As we move further into 2025, the cybersecurity industry, and the software supply chain space in particular, will continue to face new challenges. With increasing cyberthreats, vulnerabilities, and the growing complexity of software ecosystems, organizations need to prioritize protecting their assets and ensuring compliance with emerging regulations. According to Qualys, 0.91 percent of vulnerabilities have been weaponized, which represents a 10 percent increase in the weaponization of CVEs discovered prior to 2024.
Modern software relies heavily on open-source contributions, with developers relying on open-source 2 to 9 times over, and this introduces geopolitical risks that organizations must urgently consider, especially with rising nation-state attacks. Lineaje AI Lab's recent report, "Crossing Boundaries: Breaking Trust?", dives into the critical vulnerabilities hidden deep within the global complexity of the open-source software supply chain.
In this blog, we bring together insights from leading experts in the field to provide a comprehensive outlook on the key trends and challenges that will shape the cybersecurity and software supply chain landscape in 2025. Our contributors include Cassie Crossley from Schneider Electric, Karan Sondhi from Trellix, Sakthi Rangaraju from Pure Storage, Steve Wilson from Exabeam, and myself, Nick Mistry, CISO at Lineaje.
We asked each expert a series of questions regarding pressing issues surrounding the software supply chain landscape. Each expert offers a unique perspective on the adoption of Software Bill of Materials (SBOMs), regulatory changes, the role of open-source software, industry-specific challenges, and the transformative impact of artificial intelligence (AI) on security.
Nick Mistry, Lineaje: "Adoption of SBOMs will expand significantly, particularly in the government and defense industries. Government agencies will continue to enforce the use of SBOMs through regulatory measures, including the U.S. Army and other military branches. These regulations will put pressure on the private sector, requiring software providers to submit SBOMs as part of the acquisition process.
These new processes will pose several challenges. For instance, consider the task of analyzing SBOMs for all of the military's software. It poses a considerable challenge to review and manage these documents, especially in the event of a new zero-day vulnerability. Identifying impacted software and determining deployment locations is a complex task, making operational management difficult."
Karan Sondhi, Trellix: "As a security software provider, Trellix anticipates rapid SBOM adoption in the U.S. public sector throughout 2025, driven by Executive Order 14028, 'Improving the Nation's Cybersecurity,' issued in May 2021. While this will enhance supply chain visibility and incident response, government and defense organizations will face challenges in implementing SBOMs effectively, particularly with legacy systems, classified information management, and supply chain complexity. Despite these hurdles, we believe the long-term security benefits will outweigh the initial implementation difficulties."
Steve Wilson, Exabeam: "In 2025, the adoption of SBOMs will expand beyond traditional software, with AI and ML applications driving demand for more advanced BOM frameworks. Concepts like ML-BOMs (as defined by CycloneDX) will need rapid evolution to address the intricacies of modern LLM applications. These models rely on dynamic and often opaque supply chains, where each ML component, data set, and algorithm may introduce unique vulnerabilities. For government and defense organizations, effectively managing this complexity will require an expanded ML-BOM standard that can account for continuous updates, complex dependencies, and provenance tracking across AI and ML systems. Achieving interoperability across ecosystems will remain critical, but automation, coupled with emerging regulatory standards, will play a pivotal role in maintaining compliance and security across increasingly complex AI supply chains."
Nick Mistry, Lineaje: "Regulatory changes are set to reshape software supply chain security. The Federal Acquisition Rules (FAR) may soon require SBOMs for software used by federal agencies, signaling a push for greater transparency and accountability. Similarly, a proposed Department of Commerce rule for connected vehicles aims to exclude software contributions from China and Russia, reinforcing the need for robust tracking of software origins through SBOMs. As these regulatory shifts accelerate, organizations must act proactively—building detailed software inventories, ensuring compliance readiness, and embedding supply chain security into their core processes to stay competitive and secure."
Cassie Crossley, Schneider Electric: "In 2024 there was significant movement for products sold into US government agencies with the release of the Secure Software Development Attestation form by CISA.
In the final quarter of 2024, the European Union Cyber Resilience Act was fully adopted and entered into force with requirements for the product's software bill of materials to be available no later than 36 months (2027) for many products sold into the EU. This regulation also contains other product security and software security requirements to improve the security posture of products sold into the EU."
Karan Sondhi, Trellix: "In 2025, we anticipate the most significant impact on software supply chain security will come from the full implementation and enforcement of the Cyber Incident Reporting for Critical Infrastructure Act (CIRCIA). This regulation, building on Executive Order 14028, will likely expand mandatory reporting requirements and SBOM implementation across a broader range of critical infrastructure sectors. We also expect to see new regulations addressing AI security in the software supply chain, given the rapid adoption of AI technologies in government and defense applications."
Nick Mistry, Lineaje: "Open-source software will play an increasingly critical role in cybersecurity, particularly in vulnerability management and patching. The integration of agentic AI is set to revolutionize this space, enabling autonomous identification, remediation, and validation of vulnerabilities in open-source systems for large organizations. This innovation will streamline processes and significantly enhance overall security postures.
At the same time, securing open-source tools themselves will remain a top priority. With recent advancements, safeguarding AI tools is becoming more urgent. New scanners and technologies are emerging to address this challenge, while platforms are beginning to adopt more agentic capabilities to better manage and mitigate vulnerabilities. These developments promise to make open-source software not only more secure, but also more reliable and trusted for critical cybersecurity applications."
Karan Sondhi, Trellix: "By 2025, we expect open-source software to play an increasingly critical role in cybersecurity, particularly for government and defense organizations. The transparency of open-source will become a double-edged sword: while it allows for faster vulnerability detection and community-driven patching, it will also require more sophisticated vulnerability management processes. We anticipate a rise in automated tools for continuous monitoring and rapid patching of open-source components, along with stricter governance policies to balance security with the agility open-source provides."
Sakthi Rangaraju, Pure Storage: "By 2025, open-source software (OSS) will play an increasingly critical role in cybersecurity, with greater emphasis on proactive vulnerability management and patching. Regulatory pressures will hold organizations more accountable for securing OSS components, while new standards and certifications will formalize security expectations. Automated tools will become essential for real-time vulnerability detection and patching, and sustainable funding for open-source maintainers will improve the security of key projects. Public-private partnerships will drive better collaboration between governments, corporations, and OSS communities, while legal frameworks may introduce liability for unpatched vulnerabilities. As a result, OSS will become more secure, transparent, and integrated into global cybersecurity practices."
Nick Mistry, Lineaje: "The industries likely to face the most significant software supply chain issues will be those heavily reliant on complex and interconnected systems. The medical device industry is a primary candidate, as they continue to grapple with managing software supply chain risks. With the FDA's recent mandate for SBOMs and Vulnerability Exploitability Exchange (VEX), these organizations must navigate the challenges of securing their supply chains effectively.
In addition, the U.S. Army's recent mandate requiring SBOMs for third-party, contractor-developed, and internally developed software underscores a commitment to enhancing software transparency and security. I expect other Department of Defense agencies to mirror these requirements in 2025 and anticipate civilian industries moving towards similar protocols."
Karan Sondhi, Trellix: "In 2025, we anticipate the healthcare and energy sectors will face the most significant software supply chain issues. Healthcare's rapid digitization and IoT adoption, coupled with strict regulatory requirements like HIPAA, make it particularly vulnerable. The energy sector, including utilities and oil/gas, will likely struggle due to its aging infrastructure, increasing connectivity, and critical role in national security. Both industries' complex supply chains and the potential for cascading impacts from breaches make them prime targets for sophisticated cyber attacks, necessitating robust supply chain security measures."
Sakthi Rangaraju, Pure Storage: "In addition to critical software suppliers, industries such as critical infrastructure (energy, water, transportation), healthcare, finance, and defense are likely to face the most significant software supply chain issues due to their reliance on complex, interconnected systems and the use of third-party software, including open-source components. These sectors are particularly vulnerable because they manage sensitive data, critical operations, and essential services, making them prime targets for cyberattacks."
Nick Mistry, Lineaje: "AI serves a dual purpose in security and engineering, making it essential to navigate this balance for successful innovation. On one hand, AI strengthens security by rapidly detecting, addressing, and remediating vulnerabilities with unmatched precision, bolstering defenses against evolving threats. On the other, securing AI itself is critical. Integrating AI into security frameworks demands integrity, transparency, and trust. We are already beginning to see greater adoption and conversations surrounding an AI Bill of Materials (AI BOM), a tool to structure, manage and secure AI models, data, and dependencies. It empowers organizations to mitigate risks, ensure reliability, and deploy AI safely and responsibly."
Sakthi Rangaraju, Pure Storage: "AI will play a transformative role in both security and engineering by enhancing efficiency, innovation, and risk management. In security, AI can automate threat detection, response, and vulnerability management, helping organizations defend against increasingly sophisticated cyberattacks, though it also introduces the risk of AI-powered malicious attacks. However, human oversight remains essential to ensure the ethical and safe application of AI, as issues like bias, transparency, and reliability need to be carefully managed to prevent unintended consequences."
Steve Wilson, Exabeam: "AI is set to drive three powerful, game-changing shifts in the cybersecurity landscape. Attackers are already leveraging AI to operate at unprecedented speeds, identifying and exploiting vulnerabilities within enterprises faster than ever. As organizations embrace AI across their operations, attackers will turn their focus to AI-specific vulnerabilities, a new category of risks that security teams must proactively understand and mitigate. Defenders can and should harness AI to transform their defenses, from cybersecurity operations copilots that provide real-time guidance to automatic remediation within application security tools. The result? A rapid escalation on both sides of the cybersecurity battle, with AI reshaping the pace, tactics, and tools in the fight to secure enterprise systems."
Conclusion:
Over the next year, the IT security industry will be shaped by the rapid adoption of SBOMs, updated regulatory frameworks, and an increasing role of AI in both security and engineering. As organizations grapple with these changes, they will continue to prioritize transparency, proactive vulnerability management, and compliance with new standards to safeguard their software supply chains.
Here at Lineaje, we want to know: what are your 2025 predictions?