SecurityBrief UK - Technology news for CISOs & cybersecurity decision-makers

Codific predicts nine key cybersecurity shifts for 2026

Wed, 24th Dec 2025

Coding security specialist Codific has set out nine trends it expects to shape cybersecurity in 2026, ranging from the decline of passwords and the spread of "shadow AI" at work to a heavier focus on software supply chains and architecture.

The outlook, based on input from leaders involved in several Open Worldwide Application Security Project (OWASP) initiatives, spans individuals, companies and application security professionals. It points to a year in which artificial intelligence, regulatory pressure and changing development practices alter how people and organisations think about digital risk.

The individual user

Codific co-founder and Geneva Business School professor Dr Dag Flachet said phishing attacks will look increasingly authentic as generative AI improves language, tone and personalisation. The company expects fake emails, voice messages and video content that resemble communications from trusted contacts.

"We are going to have to have multiple trusted channels with those who are close to us. If one channel (email, WhatsApp, Slack, etc.) gets an important message, you may need to validate this on another channel. We may even pick up the phone and call each other, like it's the 90s!" said Flachet, co-founder of Codific and board member and professor at Geneva Business School.

Codific predicts that passkeys will enter mainstream use as a replacement for passwords. Passkeys combine biometric checks with cryptographic keys that sit on a device. They provide multi-factor authentication in a single step and rotate keys so that attackers cannot reuse them.
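The two properties the paragraph above relies on, a single-use challenge per login and a key pair scoped to one origin, are easiest to see in code. The following is an added, constructed model of that flow (not Codific's code and not a real WebAuthn implementation); the Authenticator, RelyingParty and clientData names and the origin strings are assumptions for the illustration.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"errors"
)

// Authenticator: device side of a constructed passkey model (not real WebAuthn). One key pair per origin; private keys never leave the device.
type Authenticator map[string]ed25519.PrivateKey
// Create makes a key pair scoped to one origin and returns the public half for registration.
func (a Authenticator) Create(origin string) ed25519.PublicKey {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader) // crypto/rand does not fail in practice
	a[origin] = priv
	return pub
}
// clientData binds the challenge to the origin the client actually talked to.
func clientData(origin string, challenge []byte) []byte {
	h := sha256.Sum256(append([]byte(origin+"|"), challenge...))
	return h[:]
}
// Sign answers a challenge with the key held for the origin the client sees.
func (a Authenticator) Sign(origin string, challenge []byte) []byte {
	return ed25519.Sign(a[origin], clientData(origin, challenge))
}
// RelyingParty: server side for one account, holding the registered key and one single-use challenge.
type RelyingParty struct {
	Origin  string
	PubKey  ed25519.PublicKey
	pending []byte
}
// Challenge issues a fresh random nonce; Verify consumes it, so a captured response cannot be replayed.
func (rp *RelyingParty) Challenge() []byte {
	rp.pending = make([]byte, 32)
	rand.Read(rp.pending) // crypto/rand does not fail in practice
	return rp.pending
}
// Verify accepts only the pending challenge, signed by the registered key over this origin.
func (rp *RelyingParty) Verify(challenge, sig []byte) error {
	if rp.pending == nil || !bytes.Equal(rp.pending, challenge) {
		return errors.New("unknown or already used challenge")
	}
	rp.pending = nil // consumed even if the signature turns out to be bad
	if !ed25519.Verify(rp.PubKey, clientData(rp.Origin, challenge), sig) {
		return errors.New("signature does not match the registered key for this origin")
	}
	return nil
}
```

A replayed response fails because the challenge was consumed, and a response produced for a lookalike origin fails because that origin got its own key pair and the signed data names the wrong origin.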

"We are often asked to compromise usability for security. But not with passkeys: they are both faster to log in and safer. Expect most of your applications to shift to passkeys in 2026. Bye-bye endless list of different passwords for each system, and bye-bye password managers. You won't be missed," said Flachet.

The company also expects consumers to reduce the amount of personal information that they share publicly online. Codific links this to AI-driven phishing and automated data scraping by bots, and suggests that family content will shift from public social networks to closed groups and private channels.

"In 2026 our friend will know. Not sharing is caring," said Flachet.

Corporate concerns

On the corporate side, Codific highlights the growth of "shadow AI". This covers staff using unapproved AI tools and services and feeding them potentially sensitive information. The company said this increases exposure around strategy, compliance and ethics.

"Fighting Shadow AI is not going to be easy. There are two pillars to your defence. The first one is education, making sure your employees understand the risk of sharing information or access with AI models or agents. The second is access to tools. Make sure your teams have the tools they need on their security-endorsed tool-belt. Run models locally if needed. But don't forbid and forget; the path of least resistance should be the use of approved tools," said Flachet.

Codific links the rise in attacks against firms of all sizes with growing regulatory demands, including the EU's Cyber Resilience Act. It expects more organisations to face internal or external scrutiny over whether they have "done enough" on security.

The company forecasts increased use of structured security process inventories that draw on frameworks such as the OWASP Software Assurance Maturity Model (SAMM). It frames this as a shift from viewing certifications like ISO27001 and SOC2 as sufficient on their own.

"ISO27001 or SOC2 used to be enough. But no longer in 2026: we now need to be able to demonstrate that our defenses are in line with the risk at hand. We see a boom in the usage of maturity models to track organizational processes around security. That is a good thing; at least now we know where we are at," said Flachet.

Codific also highlights questions over the security of AI-generated code. It expects organisations to rely more heavily on tools and models that rate the security of such output, with human reviewers combining different sources of information to reach a judgment.

"There is a tradeoff between velocity of building new things and the quality (and security) of these things. This we accept. 'Build fast and break things' did not age well. But in 2026, will we even know if it is broken?" said Flachet.

AppSec under pressure

For application security professionals, Codific places software bills of materials (SBOMs) at the centre of activity in 2026. It links this to a more modular development ecosystem and to changes in the OWASP Top 10 list, where Software Supply Chain Failures and Security Misconfiguration rose in prominence in 2025.

Flachet said many companies treat the OWASP Top 10 as a checklist, despite its stated role as an awareness document. He expects closer examination of third-party components and their configuration, and a stronger focus on supply chain risk.

"Unfortunately the OWASP Top 10 is the finite list of things to care about for many organizations; unfortunately because it is an awareness document that only touches on the tip of the iceberg. Still, it is very impactful, so supply chain management is about to have its year in the sunshine. That, combined with obligations such as the EU CRA, will really mature the wide use of SBOM across the industry," said Flachet.

Union University Computer Science Department Chair and OWASP Top 10 project leader Prof Brian Glas said modern software work extends beyond core coding tasks.

"For better or worse, software 'development' is getting more complex, and the scope beyond code is continuing to grow rapidly. This is evident with the rise of Software Supply Chain Failures and Security Misconfiguration. The current models and methodologies are asking developers to be responsible for a lot more than just writing code," said Glas.

Codific expects security specialists to spend less time reviewing low-level code and more time on higher-level design. It links this shift to automation that can handle syntax and basic issues, and it anticipates growth in threat modelling and business logic analysis.

"Shift Left has been internalized, but there is also a shift up. Up in levels of abstraction, the tools we use will take care of the pedantic issues in the code. But for now, we still need to see the bigger picture. What are we doing? What could go wrong? What can we do about it, and is that good enough?" said Flachet.

Codific also predicts a move away from an over-reliance on the Common Vulnerability Scoring System (CVSS) as a proxy for application risk. It argues that firms will place more weight on security requirements and verification standards at design time, including OWASP's Application Security Verification Standard (ASVS) and SAMM.

"In 2025 Dr. Aram Hovsepyan highlighted the flaws in CVE and CVSS. This insight is now integrated in the industry and the industry is looking for new ways to measure and improve. Fortunately OWASP is there to support us with a plethora of free tools and resources, including OWASP ASVS, OWASP SAMM and a free course on metrics by Dr. Aram Hovsepyan," said Flachet.

Codific founder and CEO Dr Aram Hovsepyan has worked on application security for more than 15 years and is a core contributor to OWASP SAMM. His academic work on privacy engineering methods such as LINDDUN now features in international standards, and he expects 2026 to bring further changes in how organisations measure and manage software risk.
