From hardcoded credentials to auth gone wrong: Old bugs continue to break modern systems

Why are we still here?

For all the industry talk about development practices, threat modelling, and DevSecOps, the same root causes keep surfacing with surprising regularity. “Developing code without vulnerabilities, weaknesses, and shortcomings is hard,” Sampson said. “Despite advances in tooling, doing a quick fix that you promise to revisit later has less friction than trying to get everything right the first time.”

Norton described it as an organizational mindset problem: “There’s still a cultural disconnect. Developers may lack the training, time, or tools to consistently apply secure practices, while security teams may not be equipped to provide timely, context-aware guidance. Security isn’t always embedded, it’s tacked on.”

And then there’s AI. “AI-assisted code generation is often trained on imperfect, flawed code in the wild,” warned Carielli. “It’s not going to magically generate secure code unless we scan it and integrate it into a robust DevSecOps process.”

Sampson agreed. “AI for code generation and AI for enforcing secure defaults are different solutions, but we often assume they’re the same.”

Vendors, meanwhile, face few incentives to re-audit aging systems, particularly when those systems are technically “out of support” but still widely deployed. This results in a patchwork of vulnerable endpoints lurking in networks, years after their manufacturers have moved on.

Infrastructure is stuck in the past

These recurring failures often stem from what might be called the infrastructure catch-up problem. Devices like printers, routers, and wireless controllers are still being deployed with embedded security models that haven’t fundamentally changed since the early 2000s. Once installed in enterprise environments, these devices are rarely patched, partly due to operational complexity, and partly because patching is simply not prioritized.

In parallel, large organizations are layering next-gen tools on top of brittle legacy systems. While developers race to integrate AI and microservices, the underlying platforms are full of old code, default configurations, and forgotten modules.

“There’s a belief in some quarters that ‘it won’t happen to us’, a kind of security by obscurity,” said Sampson. “But legacy foundations remain a critical root cause across the board.”

What must CISOs do?

So what can security leaders do when the same foundational issues keep cropping up? The answer lies not in waiting for silver bullets but in recommitting to basic, deliberate action, experts say.

Carielli recommends embedding tools directly into the pipeline. “Incorporate code scanning tools like SAST and SCA into the dev pipeline, and make sure that findings are triaged so teams can focus on the most impactful issues.”

Norton emphasized automation that helps developers fix issues, not just find them. “Invest in tools that provide context-specific secure code suggestions. AI can help scale security if it’s tuned for remediation, not just detection.”

And Sampson, with a nod to developer UX, said, “We need the coding equivalent of Grammarly.”

It’s also time to rethink secure-by-design. All three experts noted that the current gap is not due to apathy, but scale, complexity, and a lack of alignment. “Secure by design is a continuum, not a one-stop shop,” Sampson said. “Practices have to mature within the organizational culture, or they don’t stick.”

First seen on csoonline.com

Jump to article: www.csoonline.com/article/4025516/from-hardcoded-credentials-to-auth-gone-wrong-old-bugs-continue-to-break-modern-systems.html
