Why software defects are now the biggest security threat
Software bugs are fast becoming the main cybersecurity threat
Cybersecurity headlines are most often made by attacks, but the fallout of accidental cyber incidents is fast becoming the primary threat to businesses.
CISO at Fastly.
Malicious actors plotting your organization's downfall seem a more tangible threat on the surface, but the speed at which software is now being shipped is rapidly exposing businesses to a new level of security risk.
Recent Fastly research found that software bugs were a factor in 40% of cyber incidents in 2025, up from 33% in 2024 and overtaking external attackers (39%).
The cost of coding faster
Early AI adoption has played a role in increasing instances of software issues exposing businesses to risk. Some reports have stated AI is almost doubling engineers’ output, but a survey we issued last year showed 30% of senior developers have time savings wiped out by firefighting when AI-generated code fails.
Humans and AI coders alike might be introducing bugs that must be caught in code reviews, and companies might be sacrificing those reviews in the interest of AI automation efficiency.
As well as increasing deployment speed, AI introduces more infrastructure that companies are still getting to grips with. More than ever, they are wrestling with security failures and oversights that stem from how code is written or how their infrastructure is configured rather than external actors.
These issues are more pronounced at larger organizations. Large enterprises with 10,000+ employees averaged 57 incidents in 2025, nearly 40% above the mean of 40. It’s clear that investing in defenses is not the main tactic a modern security strategy can rest on.
Establishing accountability
Strong security postures require processes as much as sophisticated tooling. Reinforcing defenses should obviously remain a priority, but shifting some of the focus towards budget allocation and team structure is an effective way to remain resilient.
Software development has likely changed for good, meaning organizations need to fundamentally rethink their processes and organizational structure.
Only 37% of organizations have shifted security responsibilities towards platform engineering or DevOps at this stage despite the prevalence of incidents related to bugs and misconfigurations.
Centralized security teams that concentrate primarily on the perimeter are too far removed from where risk is created. Bringing security closer to software decision-making is a necessary step for any company looking to scale their outputs to keep up with increasing AI-driven competition.
In practice, this means security should have oversight earlier in the software development process, not just at the point of post-build reviews.
Clear accountability further reduces the risk of response being slowed when incidents inevitably occur.
Over half (51%) of AI-first businesses - those making AI a core part of their operations - are unsure about who handles incident response, but these businesses are the most exposed. Defining ownership, identity governance and escalation paths before deployment sets teams up to bounce back quickly when incidents hit.
Secure by design in the AI era
I have always advocated for a ‘secure by design’ approach to minimize risk. Baking security into an organization's projects early is what makes for a strong security posture. This approach encourages security teams to make systems and coding environments more secure rather than relying on individual employees to get everything right the first time.
AI has changed the complexion of secure by design. Speed-to-market is prioritized over building resilience into systems at 72% of organizations, with accelerated software deployment cycles now amplifying the chance of something going wrong no matter what security tooling they have invested in.
Security architects and executives should have a seat at the table when decisions are being made about how to implement AI. AI systems themselves are becoming vectors through which businesses can be exposed, so they should be treated as privileged infrastructure requiring access control and monitoring from day one.
The results of this approach are clear for many already. Eighty-one percent of organizations that made resilience investments last year say they managed to safely accelerate innovation.
Done correctly, security by design shouldn’t be a burden on software teams. It should enable them to work with confidence and keep their business out of the wrong kind of headlines.
Build fast without breaking
There is a significant opportunity for businesses scaling their software development to get ahead of the competition by recognizing software errors as a threat on par with external attackers.
Organizations that bolt on tools and silo their security teams from the rest of the business are more likely to accumulate risks and be left fighting fires. A secure by design approach fit for the modern age will allow businesses to create distance from their peers.
This article was produced as part of TechRadar Pro Perspectives, our channel to feature the best and brightest minds in the technology industry today.
The views expressed here are those of the author and are not necessarily those of TechRadarPro or Future plc. If you are interested in contributing find out more here: https://www.techradar.com/pro/perspectives-how-to-submit