SAN FRANCISCO - After five decades of cybersecurity evolution, attackers are still winning more often than defenders — and the clock is ticking to change that.
That was the urgent warning from Veracode founder Chris Wysopal and Columbia University’s Jason Healey during their RSA Conference 2025 talk, “Secure by Design: Are We Winning?” Spoiler: Not yet.
“None of the known red team efforts have ever failed,” Wysopal reminded the audience, citing chilling assessments that date all the way back to 1972. “Even today, contemporary controls often can’t stop attackers from walking right in.”
The two experts didn’t just rehash the usual cybersecurity horror stories. Instead, they presented fresh data showing measurable improvements in software security — including real-world declines in vulnerability exploitability and significant gains in secure coding practices. But progress remains fragile, threatened by accelerating software development cycles, persistent security debt, and the emerging double-edged impact of AI.
The core problem hasn’t changed: the internet — and the software that runs on it — was never built with security in mind. Global connectivity, insecure software by default, and cascading failure risks have combined to hand attackers a systemic advantage that even sophisticated defenders struggle to overcome.
Healey added, “The idea that the attacker only has to be right once dramatically understates the scale of the problem. Our systems are so interconnected that one miss can cascade into a disaster.”
Still, Wysopal and Healey insisted hope is not lost. They pointed to national cybersecurity strategies from 2023 and 2024 that set a new goal: tip the balance toward defenders by baking security into the very foundations of digital infrastructure.
There are green shoots: Veracode’s latest State of Software Security report showed a remarkable jump in the percentage of applications passing the OWASP Top 10 vulnerability checks — from 32% in 2020 to 52% in 2025.
Healey underscored an even more encouraging signal. “The reduction in exploitability of CVEs is real — and it’s evidence that all of us are doing better, not just isolated companies,” he said.
According to the data presented, the proportion of high-severity vulnerabilities deemed "likely exploitable" by the Exploit Prediction Scoring System (EPSS) has dropped steadily from 3.7% to 2.7% over the past five years.
“Velocity has gotten so fast that people are just not fixing the vulnerabilities they know about,” Wysopal warned. “They’re prioritizing new features over security fixes.”
Wysopal reminded session attendees of the concept of software security debt: “If you haven’t fixed a vulnerability in over a year, that's software security debt. About half of organizations have it.”
Even more concerning, Wysopal revealed that while most flaws reside in first-party code, the most critical unfixed vulnerabilities are increasingly buried in third-party open-source components — often hidden inside transitive dependencies.
Adding to the challenge: size matters. Cobalt and Veracode data show larger organizations are consistently slower at fixing serious issues, often taking over a month longer than their smaller counterparts.
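The debt definition above (an unfixed vulnerability older than a year) and the first-party versus third-party split are simple enough to turn into a backlog metric. The following is an added example, not code from the talk, Veracode, or Cobalt: it applies the one-year threshold to a constructed list of findings, reports how much of the open backlog is debt, where that debt sits (including high-severity items in transitive dependencies), and the mean days-to-fix for closed items. The `Finding` fields and the sample records are assumptions made for the example.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional

# Threshold taken from the talk's definition: unfixed for over a year.
DEBT_THRESHOLD = timedelta(days=365)


@dataclass(frozen=True)
class Finding:
    id: str
    severity: str              # "low" | "medium" | "high" (assumed scale)
    origin: str                # "first-party" | "third-party"
    transitive: bool           # True if it lives in a transitive dependency
    first_seen: date
    fixed_on: Optional[date] = None  # None while the finding is still open


def is_security_debt(f: Finding, as_of: date) -> bool:
    """An open finding counts as debt once it has been open longer than DEBT_THRESHOLD."""
    return f.fixed_on is None and (as_of - f.first_seen) > DEBT_THRESHOLD


def debt_items(findings, as_of: date):
    """IDs of debt items, oldest first, so the backlog can be worked from the top."""
    items = [f for f in findings if is_security_debt(f, as_of)]
    return [f.id for f in sorted(items, key=lambda f: f.first_seen)]


def summarize(findings, as_of: date) -> dict:
    """Backlog metrics a team could track release over release."""
    open_ = [f for f in findings if f.fixed_on is None]
    debt = [f for f in open_ if is_security_debt(f, as_of)]
    fixed = [f for f in findings if f.fixed_on is not None]

    by_origin: dict = {}
    for f in debt:
        by_origin[f.origin] = by_origin.get(f.origin, 0) + 1

    mean_fix = None
    if fixed:
        mean_fix = sum((f.fixed_on - f.first_seen).days for f in fixed) / len(fixed)

    return {
        "open": len(open_),
        "debt": len(debt),
        "debt_ratio": (len(debt) / len(open_)) if open_ else 0.0,
        "debt_by_origin": by_origin,
        # The talk's concern: the worst unfixed flaws hiding in transitive deps.
        "high_debt_in_transitive_deps": sum(
            1 for f in debt if f.severity == "high" and f.transitive
        ),
        "mean_days_to_fix": mean_fix,
    }


# Constructed sample data for the example; not figures from the talk or the reports.
AS_OF = date(2025, 4, 30)
SAMPLE = [
    Finding("F-1", "high", "first-party", False, date(2023, 11, 2)),
    Finding("F-2", "medium", "first-party", False, date(2025, 1, 15)),
    Finding("F-3", "high", "third-party", True, date(2024, 2, 20)),
    Finding("F-4", "high", "third-party", False, date(2024, 6, 1)),
    Finding("F-5", "low", "first-party", False, date(2023, 3, 10), date(2023, 5, 9)),
    Finding("F-6", "high", "third-party", True, date(2024, 1, 5), date(2024, 5, 4)),
]

if __name__ == "__main__":
    print("debt, oldest first:", debt_items(SAMPLE, AS_OF))
    for key, value in summarize(SAMPLE, AS_OF).items():
        print(f"{key}: {value}")
```

Running the block against the sample prints two debt items out of four open findings, one of them a high-severity flaw in a transitive dependency. Swapping `SAMPLE` for a scanner export and re-running at each release gives the kind of trend line the speakers asked teams to measure.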
Wysopal cautioned that AI tools are already accelerating code creation — but not necessarily making it safer. “AI writes code that is slightly worse than humans when it comes to security. And if AI boosts developer productivity by 50%, you’re producing 50% more vulnerabilities unless you change how you fix flaws.”
However, AI could also become the solution to the problem it’s helping create. “I really think that generative AI-based fixing of code — auto-remediation — is the only solution,” Wysopal said.
Healey framed it optimistically: “It should be easier to get a few AIs coding securely than it is to train a million developers.” The idea: if AI can be trained on secure code patterns, it could one day close the remediation gap faster than traditional methods ever could.
Both speakers stressed that winning the Secure by Design battle will require more than just better technology — it demands transparency and accountability. Wysopal championed the idea of mandatory software attestation, modeled after manufacturing quality control. “Software used to be a black box. Now, with attestation forms, customers can finally demand proof of how secure software was built.”
At the same time, Wysopal emphasized that security must be built into software development timelines — not treated as an afterthought. “You need to embed security into the ‘definition of done’ in software development,” he said. “Otherwise it always looks like security is slowing you down.”
Their final message was clear: defenders can still win — but only if they measure progress, close feedback loops faster, invest in fixing vulnerabilities proactively, and hold each other accountable.
Healey left the audience on a positive note: “We can fix the problem we inherited from our grandparents. We're finally seeing the returns on decades of defensive investment.”
Wysopal agreed and encouraged cybersecurity leaders to stop thinking like pessimists and start acting like builders. “We’ve crossed the 50% mark. More than half of applications are now free of OWASP Top 10 flaws. That’s a glass half full — and rising,” he said.
Tom Spring is Editorial Director for SC Media and is based in Boston, MA. For two decades he has worked at national publications in the leadership roles of publisher at Threatpost, executive news editor at PCWorld/Macworld and technical editor at CRN. He is a seasoned cybersecurity reporter, editor and storyteller who always aims for truth and clarity.