The technology industry’s long-standing mantra to innovate at breakneck speed, once the celebrated engine of unprecedented growth and disruption, has now revealed its profound and dangerous downside in an increasingly interconnected digital world. This philosophy, which for nearly two decades prioritized rapid deployment over meticulous engineering, has cultivated a development culture where security is often treated as an afterthought rather than a foundational principle. The result is a global ecosystem littered with poorly designed, vulnerable applications, services, and devices. These digital “broken things” are no longer mere inconveniences; they are gaping entry points for sophisticated cybercriminals and hostile nation-state actors. As the consequences escalate from financial loss to threats against critical infrastructure, it becomes clear that this reckless era must conclude, making way for a new, more responsible guiding principle: “Make Smart and Safe Things.”
The High Cost of Relentless Speed
The core conflict of the “move fast” culture lies in its direct opposition to the fundamental requirements of cybersecurity: the race to release new features consistently sidelines careful security engineering. The result is a widespread proliferation of exploitable software, turning a theoretical risk into a tangible and devastating reality. The consequences are starkly illustrated by recent campaigns from state-sponsored threat actors. For instance, China-backed Advanced Persistent Threat (APT) groups have successfully exploited both known and zero-day vulnerabilities in widely used enterprise software, including on-premises Microsoft SharePoint servers and Ivanti VPN appliances. These methodical attacks have compromised hundreds of organizations worldwide, ranging from multinational corporations to U.S. federal agencies and critical infrastructure operators, demonstrating that the pursuit of speed has left critical systems exposed to determined adversaries who are adept at finding and weaponizing these inherent weaknesses.
This relentless pace of development also exacerbates two critical trends in the modern threat landscape. The first is the persistent exploitation of “code rot”: older, unmaintained code that accumulates severe, unpatched security flaws long after anyone stops looking at it. The second, and arguably more pressing, is the strategic targeting of large, complex cloud platforms through their weakest and least-monitored links, such as third-party integrations, insecure software dependencies, and poorly managed Application Programming Interfaces (APIs). A prime example is the campaign by the threat actor UNC6395, which targeted Salesforce customers by first compromising a third-party application, Salesloft Drift. By stealing the OAuth tokens that Drift held for its customers’ Salesforce integrations, the attackers were able to query and exfiltrate large volumes of sensitive data from numerous Salesforce instances. Because every request carried a valid token issued to a sanctioned integration, the activity looked like ordinary API traffic, a powerful demonstration of how the deep interconnectedness of modern software creates attack paths that traditional perimeter defenses never see.
The Software Supply Chain as the New Battleground
In this heightened threat environment, the software supply chain itself has emerged as a primary battleground, challenging the dangerously outdated assumption that software suppliers are inherently trustworthy and their products are secure by default. In an era where release cycles have shrunk from months or years to hours or minutes, this implicit trust is not only misplaced but reckless. The recent Trust Wallet breach illustrates the risk. In that incident, attackers used a credential-stealing worm to obtain developers’ GitHub credentials, which gave them privileged access. With that access they obtained the company’s own Chrome Web Store API key and used it to publish a malicious version of the Trust Wallet browser extension directly to the store, bypassing every internal security review in the process. The lesson is that the publishing credentials for a “pre-blessed” distribution channel are as sensitive as a code-signing key: whoever holds them can push code to every user of the product. By compromising such trusted channels, attackers scale their operations efficiently and land inside countless sensitive environments, and traditional security measures, which trust whatever the channel delivers, are often blind to the tampering.
The infamous attacks on SolarWinds and 3CX further underscore the finding that conventional security measures are frequently insufficient to detect sophisticated tampering inside the development pipeline. In both cases adversaries compromised the build process itself, so that malicious code was embedded in legitimate software updates and distributed to thousands of unsuspecting customers. Critically, those updates carried the vendors’ own valid code-signing signatures: a signature proves who published an artifact, not that its contents are what the reviewed source code says they should be. This tactic turns trusted vendors into unwilling distributors of malware and borrows their reputation to get past customers’ defenses. The core issue is that traditional security tools are designed to inspect source code or monitor network behavior, and they miss alterations made to the compiled binary between the last source review and release. With rapid, automated deployments through CI/CD pipelines, the window in which such tampering can be caught before it reaches customers is brief, yet the potential damage is immense. Relying on the integrity of third-party code without independently verifying the artifact that actually ships has created a systemic vulnerability across the entire technology sector.
Charting a New Course for Secure Development
The technology industry has reached a critical inflection point where the cumulative risks of the “move fast and break things” philosophy now far outweigh its perceived benefits in innovation speed. As software becomes inextricably embedded in every facet of modern life, from corporate databases and financial systems to home appliances and public utilities, vendors face mounting pressure from both market demands and regulatory bodies to prioritize security. The path forward requires a fundamental paradigm shift, encapsulated by the new mandate to “Make Smart and Safe Things.” While traditional application security testing tools like SAST, DAST, and SCA remain valuable components of a security program, they are no longer enough to counter modern supply chain threats, because they examine the source or the running service rather than the artifact customers receive. To truly secure their products, vendors must go a step further and analyze the compiled, packaged artifact exactly as it will ship (binaries, installers, container images), independently of the build system that produced it, before release. This final check can detect malicious code or tampering introduced late in the development cycle, precisely the stage that source-level tools never see.
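One concrete shape that final check can take, as an added example that is neither this article’s nor any vendor’s code: a release gate that (1) verifies the candidate artifact against a signed attestation recorded at build time and (2) diffs the artifact against the previous release for embedded network indicators that were not there before. The attestation is signed with an HMAC shared secret only to keep the example self-contained; a real pipeline would use an asymmetric signature such as a Sigstore/cosign attestation. The artifacts are constructed byte strings, and every name, host, key and allowlist entry is an assumption.

```python
"""Release gate for a compiled artifact.

Two independent checks run before anything is published:
  1. the candidate's SHA-256 must match the digest in a signed build attestation;
  2. the candidate is diffed against the previous release for embedded URLs
     that were not present before and are not on an allowlist.
The "binaries" below are constructed byte strings, not real artifacts.
"""
import hashlib
import hmac
import json
import re

# Assumption: the build step and the release gate share this key.  A real
# pipeline would use an asymmetric signature (e.g. a Sigstore/cosign
# attestation); HMAC is used here only to keep the example self-contained.
ATTESTATION_KEY = b"build-attestation-key-demo"

# Matches http(s) URLs embedded as plain ASCII in the artifact.
URL_RE = re.compile(rb"https?://[A-Za-z0-9._~:/?#@!$&'()*+,;=%-]+")


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def attest_build(artifact: bytes, key: bytes = ATTESTATION_KEY) -> dict:
    """Build step: record the digest of the artifact it produced and sign it."""
    payload = json.dumps({"sha256": sha256_hex(artifact)}, sort_keys=True)
    sig = hmac.new(key, payload.encode(), hashlib.sha256).hexdigest()
    return {"payload": payload, "sig": sig}


def verify_attestation(artifact: bytes, attestation: dict,
                       key: bytes = ATTESTATION_KEY) -> bool:
    """Release gate: signature must verify and digest must match what ships."""
    payload = attestation["payload"].encode()
    expected = hmac.new(key, payload, hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, attestation["sig"]):
        return False
    return json.loads(payload)["sha256"] == sha256_hex(artifact)


def extract_urls(artifact: bytes) -> set:
    return set(URL_RE.findall(artifact))


def new_indicators(previous: bytes, candidate: bytes, allowlist: set) -> list:
    """URLs in the candidate that neither the previous release nor the allowlist contains."""
    added = extract_urls(candidate) - extract_urls(previous) - allowlist
    return sorted(u.decode() for u in added)


def release_gate(previous: bytes, candidate: bytes, attestation: dict,
                 allowlist: set) -> dict:
    attested = verify_attestation(candidate, attestation)
    added = new_indicators(previous, candidate, allowlist)
    return {"attested": attested, "new_indicators": added,
            "ship": attested and not added}


# Constructed sample artifacts (assumed layout; hosts use reserved example names).
PREVIOUS_RELEASE = (
    b"\x7fELF\x02\x01\x01" + b"\x00" * 9
    + b"agent v1.4.2\x00"
    + b"https://updates.example.com/v1/manifest\x00"
    + b"telemetry disabled\x00"
)
ALLOWLIST = {b"https://updates.example.com/v1/manifest"}


def run_scenarios() -> dict:
    clean = PREVIOUS_RELEASE.replace(b"v1.4.2", b"v1.5.0")
    tampered = clean + b"https://c2.invalid/beacon\x00"
    return {
        # Honest build, honest publish: passes both checks.
        "honest": release_gate(PREVIOUS_RELEASE, clean, attest_build(clean), ALLOWLIST),
        # Honest build, but the artifact was swapped between build and publish:
        # the attestation no longer matches what is about to ship.
        "swapped": release_gate(PREVIOUS_RELEASE, tampered, attest_build(clean), ALLOWLIST),
        # The build itself was compromised (the SolarWinds pattern): the attestation
        # covers the tampered bytes, so only the differential check catches it.
        "inside_build": release_gate(PREVIOUS_RELEASE, tampered, attest_build(tampered), ALLOWLIST),
    }


if __name__ == "__main__":
    print(json.dumps(run_scenarios(), indent=2))
```

The two checks fail in different ways on purpose. An artifact swapped after the build fails the attestation, because the digest the build step signed no longer matches what is about to ship. An artifact tampered with inside the build passes the attestation, since the build step honestly signed the bytes it produced; that is exactly the SolarWinds and 3CX pattern, and it is why the gate also compares the candidate with the previous release. A production gate would widen that comparison well beyond embedded URLs (new imports and exported symbols, new or resized sections, added certificates, changed behaviours under sandbox execution) and would log, not just block.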
Ultimately, this transition requires software publishers to elevate code quality, security, and transparency to the level of core business priorities, on par with feature development and market expansion. That means setting explicit “zero vulnerability” goals to actively combat code rot and systematically remediating known vulnerabilities in older software modules and third-party dependencies. It also means moving toward radical transparency through the publication of bills of materials: Software Bills of Materials (SBOMs), Machine Learning Bills of Materials (MLBOMs), and Software-as-a-Service Bills of Materials (SaaSBOMs). A bill of materials is only useful if it is verifiable, so the inventory should identify each component precisely enough (name, version, and a cryptographic hash) that a customer can confirm the shipped artifact actually contains what the document claims. Armed with a detailed and verifiable inventory of every component in their software, customers can assess risk before deployment and respond faster when a new vulnerability or a compromised dependency is disclosed. This evolution is not merely a technical adjustment; it is a profound commitment to building secure and resilient technology, ensuring that future advancement does not come at the cost of customer safety and digital trust.