Product security has come a long way since the early 2000s to the current iterations we’re seeing today. From CISA’s focus on Secure by Design to the growing emphasis on software supply chain security, software manufacturers, software buyers, and regulatory bodies are approaching the security of the products that run our world with a new degree of awareness and scrutiny.
As we move forward into 2025, this focus is extremely promising for the future. We see change all around us and uncertainty in every arena. However, forward momentum is what we need to build more resilient products that can stand the test of time.
Looking ahead, here are five predictions on how product security will evolve in 2025.
1. 200 More Companies Will Pledge Their Commitment to Secure by Design
As of December 2024, 256 companies have already signed CISA’s Secure by Design pledge, including companies like Cisco, IBM, Google, and Microsoft. RunSafe Security has also signed the pledge, which includes seven goals for software manufacturers to work toward to improve the security of their products.
Secure by Design will certainly shape the future of product security and development for decades to come. We’re already seeing the effects with notable signees detailing their progress toward the pledge goals. Overall, Secure by Design will continue to encourage software manufacturers to focus on areas like software supply chain security and memory safety to reduce the risks to and attack surface of embedded devices. As we at RunSafe emphasize, we want to reshape the economics of security to favor defenders. Secure by Design helps to make this possible by focusing on security from the earliest stages of design and development, and we believe hundreds more companies will take up the challenge in the year ahead.
2. Asset Owners Will Begin to Demand Secure by Design
Product security is on the minds of manufacturers, but what about the buyers of software who deploy these products within their organizations and across critical infrastructure?
As we look ahead to next year, software buyers will begin to get curious about their software supply chain and the steps their vendors are taking to reduce risk within their products. As part of this, asset owners should ask suppliers to provide Software Bills of Materials (SBOMs) to gain insight into potential exposures and vulnerabilities within software deployed across asset owner infrastructure.
One example of an area for asset owners to focus on is CISA’s Roadmap to Memory Safety, which urges software manufacturers to publish a memory safety roadmap by January 1, 2026. Asset owners can use the memory safety roadmap as a starting point to talk with suppliers and discuss how they will approach eliminating this class of vulnerabilities.
3. Product Liability Will Come Into Focus
While Secure by Design and other CISA guidance is voluntary, as more organizations adopt these principles, there is a strong possibility that approaches to product liability and cyber insurance within the software industry will begin to shift. Though it would be surprising to see a new executive order on critical infrastructure and product liability issued in 2025, we are seeing an immediate response to the EU Cyber Resilience Act. Perhaps the market will seek to increase cybersecurity warranties, guarantees, and insurance.
As software manufacturers take on more of the security burden, the way liability is distributed between suppliers and their customers in the event of a security incident will change. Device manufacturers will need to consider what the liability shift means for their business and adopt a new financial perspective to address downside liability.
4. Software Manufacturers Will Prioritize Immediate Solutions for Memory Safety
A key aspect of the Secure by Design guidance issued by CISA is memory safety, and it plays a critical role in the overall security of embedded devices. Yet for many, memory safety is not achievable simply by rewriting products.
Going into 2025, we expect an alternative to memory safe languages to enter more prominently into the product security discussion. Although Secure by Design guides device manufacturers to rewrite all of their C and C++ software in a memory safe language like Rust, doing so would take decades and require a significant expenditure of resources and human power to accomplish. For companies that produce dozens, hundreds, or even thousands of embedded software products deployed across critical infrastructure (often with 10-30 year lifespans), it is neither feasible nor practical to simply rewrite all their products in memory safe languages. Not doing so, however, leaves the door open for attack in the near term.
For this reason, it’s important that software manufacturers insert memory protections, such as load-time function randomization, into existing devices today rather than wait for the time a rewrite would take. Commercial solutions, like RunSafe’s Protect solution, already exist to provide immediate protection and prevent the exploitation of devastating memory safety vulnerabilities.
5. Companies Will Become More Transparent in Sharing SBOMs
High-profile software supply chain attacks like SolarWinds and Log4j spurred the need for organizations to have visibility into their software components. SBOMs emerged as a tool for managing and mitigating software supply chain risks.
For companies that are committed to Secure by Design and product security best practices, we believe there is great value in publicly sharing SBOMs or sharing SBOMs between asset owners and suppliers. Doing so signals honesty and transparency in software development practices and makes it easier to understand where potential vulnerabilities lie.
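The value of a shared SBOM described above (and in the asset-owner section earlier) comes from being able to cross-reference it against advisory data. The following is an added example, not RunSafe's code or any product's real SBOM: it parses a constructed CycloneDX-style JSON SBOM, matches each component against a constructed advisory list with placeholder IDs, and reports components that fall inside an affected version range. It also flags components whose version the supplier omitted, since those cannot be cleared and are exactly the kind of gap an asset owner should raise with the vendor.

```python
"""Cross-reference a CycloneDX-style SBOM against a list of vulnerable version
ranges. All data here is constructed sample input, not a real product's SBOM
or a real advisory feed."""
import json
import re

# Constructed CycloneDX 1.5 JSON SBOM for a hypothetical embedded product.
SAMPLE_SBOM = json.dumps({
    "bomFormat": "CycloneDX",
    "specVersion": "1.5",
    "metadata": {"component": {"name": "example-gateway-firmware", "version": "3.2.0"}},
    "components": [
        {"type": "library", "name": "liblog", "version": "2.14.1"},
        {"type": "library", "name": "libxml", "version": "2.9.12"},
        {"type": "library", "name": "libhttp", "version": "1.3.4"},
        {"type": "library", "name": "libcrypto", "version": "3.0.1"},
        {"type": "library", "name": "libcompress"},  # supplier omitted the version
    ],
})

# Constructed advisory list with placeholder IDs (not real CVEs). Ranges follow
# the OSV/SPDX convention: "introduced" is inclusive, "fixed" is exclusive.
SAMPLE_ADVISORIES = [
    {"id": "ADV-0001-PLACEHOLDER", "name": "liblog", "introduced": "2.0.0", "fixed": "2.15.0"},
    {"id": "ADV-0002-PLACEHOLDER", "name": "libxml", "introduced": "0", "fixed": "2.9.10"},
    {"id": "ADV-0003-PLACEHOLDER", "name": "libhttp", "introduced": "1.0.0", "fixed": "1.3.4"},
    {"id": "ADV-0004-PLACEHOLDER", "name": "libcompress", "introduced": "1.0.0", "fixed": "1.2.0"},
]


def parse_version(text):
    """Turn a dotted numeric version into a comparable tuple ("2.14.1" -> (2, 14, 1)).
    Non-numeric suffixes are ignored; shorter tuples are zero-padded on comparison."""
    parts = [int(p) for p in re.findall(r"\d+", text)]
    if not parts:
        raise ValueError(f"unparseable version: {text!r}")
    return tuple(parts)


def version_in_range(version, introduced, fixed):
    """True when introduced <= version < fixed under zero-padded tuple comparison."""
    v, lo, hi = parse_version(version), parse_version(introduced), parse_version(fixed)
    width = max(len(v), len(lo), len(hi))

    def pad(t):
        return t + (0,) * (width - len(t))

    return pad(lo) <= pad(v) < pad(hi)


def find_exposures(sbom_json, advisories):
    """Return one finding per (component, advisory) pair where the component's
    version is inside the affected range, plus a 'version-missing' finding for
    any component that has an advisory but no version in the SBOM."""
    sbom = json.loads(sbom_json)
    if sbom.get("bomFormat") != "CycloneDX" or "components" not in sbom:
        raise ValueError("not a CycloneDX SBOM with a components list")
    findings = []
    for comp in sbom["components"]:
        name, version = comp.get("name"), comp.get("version")
        for adv in (a for a in advisories if a["name"] == name):
            if version is None:
                findings.append({"component": name, "version": None,
                                 "advisory": adv["id"], "status": "version-missing"})
            elif version_in_range(version, adv["introduced"], adv["fixed"]):
                findings.append({"component": name, "version": version,
                                 "advisory": adv["id"], "fixed_in": adv["fixed"],
                                 "status": "affected"})
    return findings


if __name__ == "__main__":
    for finding in find_exposures(SAMPLE_SBOM, SAMPLE_ADVISORIES):
        print(finding)
```

Two design points matter when running this against real SBOMs: the fixed version is treated as exclusive so that a component already on the patched release (libhttp 1.3.4 above) is not flagged, and a component with no version is surfaced as its own finding rather than silently skipped, because an SBOM entry that cannot be matched gives no assurance either way.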
Advancing the Resilience of Software in the Year Ahead
2025 is shaping up to be a big year for product security and the implementation of Secure by Design. We can be certain that nation-states, adversaries, and APTs will continue to target the software supply chain. I remain optimistic that software manufacturers, software buyers, and the cybersecurity industry on the whole can work together to advance the resilience of software deployed in embedded devices to safeguard critical infrastructure and our world.
Learn more about best practices for safeguarding code. Download our guide to get the knowledge and tools you need to address memory safety challenges and protect your code today and into the future.