New (and renewed) cybersecurity trends for 2026

Cybersecurity fads and fashions have a habit of coalescing into definable trends, and those trends can help us underpin enterprise software architectures with a commensurate level of protection. Among the major factors likely to drive this space in the year ahead, with the looming spectre of AI-generated anything around the corner, is the suggestion that just about everything can now be faked. So how do we move forward?

The prospects for phishing in the era of AI could be huge. We have (arguably) moved well beyond requests for money from fake nation-state princes; we are now in a place where every message format (email, audio or video) can be faked convincingly.

“We are going to have to have multiple trusted channels with those who are close to us. If one channel, email, WhatsApp, Slack, etc. gets an important message, you may need to validate this on another channel. We may even pick up the phone and call each other, like it’s the 90s,” suggested Dr. Dag Flachet, one of the co-founders of Codific, a Barcelona-based software company that focuses on building secure privacy-focused cloud applications for areas such as HR-tech, Ed-Tech and Med-Tech.

Flachet is a specialist in organisational psychology and is an active contributor to several OWASP projects, as well as regulatory guidance around the Cyber Resilience Act. 

Passwords to passkeys

The months ahead may also see the end of passwords as they are displaced by passkeys. A passkey is a FIDO2/WebAuthn credential: a private key held on the user’s device signs a challenge issued by the site, and a biometric or PIN is used only to unlock that key locally. Nothing reusable crosses the wire, and the signed data is bound to the site’s origin, so a look-alike phishing page cannot harvest or replay the credential.
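To make “cryptographic keys linked to a device” concrete, here is an added example in Go. It is not code from the article, from Codific or from any FIDO implementation; it models a simplified WebAuthn assertion. The device side keeps a P-256 private key and signs a server challenge together with the page origin and the relying-party ID; the server side verifies the signature, refuses a challenge it has already seen and refuses an assertion whose origin is a look-alike domain. The relying party (`example.com`), the origins and the authenticator-data layout (rpIdHash plus one flags byte, no signature counter or attestation) are assumptions of the example, and in a real browser the origin field is filled in by the browser, not by the page or the user.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"encoding/json"
	"fmt"
)

// Authenticator models the device: the P-256 private key is generated here and never leaves it.
type Authenticator struct {
	priv *ecdsa.PrivateKey
	rpID string // relying-party ID the credential was created for (assumed "example.com")
}

func NewAuthenticator(rpID string) (*Authenticator, error) {
	priv, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	return &Authenticator{priv: priv, rpID: rpID}, nil
}

// clientData mirrors the WebAuthn clientDataJSON fields used in this example.
type clientData struct {
	Challenge string `json:"challenge"`
	Origin    string `json:"origin"`
}

// signedDigest is SHA-256(authenticatorData || SHA-256(clientDataJSON)), the value WebAuthn signs.
func signedDigest(authData, clientDataJSON []byte) []byte {
	cdHash := sha256.Sum256(clientDataJSON)
	h := sha256.Sum256(append(append([]byte{}, authData...), cdHash[:]...))
	return h[:]
}

// Assert answers a challenge. A real browser fills in origin itself, so a look-alike page cannot lie about it.
func (a *Authenticator) Assert(challenge, origin string) (clientDataJSON, authData, sig []byte, err error) {
	clientDataJSON, _ = json.Marshal(clientData{Challenge: challenge, Origin: origin}) // cannot fail for plain strings
	rpHash := sha256.Sum256([]byte(a.rpID))
	authData = append(rpHash[:], 0x01) // rpIdHash || flags (user present); signature counter omitted here
	sig, err = ecdsa.SignASN1(rand.Reader, a.priv, signedDigest(authData, clientDataJSON))
	return clientDataJSON, authData, sig, err
}

// Server is the relying party. It stores the public key (from registration) and outstanding challenges.
type Server struct {
	rpID, origin string
	pub          *ecdsa.PublicKey
	challenges   map[string]bool // single-use
}

func NewServer(rpID, origin string, pub *ecdsa.PublicKey) *Server {
	return &Server{rpID: rpID, origin: origin, pub: pub, challenges: map[string]bool{}}
}

// NewChallenge issues 32 random bytes and remembers them as outstanding.
func (s *Server) NewChallenge() string {
	buf := make([]byte, 32)
	if _, err := rand.Read(buf); err != nil {
		panic(err)
	}
	c := fmt.Sprintf("%x", buf)
	s.challenges[c] = true
	return c
}

// Verify runs the relying-party checks: fresh challenge, expected origin, matching rpIdHash, signature.
func (s *Server) Verify(clientDataJSON, authData, sig []byte) error {
	var cd clientData
	if err := json.Unmarshal(clientDataJSON, &cd); err != nil {
		return err
	}
	if !s.challenges[cd.Challenge] {
		return fmt.Errorf("unknown or already-used challenge (replay?)")
	}
	delete(s.challenges, cd.Challenge) // consumed even if a later check fails
	if cd.Origin != s.origin {
		return fmt.Errorf("origin %q is not %q (phishing?)", cd.Origin, s.origin)
	}
	rpHash := sha256.Sum256([]byte(s.rpID))
	if len(authData) < 33 || string(authData[:32]) != string(rpHash[:]) {
		return fmt.Errorf("credential was not created for relying party %q", s.rpID)
	}
	if !ecdsa.VerifyASN1(s.pub, signedDigest(authData, clientDataJSON), sig) {
		return fmt.Errorf("bad signature")
	}
	return nil
}

func main() {
	auth, _ := NewAuthenticator("example.com")
	srv := NewServer("example.com", "https://example.com", &auth.priv.PublicKey)
	cd, ad, sig, _ := auth.Assert(srv.NewChallenge(), "https://example.com")
	fmt.Println("genuine:", srv.Verify(cd, ad, sig), "| replay:", srv.Verify(cd, ad, sig))
	cd, ad, sig, _ = auth.Assert(srv.NewChallenge(), "https://examp1e.com")
	fmt.Println("look-alike origin:", srv.Verify(cd, ad, sig))
}
```

The order of checks in Verify matters: the challenge is consumed before anything else is inspected, so a captured assertion cannot be retried against the server while someone probes why it failed. Note that the phishing protection comes from the origin and rpIdHash checks, not from the biometric, which only gates the device’s use of the key.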

Looking at the rise of unsanctioned shadow AI, Flachet stresses the need for data protection. He says that although fighting shadow AI is not going to be easy, firms can educate their employees so that they understand the risk of sharing information or access with AI models or agents. 

“Make sure teams have the tools they need on their security-endorsed tool-belt. Run models locally if needed. But don’t forbid and forget, the path of least resistance should be the use of approved tools,” said Flachet.

He thinks that, in terms of standards in this space, ISO 27001 or SOC 2 used to be enough, but this is no longer the case in 2026 because we now need to be able to demonstrate that our defences are in line with the risk at hand. He sees a boom in the use of maturity models to track organisational processes around security. That is a good thing: at least now we know where we stand.

SBOMs everywhere

In 2026, software development is clearly more modular than ever: look at reference architectures, look at containers, look at reusable components and (of course) look at Kubernetes. Every one of those pieces is something you depend on but did not write, which is why software supply chain failures now appear as a category in their own right in the 2025 OWASP Top 10, ranked just below security misconfiguration.

“For better or worse, software ‘development’ is getting more complex, and the scope beyond code is continuing to grow rapidly. This is evident with the rise of software supply chain failures and security misconfigurations. The current models and methodologies are asking developers to be responsible for a lot more than just writing code,” said Brian Glas, department chair of computer science at Union University in Jackson, Tennessee.

As the writing of code is automated, and the resolution of issues at low levels of abstraction is automated with it, the suggestion is that we will spend more of our human intelligence at higher levels of abstraction in software systems. In 2026 we will see more threat modelling and business logic analysis. We will spend more time looking at data flow diagrams and less time staring at syntax.

Common Vulnerability Scoring System

CVSS (Common Vulnerability Scoring System) is an open, standardised framework for rating the severity of software vulnerabilities. It produces a score from 0.0 (none) to 10.0 (critical), derived from base metrics such as attack vector, attack complexity, privileges required, user interaction, scope and the impact on confidentiality, integrity and availability, to help teams prioritise which flaws to fix first.

According to Nicolas Montauban, solutions engineer at Codific, the CVSS obsession is fading. 

“In 2026, companies realise that their application security posture management (ASPM) is lying to them. Yes, it aggregates CVSS scores into some heuristic for risk, but it is flawed and ineffective. It is better to turn the CVSS outcomes into new security requirements for your teams using OWASP ASVS (Application Security Verification Standard). In 2026, we will shift from fighting symptoms to writing proper security requirements up front. That is the first ‘why’ of vulnerabilities. And if we keep asking why, we’ll eventually end up with OWASP SAMM and the fundamental processes in place,” said Montauban.

Gone catfishing

Dag Flachet agrees and says that in 2025, the industry is looking for new ways to measure and improve. 

Whatever happens, 2026 will clearly be a year heavily driven by the impact of AI on application codebases and workflows at every level. Where the rise of automation will show up in the cybersecurity space is going to be as tough to predict as where the next scam will come from, although the safe money is on those rogue ne’er-do-well types asking for an upfront loan to “help you secure a share in a massive inheritance” or something along those lines.

There are plenty of catfishers out there; make sure you’re not fishy enough to be the bait.
