only the name of a corporate target to loose the LLMs of war. Then, when this super-hacking combo GenAI inevitably leaks (or gets exfiltrated), defenders around the world will be scrambling.
- API Security will cross the chasm from early adopter to the early majority. Most enterprises are interested in API security but haven’t adopted it yet. Or if they have, they are still very early in API security maturity, using solutions mostly just for API discovery and inventory. But, ultimately, collecting API endpoints is only the first step because you’ll have to protect them at some point. 2025 will be the year that the early majority of enterprise organizations in North America will either adopt, or plan to adopt (within 24 months), API security solutions. They’ll join the early adopters in discovery, and some will progress to monitoring. The early adopters will progress to risk analysis and finally some remediation.
- A significant OSS Supply Chain Attack succeeds. This year, 2024, almost started off with a tremendous bang. Malicious nation-state attackers, through months of disciplined social engineering, hijacked the maintenance of XZ Utils, a widely used open-source software (OSS) compression library. After taking over the development of the library, which is included in many modern Linux distributions, they painstakingly crafted a hidden backdoor within. They released the poisoned code and it began to spread through early beta distributions. One heroic network administrator noticed that the new code caused his SSH sessions to take a half second longer to connect. His personal investigation uncovered the backdoor. He raised the alarm, and the backdoor was removed. If it weren’t for him, that nation-state group could have compromised all of the millions of Linux-based systems that power the modern internet. Our prediction for 2025 is that an OSS attack like XZ Utils will actually succeed, now that all the other state actors have seen how close the original attacker came to world domination. There’s nothing stopping a determined nation state from running operations like this on dozens of different OSS projects; they only need one or two to succeed. In fact, maybe they already have and we’re only going to find out about it in 2025.
So there you have it, the five wildest predictions for 2025 from Imperva. Looking at these as a group, you can see that there’s a bit of a negative vibe here. But let’s also hope the world embraces API security in 2025.
Imperva is the leader in end-to-end digital security, dedicated to helping organizations protect their data and all paths to it. Customers around the world trust Imperva to protect their applications, data, and websites from cyber-attacks.
Softprom - Value Added Distributor of Imperva.