
Secure by Design "Demands Transparency and Accountability"

Cybersecurity leaders should stop thinking like pessimists and start acting like builders.

Attackers are still winning more often than defenders.

Speaking at RSA Conference in San Francisco, Veracode founder Chris Wysopal and Columbia University’s Jason Healey said that winning the Secure by Design battle will require more than just better technology — it demands transparency and accountability.

A year on from the announcement of CISA’s Secure by Design pledge, where 68 of the world’s leading software vendors agreed on seven core goals, Wysopal championed the idea of mandatory software attestation, modelled after manufacturing quality control.

“Software used to be a black box. Now, with attestation forms, customers can finally demand proof of how secure software was built,” he said.

Software Development Timelines

Wysopal also emphasised that security must be built into software development timelines — not treated as an afterthought. “You need to embed security into the ‘definition of done’ in software development,” he said. “Otherwise it always looks like security is slowing you down.”

The speakers said defenders can still win — but only if they measure progress, close feedback loops faster, invest in fixing vulnerabilities proactively, and hold each other accountable.

Inherited Problems

As reported by SC US, Healey left the audience on a positive note: “We can fix the problem we inherited from our grandparents. We're finally seeing the returns on decades of defensive investment.”

Wysopal agreed and encouraged cybersecurity leaders to stop thinking like pessimists and start acting like builders. “We’ve crossed the 50 percent mark. More than half of applications are now free of OWASP Top 10 flaws. That’s a glass half full — and rising,” he said.


Dan Raywood

Dan Raywood is a B2B journalist with 25 years of experience, including covering cybersecurity for the past 17 years. He has extensively covered topics from Advanced Persistent Threats and nation-state hackers to major data breaches and regulatory changes.

He has spoken at events including 44CON, Infosecurity Europe, RANT Forum, BSides Scotland, Steelcon and the National Cyber Security Show, and served as editor of SC Media UK, Infosecurity Magazine and IT Security Guru. He was also an analyst with 451 Research and a product marketing lead at Tenable.

