SAN FRANCISCO - After five decades of cybersecurity evolution, attackers are still winning more often than defenders — and the clock is ticking to change that.

That was the urgent warning from Veracode founder Chris Wysopal and Columbia University’s Jason Healey during their RSA Conference 2025 talk, “Secure by Design: Are We Winning?” Spoiler: Not yet.

(For Complete Live RSAC 2025 Coverage by SC Media Visit SCWorld.com/RSAC)

“None of the known red team efforts have ever failed,” Wysopal reminded the audience, citing chilling assessments that date all the way back to 1972. “Even today, contemporary controls often can’t stop attackers from walking right in.”
The two experts didn’t just rehash the usual cybersecurity horror stories. Instead, they presented fresh data showing measurable improvements in software security, including real-world declines in vulnerability exploitability and significant gains in secure coding practices. But progress remains fragile, threatened by accelerating software development cycles, persistent security debt, and the emerging double-edged impact of AI.

The core problem hasn’t changed: the internet, and the software that runs on it, was never built with security in mind. Global connectivity, insecure software by default, and cascading failure risks have combined to hand attackers a systemic advantage that even sophisticated defenders struggle to overcome.

Healey added, “The idea that the attacker only has to be right once dramatically understates the scale of the problem. Our systems are so interconnected that one miss can cascade into a disaster.”

Still, Wysopal and Healey insisted hope is not lost. They pointed to national cybersecurity strategies from 2023 and 2024 that set a new goal: tip the balance toward defenders by baking security into the very foundations of digital infrastructure.
Some good news: Data shows real progress
There are green shoots: Veracode’s latest State of Software Security report showed a remarkable jump in the percentage of applications passing the OWASP Top 10 vulnerability checks, from 32% in 2020 to 52% in 2025.

“In just five years, we saw a 20% improvement,” Wysopal said. “That’s more progress than we made in the entire decade before.”

Healey underscored an even more encouraging signal. “The reduction in exploitability of CVEs is real — and it’s evidence that all of us are doing better, not just isolated companies,” he said.

According to the data presented, the proportion of high-severity vulnerabilities deemed "likely exploitable" by the Exploit Prediction Scoring System (EPSS) has dropped steadily from 3.7% to 2.7% over the past five years.

It’s the clearest sign yet that efforts to improve software security at scale are starting to pay off.
But big obstacles remain
Despite improvements in identifying vulnerabilities earlier, fixing them remains a serious bottleneck.

“Velocity has gotten so fast that people are just not fixing the vulnerabilities they know about,” Wysopal warned. “They’re prioritizing new features over security fixes.”

Wysopal reminded session attendees of the concept of software security debt: “If you haven’t fixed a vulnerability in over a year, that's software security debt. About half of organizations have it.”

Even more concerning, Wysopal revealed that while most flaws reside in first-party code, the most critical unfixed vulnerabilities are increasingly buried in third-party open-source components, often hidden inside transitive dependencies.

“Third-party code is causing a real systemic problem,” he said. “You can’t always patch what you didn’t know you pulled in.”

Adding to the challenge: size matters. Cobalt and Veracode data show larger organizations are consistently slower at fixing serious issues, often taking over a month longer than their smaller counterparts.
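The one-year rule quoted above, applied to a scanner export, is what most teams would need to measure their own security debt. The script below is an added example, not code from the article, from Veracode or from Cobalt: it takes a small, constructed set of findings and a constructed dependency graph (all component names are hypothetical), ages each finding against a fixed reference date, and walks the graph to tell first-party flaws from direct and transitive third-party ones, since the latter are the ones "you didn't know you pulled in".

```python
"""Security-debt triage over a constructed findings export.

Added example, not from the article or any vendor tool. Applies the
"unfixed for over a year" rule to hand-made findings and uses a
dependency graph to classify where each vulnerable component came from.
"""
from collections import deque
from datetime import date

DEBT_AGE_DAYS = 365  # "over a year" -> strictly older than 365 days

# Constructed dependency graph (hypothetical component names):
# key = component, value = components it pulls in.
DEPENDENCY_GRAPH = {
    "app": ["web-framework", "json-lib"],
    "web-framework": ["template-engine", "http-parser"],
    "template-engine": ["sanitizer"],
    "json-lib": [],
    "http-parser": [],
    "sanitizer": [],
}

# Constructed findings. component == "app" means first-party code.
# "legacy-crypto" is deliberately absent from the graph: a finding on a
# component no manifest accounts for is exactly the blind spot the talk warns about.
FINDINGS = [
    {"id": "F-1", "component": "app",           "severity": "high",     "first_seen": date(2024, 1, 10)},
    {"id": "F-2", "component": "json-lib",      "severity": "medium",   "first_seen": date(2025, 3, 1)},
    {"id": "F-3", "component": "sanitizer",     "severity": "critical", "first_seen": date(2024, 2, 15)},
    {"id": "F-4", "component": "http-parser",   "severity": "high",     "first_seen": date(2024, 6, 1)},
    {"id": "F-5", "component": "web-framework", "severity": "low",      "first_seen": date(2023, 11, 20)},
    {"id": "F-6", "component": "legacy-crypto", "severity": "high",     "first_seen": date(2023, 12, 1)},
]


def dependency_depth(graph, root="app"):
    """Breadth-first walk from the root; depth 1 = direct, >1 = transitive."""
    depth = {root: 0}
    queue = deque([root])
    while queue:
        node = queue.popleft()
        for child in graph.get(node, []):
            if child not in depth:          # shortest path wins if a dep is reachable twice
                depth[child] = depth[node] + 1
                queue.append(child)
    return depth


def classify_origin(component, depth, root="app"):
    """Label a component as first-party, direct, transitive, or unknown (not in the graph)."""
    if component == root:
        return "first-party"
    d = depth.get(component)
    if d is None:
        return "unknown"                    # phantom dependency: investigate before fixing
    return "direct-third-party" if d == 1 else "transitive-third-party"


def security_debt(findings, graph, today):
    """Annotate every finding with its age, origin, and whether it counts as debt."""
    depth = dependency_depth(graph)
    report = []
    for f in findings:
        age = (today - f["first_seen"]).days
        report.append({
            "id": f["id"],
            "severity": f["severity"],
            "age_days": age,
            "is_debt": age > DEBT_AGE_DAYS,
            "origin": classify_origin(f["component"], depth),
        })
    return report


def summarize(report):
    """Count debt items per origin; this is the number to trend quarter over quarter."""
    summary = {}
    for r in report:
        if r["is_debt"]:
            summary[r["origin"]] = summary.get(r["origin"], 0) + 1
    return summary


def transitive_debt_ids(report):
    """IDs of debt items buried in transitive or unaccounted-for dependencies."""
    return sorted(r["id"] for r in report
                  if r["is_debt"] and r["origin"] in ("transitive-third-party", "unknown"))


if __name__ == "__main__":
    REFERENCE_DATE = date(2025, 4, 30)      # fixed so the run is reproducible
    rep = security_debt(FINDINGS, DEPENDENCY_GRAPH, REFERENCE_DATE)
    for r in rep:
        print(r)
    print("debt by origin:", summarize(rep))
    print("transitive/unknown debt:", transitive_debt_ids(rep))
```

The reference date is pinned rather than taken from the clock so the numbers are reproducible; in practice you would feed the output of your SCA tool's export into `FINDINGS` and the resolved lockfile into `DEPENDENCY_GRAPH`. A finding whose component is missing from the graph is reported as "unknown" instead of being dropped, because that mismatch is itself the signal worth chasing.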
AI: A double-edged sword for security
Artificial intelligence is reshaping software development, for better and worse.

Wysopal cautioned that AI tools are already accelerating code creation, but not necessarily making it safer. “AI writes code that is slightly worse than humans when it comes to security. And if AI boosts developer productivity by 50%, you’re producing 50% more vulnerabilities unless you change how you fix flaws.”

However, AI could also become the solution to the problem it’s helping create. “I really think that generative AI-based fixing of code — auto-remediation — is the only solution,” Wysopal said.

Healey framed it optimistically: “It should be easier to get a few AIs coding securely than it is to train a million developers.” The idea: if AI can be trained on secure code patterns, it could one day close the remediation gap faster than traditional methods ever could.
Accountability is the next frontier
Both speakers stressed that winning the Secure by Design battle will require more than just better technology; it demands transparency and accountability.

Wysopal championed the idea of mandatory software attestation, modeled after manufacturing quality control. “Software used to be a black box. Now, with attestation forms, customers can finally demand proof of how secure software was built.”

At the same time, Wysopal emphasized that security must be built into software development timelines, not treated as an afterthought. “You need to embed security into the ‘definition of done’ in software development,” he said. “Otherwise it always looks like security is slowing you down.”
A call to action: We can fix this
Their final message was clear: defenders can still win, but only if they measure progress, close feedback loops faster, invest in fixing vulnerabilities proactively, and hold each other accountable.

Healey left the audience on a positive note: “We can fix the problem we inherited from our grandparents. We're finally seeing the returns on decades of defensive investment.”

Wysopal agreed and encouraged cybersecurity leaders to stop thinking like pessimists and start acting like builders. “We’ve crossed the 50% mark. More than half of applications are now free of OWASP Top 10 flaws. That’s a glass half full — and rising,” he said.
Tom Spring is Editorial Director for SC Media and is based in Boston, MA. For two decades he has worked at national publications in the leadership roles of publisher at Threatpost, executive news editor at PCWorld/Macworld and technical editor at CRN. He is a seasoned cybersecurity reporter, editor and storyteller who always aims for truth and clarity.