Walking into Moscone South on Monday morning I felt the familiar RSA buzz—thousands of badges, coffee lines that never end, and animated hallway debates about whether AI will save or sink us. This year the conversations were richer than ever. I was thankful that “Secure by Design” is still gaining traction, and many sessions—whether they were about agentic AI, new software liability proposals, or the talent crisis—treated the need for secure software as a given. Below is my personal highlight reel, stitched together as one story of how community, policy, technology, and a little bit of hacker showmanship converged in San Francisco.
“Secure by Design: Are We Winning?” with Jason Healey
Monday morning Jason Healey and I took the RSA Conference stage for “Secure by Design: Are We Winning?”. We opened with a sobering reminder: red teams have been bypassing controls since the 1970s. Yet the National Cybersecurity Strategy now sets an explicit goal—shift the advantage to defenders (D > O).
We walked the audience through 50 years of offense/defense tug-of-war, then used fresh data to show where we’re finally making dents:
- Known Exploited Vulnerabilities (KEV) have plateaued at about 125 a year, and 2025 Q1 data shows this continuing.
- Veracode’s State of Software Security (SoSS) 2025 dataset: we saw a sharp year-over-year improvement in the share of apps eliminating all OWASP Top 10 vulnerabilities. The rate of improvement was 1% per year from 2010 to 2020 and then 4% per year for the last five years.

But we were blunt about what’s not working: time-to-fix is stuck, especially for large enterprises. The solution we proposed—borrowed from lean manufacturing—is to carve out capacity to “fix 10 percent of open flaws every month.” If you can’t, triage ruthlessly by severity and exploitability.
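To make the proposal concrete, here is an added example (my own code, not material from the talk or from Veracode) that models the two halves of it: a triage order for deciding which open flaws get the month's fixing capacity, and a month-by-month burn-down of a backlog when you close 10 percent of whatever is open. The ranking order (CISA KEV entries first, then severity, then exploitability, then age) is this example's assumption rather than a rule the talk laid out, and every finding in the sample backlog is constructed.

```python
"""Backlog triage and burn-down model for the "fix 10 percent of open flaws
every month; if you can't, triage by severity and exploitability" rule.
Added example with constructed data; the ranking order is an assumption."""
from dataclasses import dataclass
from typing import Optional
import math

FIX_FRACTION = 0.10  # the talk's "10 percent of open flaws every month"


@dataclass(frozen=True)
class Finding:
    id: str
    severity: float        # CVSS-style base score, 0.0 to 10.0
    exploitability: float  # EPSS-style probability of exploitation, 0.0 to 1.0
    in_kev: bool           # listed in CISA's Known Exploited Vulnerabilities catalog
    age_days: int          # days since the flaw was first reported


# Constructed sample backlog (not real findings).
SAMPLE_BACKLOG = [
    Finding("F-1", 9.8, 0.02, False, 400),
    Finding("F-2", 7.5, 0.91, True, 30),
    Finding("F-3", 5.3, 0.40, False, 200),
    Finding("F-4", 9.8, 0.70, False, 10),
    Finding("F-5", 4.0, 0.01, False, 900),
    Finding("F-6", 7.5, 0.05, False, 120),
]


def monthly_budget(open_count: int, fraction: float = FIX_FRACTION) -> int:
    """Number of flaws the rule asks you to close this month (rounded up)."""
    return math.ceil(open_count * fraction)


def triage_key(f: Finding):
    """Sort key, assumed ordering: KEV entries first, then highest severity,
    then highest exploitability, then oldest. Python sorts ascending, so the
    numeric fields are negated and the bool is inverted."""
    return (not f.in_kev, -f.severity, -f.exploitability, -f.age_days)


def select_for_month(findings, capacity: Optional[int] = None) -> list[str]:
    """IDs to fix this month. With no explicit capacity, apply the 10% rule;
    when real capacity is smaller than that, the ranking decides what is cut."""
    ordered = sorted(findings, key=triage_key)
    n = monthly_budget(len(findings)) if capacity is None else min(capacity, len(findings))
    return [f.id for f in ordered[:n]]


def simulate_backlog(initial: int, monthly_inflow: int, months: int,
                     fraction: float = FIX_FRACTION) -> list[int]:
    """Open-flaw count at the end of each month when you close `fraction` of
    whatever is open and `monthly_inflow` new flaws arrive each month."""
    history, open_count = [], initial
    for _ in range(months):
        open_count = open_count - monthly_budget(open_count, fraction) + monthly_inflow
        history.append(open_count)
    return history


if __name__ == "__main__":
    print("10% rule picks:", select_for_month(SAMPLE_BACKLOG))
    print("capacity of 3 picks:", select_for_month(SAMPLE_BACKLOG, capacity=3))
    print("backlog by month:", simulate_backlog(1000, 50, 60))
```

The simulation is the part worth staring at: closing a fixed fraction of the open backlog is a proportional rate, so with 50 new flaws arriving each month a 1,000-flaw backlog settles at 500 (inflow divided by the fraction) and stays there. The 10 percent rule stops a backlog from growing, but it does not drive it to zero on its own; for that you raise the fraction or cut the inflow at the source, which is exactly the "bake security in from day one" argument.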
We closed with optimism: winning is possible if we measure what matters and bake security in from day one.
Podcasting with Tejas Davke: “Shift Left Without Slowing Down”
Right after breakfast I ducked into a quiet alcove to record a podcast with Tejas Davke. I peppered Tejas with the eight questions about secure software development we’d drafted together beforehand, from guarding against model-drift to whether auto-remediation is a silver bullet. My favorite moment was when he answered the question about how to give real-time feedback “without undermining developer flow.” He argued that the feedback loop should feel like a spell-checker—instant, contextual, and opinionated, but never blocking the save button.
That conversation set the tone for the rest of my RSA: AI isn’t just another tool; it’s going to be integral to how we write, test, and trust code.
A Book, a Sharpie, and 200 Conversations
On Tuesday Veracode hosted a State of Software Security 2025 book signing in our space on the 2nd floor of the W Hotel. Handing attendees a physical copy felt retro—in a good way. Many flipped straight to the Leaders and Laggards data and asked how their team compared. Those five-minute coaching sessions reminded me that data is the most persuasive story we can tell.
The Hacking Games Panel: Steering Gen Z Toward the Light
Wednesday evening the scene shifted to the W Hotel for “The Hacking Games: The Ethical Fork in the Road Facing Gen Z.” Sharing the stage with BiaSciLab, Caitlin Sarian (Cybersecurity Girl), John Hammond, and Fergus Hay, we debated how to keep tomorrow’s hackers on the right side of the law and steer them toward a career in cybersecurity. With trillions projected to be lost to cyber-crime by 2027 and 80 percent of NYC teens admitting they’d hacked before 16, the urgency is real.
My message: give young talent legal playgrounds, clear ethical codes, and paths to purpose. Veracode is partnering with Hacking Games because the best antidote to adversarial AI is a diverse pipeline of defenders who understand both the technology and the stakes.
AI Everywhere: The RSA Backdrop
Throughout the conference, AI’s double-edged sword hovered over every session:
- AI as Defender: AI fixing vulnerable code, real-time anomaly detection, autonomous malware triage, and agentic security “co-pilots.”
- AI as Attacker: hyper-personalized phishing, automated exploit generation, and deepfake-enabled social engineering.
- Identity as the New Perimeter: securing both humans and non-human entities (APIs, bots) became table stakes.
Speakers agreed that proactive, AI-driven defenses must outpace AI-enhanced offenses.
Where Veracode Fits
All week I heard CISOs wrestle with three questions:
- Can we trust AI-generated code?
- How do we shrink the remediation backlog?
- How do we prove to regulators we’re “secure by design”?
Veracode sits at the intersection of those needs. Our integrated SAST, DAST, SCA, and AI code remediation give developers real-time guardrails while feeding leadership the metrics they need for boardrooms and Brussels alike. The SoSS 2025 book we handed out is more than marketing—it’s a public data set designed to move the entire industry forward.
Looking Ahead—An Upbeat Outlook
When the lights dimmed on Thursday afternoon I felt something I haven’t felt at RSA in years: momentum. Yes, the threat curves are still steep, but collaboration is steeper. Founders of the next generation of cybersecurity companies are swapping hard-won lessons. Podcasters are pushing nuanced debates into earbuds worldwide. Researchers are open-sourcing exploitability scores. Policy makers are demanding defensibility, not box-ticking. And people are working on a mission for 16-year-old hackers to see that “ethical” can be cooler—and more lucrative—than “criminal.”
I left San Francisco with a Sharpie-stained hand and a conviction that we are inching the D/O balance toward defenders. The next twelve months will test whether we can maintain that pace, but if RSA 2025 was any indicator, the industry is ready to sprint.
See you in 2026.