As an industry, we transitioned from no focus on security to expecting an underfunded and under-tooled discipline to handle the topic for an entire organization.
From there, we started to shift the responsibility to produce and deploy software securely back onto developers and operators.
We did this without providing them the tools or training to perform these jobs effectively.
We’ve also neglected creating and deploying the kind of tools that enable an organization to assess if their SDL and overall security programs are effective, instead focusing on tactical tools without considering their effectiveness.
At the same time, we’ve continued to rely on blind faith that vendors are doing the right thing and have failed to hold them accountable for repeated mistakes.
In essence, we have regressed to where we started, with voices in the corner screaming about how we need to be making informed decisions to mitigate threats proactively instead of chasing the latest novelty.
We can’t have it both ways. Either security teams continue to exist, work closely with the product and operations teams, and grow in proportion to the teams they support, or we build the kind of products that allow security teams to assess what’s happening at scale, augmenting developers with expert systems that give them access to the knowledge needed to design and build secure systems from the get-go.
We must stop papering over issues and make the right thing the easy thing.
@_ChezDaniela @Dave_Maynor Isn't that the Microsoft approach? Sorry that we messed up. Pay us more for those E5 licenses so you can tell us the next time it happens.
@lorenc_dan So sadly true, the response to customers has been "See, we told you that you should have been paying for E5 licenses. Do you want to write that check now?"
@arynncrow Hopefully it was done in a medical facility and you didn't wake up in a bathtub full of ice. Glad everything turned out OK. Maybe we can find a way to get @tomsegura to sign your appendix?
@MalwareJake @BrianVarnerVA This is what normally ends up happening but it's one of those fun questions for the auditors that don't suck. All 3 of them. I kid, I kid.
@BrianVarnerVA @MalwareJake It's a debate that I've seen regularly. If it's the same identifier for the account but a different credential, is it the same account? It comes around to the same discussions with step-up auth, MFA, passkeys, etc.
@rmhrisk It's incredible how many threat models can be thrown out the window with a ball peen hammer. Also a much easier approach if the target is work from home. Sometimes I hate that my brain works this way.