While we’ve spent a significant amount of time discussing the vulnerability management landscape and its challenges, as well as how to go about addressing vulnerabilities and managing them in large complex environments, we would be remiss if we didn’t take some time to discuss a fundamental shift that’s needed—the shift to secure-by-design/default software and integrating security throughout the system and software development life cycle (SDLC) to stop the bleeding.

With modern organizations drowning in vulnerability backlogs in the hundreds of thousands to millions and consumers increasingly being faced with insecure products and software, no amount of innovation and efficiency in managing vulnerabilities will have the impact that addressing the root of the issue will. This is because most software and digital systems aren’t made with security as a core part of the product development process.

We’ve begun to see an industry-wide shift and calls for secure-by-design software and products, with the message being championed by organizations such as the Cybersecurity and Infrastructure Security Agency (CISA) in the United States as well as key U.S. government technology and security leaders. The concept was even emphasized in the latest U.S. National Cybersecurity Strategy (NCS) (www.whitehouse.gov/wp-content/uploads/2023/03/National-Cybersecurity-Strategy-2023.pdf), which called for driving the adoption of secure-by-design principles and shifting the burden ...