It’s almost the New Year, and naturally, many people are looking to make resolutions to improve their processes in the year ahead.
DevSecOps teams, whose focus is the software development lifecycle, will want to take greater steps to improve the security of their pipelines in the wake of the growing number of supply chain attacks.
In June, dark web monitoring company Cyble reported that 79 cyberattacks with “supply chain implications” took place in the first five months of 2025, and that at least half of them targeted IT and technology providers and telcos. The trend is upward: between September 2024 and February 2025 Cyble counted slightly fewer than 13 such attacks per month, while between October 2024 and May 2025 the figure rose to 16 per month.
Then there is AI, which cyber criminals are using to scale their operations and better target their victims. A recent article in The Hacker News stated that “AI-enabled supply chain attacks are exploding in scale and sophistication – Malicious package uploads to open-source repositories jumped 156% in the past year.”
With these facts in mind, it’s reasonable to assume that the people protecting the supply chain will have to do better next year, or cyber criminals will continue to see rising success.
Reducing Supply Chain Attacks
There are many steps DevSecOps teams can take to reduce the chance of a security incident that leads to a supply chain attack, including dependency scanning, continuous monitoring, threat detection, and automated security testing.
In addition, DevSecOps teams must consider the critical role that Public Key Infrastructure (PKI) plays.
PKI is critical for DevSecOps because it establishes trust and protects the integrity of software throughout the development and deployment pipeline. PKI-based digital certificates, Code Signing Certificates in the DevSecOps case, enable digital signing of source code, build artifacts and container images, so that consumers can verify who produced them and detect any tampering after signing; a signature only helps if the pipeline actually verifies it before the artifact is used. PKI also secures communication between systems and services through encryption and certificate-based authentication, which reduces the risk of unauthorized access. By verifying signatures and enforcing trusted identities, PKI helps prevent supply chain attacks and supports compliance with security standards.
DevSecOps Teams Haven’t Always Relied on PKI
The reality is that DevSecOps processes have not always used PKI-backed certificates. Historically, teams have opted for self-signed certificates, which were viewed as reliable enough while also being free and quick to create. A self-signed certificate, however, proves only that its holder controls a key, not who that holder is; nobody independent has vouched for the identity in it.
With the increase in volume and complexity of cyberattacks targeting the software supply chain, organizations will very likely have no choice but to expand their use of trusted digital certificates. In fact, Mordor Intelligence predicts that the Code Signing Certificate market could reach $50.3M by 2029.
With that in mind, here are GlobalSign’s top new year resolutions we suggest for DevSecOps teams.
1. I Will End My Reliance on Self-Signed or Unapproved Certificates
Under pressure to meet deadlines, teams sometimes bypass PKI by creating self-signed certificates or using certificates that are not trusted by the organization. The pipeline then has to either trust an arbitrary certificate or skip verification altogether, which creates compliance issues and exposes systems to man-in-the-middle attacks, and any build signed this way carries no verifiable identity.
2. I Will Stop Using Manual Processes for Certificate Lifecycle Management
Many teams still rely on manual steps to request, issue, and deploy certificates. This slows down CI/CD pipelines and introduces human error, which raises the risk of expired certificates and, in turn, of outages that take websites down and bring product use to a standstill. Automating certificate issuance, deployment and renewal is the best way to manage them successfully.
3. I Will Pay Closer Attention to Certificate Industry Rules & Regulations
On March 1, 2026, per the CA/Browser (CA/B) Forum, the industry body that sets the baseline requirements for publicly trusted certificates, the maximum validity of Code Signing Certificates will be reduced to 460 days. This change will affect security strategies, compliance, and operational workflows across industries, and shorter validity also means more frequent renewals, which is hard to keep up with by hand. If you use Code Signing Certificates but are not taking steps to ensure they meet the new requirement, your company could run into numerous issues and find itself non-compliant. Why take that risk?
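Resolutions 1 and 3, together with the signing and verification role described for PKI above, come down to checks a pipeline can run automatically, which is also the point of resolution 2. The Go program below is an added example, not GlobalSign’s code or anything from the original article; it uses only the standard library and builds its own in-memory root CA, so it runs offline. `CheckSigningCert` rejects a self-signed certificate, requires a chain to an approved root that permits the code signing extended key usage, and refuses a validity period above the 460-day cap the article cites; `SignArtifact` and `VerifyArtifact` show the signing step and the deployment-stage check that fails on any altered byte. The certificate names, the 365-day and 1,095-day validity periods, the fixed clock of 1 March 2026 and the artifact bytes are all constructed for the example, and the EKU and chain-of-trust checks go slightly beyond what the article states.

```go
package main
import (
	"bytes"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"fmt"
	"math/big"
	"time"
)

// MaxCodeSigningValidity is the 460-day cap the article cites (CA/B Forum, from 1 March 2026).
const MaxCodeSigningValidity = 460 * 24 * time.Hour

var Clock = time.Date(2026, time.March, 1, 12, 0, 0, 0, time.UTC) // assumed fixed "now" for the fixtures

// CheckSigningCert is the pipeline gate for a code signing certificate: no self-signed
// certificates, a chain to an approved root that permits code signing, validity within the cap.
func CheckSigningCert(cert *x509.Certificate, roots *x509.CertPool, now time.Time) error {
	if bytes.Equal(cert.RawIssuer, cert.RawSubject) &&
		cert.CheckSignature(cert.SignatureAlgorithm, cert.RawTBSCertificate, cert.Signature) == nil {
		return errors.New("self-signed certificate is not approved for code signing")
	}
	opts := x509.VerifyOptions{Roots: roots, CurrentTime: now, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageCodeSigning}}
	if _, err := cert.Verify(opts); err != nil {
		return fmt.Errorf("certificate does not chain to an approved CA: %w", err)
	}
	if v := cert.NotAfter.Sub(cert.NotBefore); v > MaxCodeSigningValidity {
		return fmt.Errorf("validity of %.0f days exceeds the 460-day limit", v.Hours()/24)
	}
	return nil
}

// SignArtifact signs the SHA-256 digest of a build artifact with the key behind the certificate.
func SignArtifact(key *ecdsa.PrivateKey, artifact []byte) ([]byte, error) {
	digest := sha256.Sum256(artifact)
	return ecdsa.SignASN1(rand.Reader, key, digest[:])
}

// VerifyArtifact is the deployment-stage check: certificate policy first, then the signature
// must match the artifact exactly, so any byte altered after signing fails.
func VerifyArtifact(cert *x509.Certificate, roots *x509.CertPool, now time.Time, artifact, sig []byte) error {
	if err := CheckSigningCert(cert, roots, now); err != nil {
		return err
	}
	return cert.CheckSignature(x509.ECDSAWithSHA256, artifact, sig)
}

func must[T any](v T, err error) T {
	if err != nil {
		panic(err)
	}
	return v
}

// issue generates a P-256 key and a certificate for it, valid for days starting a day before
// Clock. A nil parent makes it self-signed. CAs get certSign, leaves get the code signing EKU.
func issue(cn string, days int, isCA bool, parent *x509.Certificate, signer *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey) {
	key := must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader))
	start := Clock.Add(-24 * time.Hour)
	tmpl := &x509.Certificate{
		SerialNumber: must(rand.Int(rand.Reader, big.NewInt(1<<62))), Subject: pkix.Name{CommonName: cn},
		NotBefore: start, NotAfter: start.Add(time.Duration(days) * 24 * time.Hour),
		BasicConstraintsValid: isCA, IsCA: isCA, KeyUsage: x509.KeyUsageDigitalSignature,
		ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageCodeSigning},
	}
	if isCA {
		tmpl.KeyUsage, tmpl.ExtKeyUsage = x509.KeyUsageCertSign, nil
	}
	if parent == nil {
		parent, signer = tmpl, key
	}
	der := must(x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, signer))
	return must(x509.ParseCertificate(der)), key
}

// Fixtures is a constructed trust setup (example data, not real certificates).
type Fixtures struct {
	Roots                     *x509.CertPool
	Good, TooLong, SelfSigned *x509.Certificate
	GoodKey                   *ecdsa.PrivateKey
}

// BuildFixtures makes an in-memory root CA, a compliant 365-day leaf, an over-long 1095-day leaf,
// and a self-signed leaf that never went near the CA (the "dev laptop" case from resolution 1).
func BuildFixtures() *Fixtures {
	ca, caKey := issue("Example Approved Root CA", 3650, true, nil, nil)
	roots := x509.NewCertPool()
	roots.AddCert(ca)
	good, goodKey := issue("build-signer", 365, false, ca, caKey)
	tooLong, _ := issue("legacy-signer", 1095, false, ca, caKey)
	selfSigned, _ := issue("dev-laptop", 365, false, nil, nil)
	return &Fixtures{Roots: roots, Good: good, TooLong: tooLong, SelfSigned: selfSigned, GoodKey: goodKey}
}

func main() {
	f := BuildFixtures()
	for _, c := range []*x509.Certificate{f.Good, f.TooLong, f.SelfSigned} {
		fmt.Printf("%-24s -> %v\n", c.Subject.CommonName, CheckSigningCert(c, f.Roots, Clock))
	}
}
```

Running it prints `<nil>` for the approved leaf and an error naming the violated rule for the other two. In a real pipeline the roots pool would hold the organization’s approved CA certificates rather than a generated one, `now` would be `time.Now()`, and the same `CheckSigningCert` call belongs in the job that requests and deploys certificates, so an over-long or unapproved certificate is caught at issuance rather than at release time.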
Hopefully, the coming year will bring a reduction in supply chain attacks. This is more than achievable if the proper tools and practices are put in place and maintained by the DevSecOps community to keep code secure. Keeping watch on industry rules and regulations, ending reliance on outdated practices, and automating certificate management will be especially important. A variety of vendors can help you put PKI in place to protect your code and keep cyber criminals at bay.

