Blog

2025 in Review: The Year Open Source Software Security Grew Up

John Amaral

CTO, Co-Founder

Published: Dec 31, 2025

As 2025 wraps up, I keep coming back to the same thought: this was the year our industry finally got honest with itself.

I've spent two decades in security, through acquisitions, hypergrowth, and more than a few market cycles. I've watched ideas come and go. But something shifted this year. We stopped talking about what should work and started dealing with what actually does.

The Theory Met Reality

For years, the answer to every OSS security problem was the same: shift left. Push security earlier. Get ahead of the problem. It became gospel, repeated at every conference, baked into every framework.

But 2025 was the year the data caught up. Teams had done everything right. They'd invested in the tools, built the processes, trained their developers. And they were still drowning. Not because they'd failed, but because the model itself had limits we'd been reluctant to name.

Then AI coding tools hit critical mass, and suddenly developers could generate code faster than anyone anticipated. The security review process that was already strained? It broke. The gap between what teams could build and what they could secure grew faster than anyone could close it.

What I found hopeful wasn't the problem. It was how people responded. Instead of doubling down on what wasn't working, I watched teams start asking better questions. Not "how do we scan earlier?" but "how do we actually fix things at the pace modern development demands?"

Getting Out of the Building

This year I had the chance to test some of these ideas in front of people wrestling with the same challenges.

At SecTor in October, I did something a little risky: I put container security assumptions to the test live, on stage. We scanned the base images everyone trusts (Alpine, Debian, Ubuntu, Distroless) and compared what the audience expected to find against what actually showed up. The gaps were eye-opening. Images people assumed were clean had critical CVEs. The conversation that followed was one of the most honest I've had at a conference.

Earlier in the summer, I joined Patrick Gallagher on the Engineering Leadership Podcast. We got into why I think shift left is dead, what "Do-It-as-a-Service" actually means, and how the Jobs-to-Be-Done framework changed how I think about building products. It was a wide-ranging conversation: vision-first leadership, eliminating toil, what it means to think in outcomes instead of features. If you're curious about the philosophy behind what we're building at Root, that episode captures it pretty well.

The Team

I can't write about 2025 without talking about the people I get to work with.

Building a company is hard. Building one that ships daily, stays focused, and actually solves hard problems (not just talks about them) is harder. The Root team did that this year. We argued about the right approach, got things wrong, fixed them, and kept moving. There's no playbook for what we're doing, and I'm grateful to work with people who are comfortable with that.

The technology finally caught up this year. We went from "automation" that still required a human at every step to actual end-to-end remediation. The thing we'd been promising (security that just works, without requiring teams to scale linearly with their codebase) we shipped it. That's not a marketing claim. It's what the team built.

Looking Ahead

2026 feels different. The opportunity is clearer. Open source software security is finally catching up to development velocity, not by slowing developers down or asking security teams to do the impossible, but by building systems smart enough to handle remediation autonomously.

We moved past aspirational frameworks this year. We had honest conversations about what works and what doesn't. That clarity is what I'm most grateful for.

Here's to building on it.

Happy New Year.

— John