惯性聚合 高效追踪和阅读你感兴趣的博客、新闻、科技资讯
阅读原文 在惯性聚合中打开

推荐订阅源

K
Kaspersky official blog
罗磊的独立博客
F
Fortinet All Blogs
人人都是产品经理
人人都是产品经理
量子位
V
Visual Studio Blog
Blog — PlanetScale
Blog — PlanetScale
M
MIT News - Artificial intelligence
B
Blog RSS Feed
腾讯CDC
博客园_首页
aimingoo的专栏
aimingoo的专栏
博客园 - 三生石上(FineUI控件)
博客园 - Franky
S
SegmentFault 最新的问题
N
Netflix TechBlog - Medium
小众软件
小众软件
奇客Solidot–传递最新科技情报
奇客Solidot–传递最新科技情报
K
KPMG report finds enterprise disconnect between AI and its ROI | CIO
Threat Intelligence Blog | Flashpoint
Threat Intelligence Blog | Flashpoint
L
LINUX DO - 热门话题
cs.CL updates on arXiv.org
cs.CL updates on arXiv.org
Martin Fowler
Martin Fowler
D
Docker
P
Privacy & Cybersecurity Law Blog
S
Securelist
V
V2EX
Jina AI
Jina AI
阮一峰的网络日志
阮一峰的网络日志
T
Tor Project blog
The Hacker News
The Hacker News
Microsoft Azure Blog
Microsoft Azure Blog
AWS News Blog
AWS News Blog
The GitHub Blog
The GitHub Blog
有赞技术团队
有赞技术团队
T
The Exploit Database - CXSecurity.com
Help Net Security
Help Net Security
酷 壳 – CoolShell
酷 壳 – CoolShell
Application and Cybersecurity Blog
Application and Cybersecurity Blog
博客园 - 叶小钗
Recent Announcements
Recent Announcements
Cloudbric
Cloudbric
Y
Y Combinator Blog
钛媒体:引领未来商业与生活新知
钛媒体:引领未来商业与生活新知
freeCodeCamp Programming Tutorials: Python, JavaScript, Git & More
Latest news
Latest news
MongoDB | Blog
MongoDB | Blog
H
Hackread – Cybersecurity News, Data Breaches, AI and More
Recorded Future
Recorded Future
V2EX - 技术
V2EX - 技术

Latest news

How to qualify for Apple's education discount - and get a $499 MacBook Neo for school T-Mobile will give you a Samsung Galaxy Watch 8 for free - how to get yours Verizon will give you a free iPad or Apple Watch with your next iPhone - how the deal works The best laptops of 2026: Expert tested and reviewed I hid 4 Bluetooth trackers (including AirTags) to test their reliability - here's how Android rivals compared I stopped using my iPhone's hotspot after testing this 5G router - and that won't change The best Kindles in 2026: Expert recommended Does Best Buy price match? Everything to know about matching prices online and in-store The best WordPress hosting services of 2026: Expert tested and reviewed The best Apple Watch of 2026: Expert tested and reviewed The best TV screen cleaners of 2026: Expert recommended The best 50-inch TVs of 2026: Expert tested I traded my Sonos Era 300 for Denon's new home speaker - and see no reason to go back AI-powered website builders have come a long way - here's your best option in 2026 Amazon just slashed $250 off the Google Pixel 10 - and a Prime subscription isn't required I found the apps slowing down my PC - how to kill the biggest memory hogs These companies are actually upskilling their workers for AI - here's how they do it Verizon will give you Meta Ray-Bans for free with this Fios Internet deal - how to get yours I tried the new Gemini app for Mac - it has one major advantage over the web version How Google's updated AI Mode will ease your tab clutter when you search Why this MagSafe battery pack is our readers' favorite model right now - especially at its price T-Mobile will give you a Google Pixel 10a for free - plus an extra gift OpenAI's Codex Desktop can run your computer now - and has its own browser Want to build a startup that gets acquired? This founder shares 5 proven tips Google to pay $135M settlement to Android phone users - how to claim your share if you qualify Want to stand out on LinkedIn? Try this career strategist's top 3 tips for strengthening your profile I've used Dell's new XPS 16 for a week, and it's the Windows laptop to beat in 2026 You can get 50% off YouTube Premium for 1 year right now - but the deal ends soon Tidal vs. Qobuz: I tried both hi-res streaming services, and they couldn't be more different This stroller turns into a carry on-suitcase, and I recommend it for traveling parents The best small business VoIP providers of 2026: Expert tested and reviewed Protect your devices with our pick for the best antivirus software, now over 60% off MacBook Neo vs. Surface: Why spiraling RAM prices are bruising Microsoft's PC business but not Apple's I tried Google's new desktop app for Windows, and I'll never search the old way again Microsoft's Windows 11 laptop deal for students comes with a $500 bonus - what's included You can buy an LG B5 OLED for $1,500 off at Best Buy - and it comes with a free 4K TV Why Zorin OS 18.1 is simply the best Linux distro - for anyone Why Netgear just got the first FCC router ban exemption in the US Microsoft's latest Windows update now confirms if your PC is Secure Boot-protected - how it works Can this $70 Linux app make up for the lack of Photoshop? I tried it to find out 'Like handing out the blueprint to a bank vault': Why AI led one company to abandon open source iPhone charging slowly? 6 quick fixes to try before blaming your battery Roku TV vs. Fire Stick: Why I'm looking beyond streaming resolution when comparing the two AI is getting better at your job, but you have time to adjust, according to MIT The best internal communication tools of 2026: Expert tested and reviewed Half of all US employees use AI at work now - and waste almost 8 hours a week doing it The latest Google Home update brings Gemini fixes that I'm actually excited to try again This simple email trick saves me from annoying marketing spam (and it's free to do) I've been subscribed to a data removal service a month now - what I wish I knew sooner I love Sony's new Bluetooth turntable, so why do I feel so conflicted using it Is your Pixel battery draining faster lately? These 4 temporary fixes helped me You can use Linux 7.0 on these 7 distros today - here's what to expect Chrome's new 'Skills' update lets you save AI prompts now - for one-click reuse How I share audio from my Android phone to multiple earbuds (and why it's a big deal) How to use Google Messages' new Trash feature to recover texts you accidentally deleted Why the Apple Watch's 20-minute calibration test is worth your time - especially if you're data curious I tested every 'allergy-friendly' smart home gadget - these 6 actually keep the pollen out Meta is selling refurbished Ray-Bans for as low as $197 right now - but they're going fast Setting a MagSafe charger on my nightstand was the iPhone upgrade I didn't know I needed I swapped my Sony WH-1000XM6 for lower-end JBL headphones, and they still sounded great I tested ChatGPT Plus vs. Gemini Pro to see which is better - and if it's worth switching I used the 'Plus Five' rule to fix my iPhone's slow wireless charging - here's how it works The new rules for AI-assisted code in the Linux kernel: What every dev needs to know 'Job seekers have to be detectives': 3 signs that listing is a scam How the latest Netrunner distro delivers a Linux productivity powerhouse This Linux distro offers an easy DNS switcher - but there's more to it that I like I tested Artix Linux: An enjoyable systemd-free distro for experienced users (and ChromeOS speeds) I spent two years testing wind power at home - here's why solar is still my preferred source I camera-tested the Samsung Galaxy S26 Ultra with Oppo and Xiaomi - this model won it for me How I boosted my portable solar panels' power by up to 30% - 11 expert-approved tips I see why Ubuntu 26.04 is more than just a performance bump for thrill-seeking gamers France is ditching Windows for digital sovereignty - and its new Linux stack is taking shape As an Android user, this MagSafe wallet is the clearest reason why Qi2 magnets shouldn't be ignored The best Zoom alternatives in 2026: Expert tested and reviewed KDE Linux is the purest form of Plasma I've used in months - but there's a catch How I disabled 'fast startup' on my Windows 11 laptop to stop overnight battery drain 30 years later, I returned to Enlightenment Linux to test the Elive beta - and it's much better Here's my favorite email trick for cleaning up inbox clutter - automatically The $30 Google TV stick may be the budget Chromecast successor we've been waiting for The best AR and MR glasses in 2026: Expert tested and reviewed This handy electric screwdriver is now 50% off - here's where to snag the deal This Ryobi yard essentials bundle packs a free power tool - how to get yours After trying these boomless headphones in the office, I'm feeling hopeful for the future of work tech I used this EcoFlow battery to run my 3,000-sq-ft home in a blackout - here's how it kept my AC on Microsoft's Windows Insider Program is no longer a confusing mess Forget Shokz: I tried the Suunto Spark earbuds for a month, and they've sold me on air conduction iOS 26.4 brings essential upgrades to your iPhone - including a vital security fix YouTube Premium is getting a price increase in June - but you can save $32 with one change Your router may be vulnerable to Russian hackers, FBI warns: 5 steps to take now I walked 3,000 steps with my Apple Watch, Google Pixel, and Oura Ring - this tracker was most accurate I stopped guessing which AA batteries are dead - this charging station keeps them in check for me My favorite Android Auto find is these hidden shortcuts that are highly customizable AirDrop is coming to older Samsung phones - is yours supported? How to get it early I'm no longer using Google Photos as just a cloud storage - 5 tools that elevate the app The best data removal services of 2026: Expert tested and reviewed The best Samsung TVs of 2026: Expert tested and reviewed The best mobile scanning apps of 2026: Expert tested and reviewed The best HP laptops of 2026: Expert tested and reviewed After using Lenovo's new Yoga laptop, I'm wondering if Windows makers are running out of ideas Samsung S95H vs. Samsung S95F: I compared the OLED TVs and wasn't prepared for the upset
Stopping bugs before they ship: The shift to preventative security
Written by · 2026-05-11 · via Latest news
stopping-bugs-before-they-ship-the-shift-to-preventative-security
Tharon Green/ZDNET/Getty Images

Follow ZDNET: Add us as a preferred source on Google.


ZDNET's key takeaways

  • Secure software needs to begin before coding.
  • Threat modeling helps teams catch risky assumptions early.
  • Dependency hygiene can prevent hidden supply chain risks.

Software has a lifecycle. From the spark of an idea through coding, testing, deployment, customer use, and eventual revision or retirement, each line, module, and component becomes more entrenched, more solidified as part of the overall solution, and therefore much harder to fix if problems arise later. Yet, we often fix software solely based on late-stage usage. In this article, we'll discuss proactive strategies to prevent flaws from reaching production before deployment.

Two terms are key to this approach: secure-at-the-source and secure-by-design. Both terms refer to the process of building security and reliability into code at the earliest stage of the software lifecycle. We'll focus on how security can be designed into all phases, from requirements and design through coding, dependency selection, build pipelines, deployment, and maintenance.

Also: The best zero trust security platforms: Secure your network perimeters with fast, secure access controls

This approach requires a mindset shift through the lifecycle. Before we might have asked, "How quickly can we find and fix what went wrong?" That's still a valid question. But we're looking at asking another question much earlier: "Where are risks entering our development process, and what can we change in our designs, tools, templates, dependencies, and reviews so fewer of them reach code in the first place?"

Prevention starts before code

Coding always starts with a vision of the result desired. This process sparks a design stage, where designers and coders (sometimes the same person or people) work out how to approach the coding process. It's here, before the first line of code is written, that vulnerabilities start to manifest.

Also: What is antivirus software and do you still need it in 2026?

That situation arises because design decisions impact implementation. While working through the design, consider these factors carefully:

  • Trust boundaries: Weakly defined boundaries between users, services, networks, or systems can mean that one compromised area affects parts of the application that should have been isolated.
  • Identity: If the system doesn't reliably know who or what is making a request, every downstream security decision becomes questionable.
  • Authorization: If the architecture does not consistently enforce what each user or service is allowed to do, attackers may gain access to actions or data they should not have.
  • Data exposure: If sensitive data flows through too many systems, logs, APIs, or client-side components, it becomes easier to leak or misuse.
  • Logging: If logging is missing, excessive, or poorly designed, teams may either miss attacks or accidentally store sensitive information where it does not belong.
  • Failure modes: If the system fails while data is open, leaks details during errors, or behaves unpredictably under stress, outages and attacks can turn into security incidents.

We've all heard the phrase, "What could possibly go wrong?" It's usually said after some audacious and potentially unwise plan is proposed. 

But if you turn that phrase around and ask "What could possibly go wrong?" with serious intent, you can start to do threat modeling on your software. Other questions you can ask before committing to a design include: Who will use this system? What data will it touch? What services will it trust? What nefarious behaviors could an attacker try? What would happen if one part failed or was compromised?

Also: 10 ways AI can inflict unprecedented damage in 2026

Thinking through design decisions early, with threat and security issues top of mind, can help you catch risky assumptions early, while the design is still flexible. Then your team can make safer choices before those choices become expensive code, production dependencies, or customer-facing weaknesses.

Before you start coding, think about what "safe enough" means. Pre-planning security considerations means factoring authentication, authorization, encryption, auditability, data retention, abuse cases, and recovery behavior into your design from the beginning.

Also: Nearly half of cybersecurity pros want to quit - here's why

CISA (Cybersecurity and Infrastructure Security Agency) is America's primary cyberdefense agency. CISA is promoting a Secure by Design strategy, in which vendors build cybersecurity into the design and manufacture of technology products.

According to CISA, "Products designed with Secure by Design principles prioritize the security of customers as a core business requirement, rather than merely treating it as a technical feature."

If you're interested in this approach (and you really should be), I recommend reading CISA's detailed document on the strategy.

Prevention continues inside the developer workflow

I remember the day, decades back, when editors morphed into interactive development environments (IDEs) and became true helpers. The feature was the symbolic debugger, which allowed you to trace code flows, inspect variables, and install breakpoints. IDEs instantly improved my code quality because I could monitor every variable continually, and see what was changing and when.

Since then, IDEs have improved continuously. At some point, developers added features to monitor your code as you write it, flagging errors as you type. For you non-programmers, this feature is like when the spellchecker in your word processor shows those squiggly lines under words, but for entire sections of code.

Also: These 4 critical AI vulnerabilities are being exploited faster than defenders can respond

Despite the hype around vibe coding, humans will continue to write code. Maybe not all of it, and maybe not all coders, but there will still be experienced developers who create code line by line. For those developers, secure-at-the-source means that the IDE should be able to flag security issues as much as syntax issues, while the code is being written.

Other secure-at-the-source additions to the developer workflow include checks in pull requests before merging, dependency alerts in repositories, secrets detection before commits become incidents, automated tests in CI/CD pipelines, safer package guidance when choosing libraries, issue tracking that connects findings to real work, and deployment checks that prevent risky changes from reaching production unnoticed.

Just this year, Amazon (a firm that should clearly know better) pushed a code change that blocked customers from checking out, looking at products, and accessing their accounts. As much as some of us would prefer this to happen more often to keep us from sending Bezos all our bucks, the fact is that a mere deployment error cost Amazon millions. That pricey oopsie showcases the cost of not catching errors and vulnerabilities before you ship.

Somewhere in the deployment process, Amazon didn't use preventative security measures. Its guardrails (assuming it had them) didn't work.

As part of the development process, programmers and programming teams can help secure their output by starting with established secure coding patterns. Using approved frameworks, reusable authentication and authorization libraries, safe defaults, secure templates, and platform services provides a standardized basis for code where developers don't have to choose implementation patterns for every module.

Also: 10 ways AI can inflict unprecedented damage in 2026

The National Institute of Standards and Technology (NIST), a non-regulatory US federal agency within the Department of Commerce, has suggested a framework for "mitigating the risk of software vulnerabilities." NIST SP 800-218 proposes software development lifecycle best practices that can reduce vulnerabilities. Some of these practices include:

  • Prepare the organization: Define roles, standards, training, and secure workflows.
  • Define security requirements: Make security expectations explicit before development.
  • Use secure defaults: Reduce risky choices that developers must make manually.
  • Secure development environments: Protect tools, repositories, pipelines, and credentials.
  • Review source code: Catch design and implementation weaknesses early.
  • Test executable code: Use dynamic testing, fuzzing, and runtime checks.
  • Protect software integrity: Verify artifacts, provenance, and release authenticity.
  • Analyze vulnerabilities: Understand root causes, not just individual bugs.

The NIST guidelines also recommend tracking, evaluating, and updating dependencies. We'll talk about this in-depth next.

Managing supply chain risk

Over the past few years, we've all become intimately familiar with what happens when a supply chain becomes interrupted. We all remember The Great Toilet Paper Shortage of 2020, for example. Supply chain is a term that describes how something, such as toilet paper, moves from raw materials to manufacturing, then to shipping, and finally to distribution and consumption.

Software development also has a supply chain, although our term of art is "dependencies." Nobody writes all the code in a product or service. Instead, most of what happens is built of software building blocks written by other companies or open-source developers. Those building blocks are, themselves, often composed of other building blocks, modules that do almost everything that happens behind the scenes.

Also: AI is quietly poisoning itself and pushing models toward collapse - but there's a cure

The problem is that these building blocks, in the form of open-source libraries, containers, APIs, build tools, SaaS components, and AI-generated code, can all introduce vulnerabilities and flaws in the final solution.

Sometimes, malicious actors will submit changes to open-source tools that core developers miss. Other times, simple coding mistakes can lead to vulnerabilities. The thing is, these dependencies are black boxes to most developers. Worse, they're moving targets. As they get updated, those updates are included in production software. This step means a dependency that was once perfectly safe can be compromised in a later update.

Think about it this way. While your code might have vulnerabilities, unless it's widely used, those vulnerabilities might take some time for threatening players to discover. But those dependencies? Those vulnerabilities are widely known, often sold on illicit marketplaces. The easiest way for your software to become vulnerable is to rely on vulnerable software.

Also: 5 security tactics your business can't get wrong in the age of AI - and why they're critical

All of this interaction means that there needs to be a strong push for dependency hygiene. As part of your integration and approval process, make sure you choose verifiably maintained packages, lock in known versions, review transitive dependencies, monitor known vulnerabilities, and avoid libraries with weak maintenance, suspicious ownership changes, or poor security signals.

If this means swapping out dependencies or choosing different suppliers, the benefits very much outweigh any supply chain switching costs.

Reducing reactive security

Responding to a security or software emergency sucks. You can feel your pulse rate skyrocket when, two sips into your first cup of coffee, an email or notification describes how everything has just blown up. It's even worse when this issue happens in the middle of the night.

Designing and delivering software built to be secure can reduce those stress bumps. This approach can also reduce your organization's overall liability, reduce bad press, and increase customer confidence.

Implementing a design change before release will undoubtedly be cheaper and less painful than production incidents, customer notifications, urgent hotfixes, or compensating-control workarounds.

This shift is a cultural change. Secure-at-the-source makes development quality a core practice in design and coding. Security has to be part of how software is written. Don't wait until after everything is coded and built to find out what needs to be recoded and rebuilt. And definitely, if at all possible, don't wait until you have angry customers screaming at you (ask me how I know) when something they rely upon breaks down horribly.

Your stomach acid (or lack thereof) will thank you.

Would your developers welcome security guardrails in their daily workflow or see them as another layer of friction? Let us know in the comments below.


You can follow my day-to-day project updates on social media. Be sure to subscribe to my weekly update newsletter, and follow me on Twitter/X at @DavidGewirtz, on Facebook at Facebook.com/DavidGewirtz, on Instagram at Instagram.com/DavidGewirtz, on Bluesky at @DavidGewirtz.com, and on YouTube at YouTube.com/DavidGewirtzTV.

Featured