Main Stage: Let Me Tell You a Story: Technology and the 4 Vs

The cybersecurity industry faces a software quality problem rather than a cybersecurity problem - we need more secure products, not more security products

Common vulnerabilities like memory safety violations, cross-site scripting, and SQL injection have persisted for decades, showing a systematic disregard for secure development

Technology vendors have normalized creating defective, insecure software by prioritizing speed to market and features over security

The Secure by Design initiative aims to transform the industry by having vendors commit to secure development practices, with nearly 200 companies now signed to the pledge

Organizations that procure software should demand more from vendors through their purchasing power and by asking security-focused questions during acquisition

Unlike other industries that track and reduce defects, the software industry has accepted vulnerabilities as inevitable rather than treating them as product defects

The industry must move away from victim-blaming (e.g., “they didn’t patch”) and focus on vendor responsibility for secure product development

Contract language for software puts all risk on customers - a practice that wouldn’t be accepted in other industries like aviation or automotive

Secure development frameworks and memory-safe programming languages can help eliminate entire classes of vulnerabilities

Success requires both supply-side (vendor) and demand-side (customer) commitment to security, along with potential software liability standards