It’s Not Just Hackers: Insecure Software is Fuelling Cybersecurity Risks

Published on November 20, 2024. Read time: 4 min.

When cyberattacks make headlines, the focus usually lands on hackers exploiting vulnerabilities to breach systems. While cybercriminals play a clear role, we often overlook another core issue: insecure software. Many breaches aren’t just the result of malicious intent but are enabled by developers and vendors who prioritise speed and cost over secure coding practices.

Hackers are, in practice, opportunists who exploit weak code. Insecure software, whether the result of rushed development or of missing secure coding practices, leaves the doors wide open for them. If software providers consistently adhered to security-first principles and were held accountable, many vulnerabilities would be avoided altogether.

The Real Cybersecurity Crisis

Users, often lacking technical knowledge, tend to accept software with hidden risks, trusting that vendors are supplying safe, reliable products. Yet, this trust is often misplaced as vendors choose rapid deployment over proper security.

The same applies at the organisational level: many organisations depend on third-party software for their operations and trust their vendors to deliver secure, reliable code, a trust that is frequently unwarranted.

Many ransomware incidents have stemmed from vulnerabilities introduced by third-party vendors, not the organization directly. Companies that integrate these insecure software solutions into their infrastructure essentially open the door for cybercriminals.

Consider the example from a CISA report at the 2024 RSA conference, where ransomware attacks were highlighted as a direct consequence of weaknesses in supply chain software [1].

According to a report from the Center for Internet Security, 60% of all security breaches can be traced back to third-party software. In 2024 alone, 98% of organisations used at least one third-party vendor that had been breached within the past two years [2]. Despite these statistics, vendors are often slow to detect and disclose vulnerabilities, allowing cybercriminals ample time to exploit them.

It’s clear that while hackers are exploiting these weaknesses, the true fault lies in the insecure software itself.

Security as a Reaction, not a Priority

Though tech giants like Google, Microsoft, and Amazon have recently pledged to prioritize security [3], many wonder if these commitments will result in meaningful change. While regulatory pressure is pushing companies to act [4], security is still often seen as an afterthought.

This issue originates in the development process itself. Companies, particularly in the fast-paced startup world, often prioritise rapid product releases over security. The “move fast and break things” mindset has flooded the market with vulnerable software, making the risk of attack almost inevitable.

The OWASP (Open Web Application Security Project) has long warned that many of the most exploited vulnerabilities [5], such as SQL injection and cross-site scripting, could be easily prevented through secure coding practices. Yet these vulnerabilities persist because security is rarely the priority during the coding process.
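As an added illustration (not code from the original article), the Python below shows the two OWASP classes just named beside their prevented forms: a lookup that concatenates user input into SQL next to a parameterised query, and a greeting that echoes raw input into HTML next to one that escapes it. The in-memory `users` table and the sample inputs are constructed for the demo.

```python
import html
import sqlite3


def make_db():
    """Constructed in-memory table for the demo (not real data)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, role TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)",
                     [("alice", "admin"), ("bob", "user")])
    return conn


def find_user_vulnerable(conn, name):
    """SQL injection: user input is concatenated into the statement,
    so quote characters in `name` change the query's structure."""
    query = f"SELECT name, role FROM users WHERE name = '{name}'"
    return conn.execute(query).fetchall()


def find_user_safe(conn, name):
    """Parameterised query: the driver binds `name` as data only,
    so it can never alter the SQL, whatever characters it contains."""
    return conn.execute(
        "SELECT name, role FROM users WHERE name = ?", (name,)).fetchall()


def greeting_vulnerable(name):
    """Reflected XSS: untrusted input is written into HTML verbatim."""
    return f"<p>Hello, {name}</p>"


def greeting_safe(name):
    """Output encoding turns markup characters into inert entities."""
    return f"<p>Hello, {html.escape(name)}</p>"


if __name__ == "__main__":
    conn = make_db()
    # Constructed input that makes the WHERE clause always true.
    tautology = "' OR '1'='1"
    print(find_user_vulnerable(conn, tautology))  # every row is returned
    print(find_user_safe(conn, tautology))        # no such user: []
    print(greeting_safe("<script>alert(1)</script>"))
```

The same input that returns the whole table through the concatenated query matches nothing through the bound parameter, which is the entire difference between the two functions.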

Did you know?

A proactive approach to tackling insecure software is DevSecOps—an evolution of DevOps that integrates security directly into every phase of the software development lifecycle. Rather than viewing security as an afterthought, DevSecOps promotes a "shift-left" approach, embedding secure coding practices, automated vulnerability assessments, and compliance checks early in development. By merging development, security, and operations, DevSecOps ensures that security is a shared responsibility, minimizing the risk of insecure code making it to production.

Many of the most exploited vulnerabilities stem from coding errors that could have been easily avoided if proper security measures were in place from the start. But until secure development becomes a core principle, vulnerabilities will persist, creating a recurring opportunity for cyberattacks.

Consequences of Insecure Software

The consequences of insecure software go beyond just successful cyberattacks. There are long-term financial and reputational costs for companies that produce insecure software. Data breaches, regulatory fines, and the loss of customer trust can have devastating effects on a company’s bottom line.

The infamous Equifax breach of 2017, which exposed the sensitive information of 147 million Americans, was the result of a vulnerability in third-party software that went unpatched. This breach could have easily been avoided if proper coding practices and patch management protocols were in place. Equifax ended up paying $700 million in fines, a high cost for a piece of insecure software.

Yet, despite the heavy price tags associated with these breaches, many companies still take a lax approach to secure development. Too often, the focus is on patching vulnerabilities after the fact, rather than ensuring secure development from the outset.

A Shift in Accountability

In the cybersecurity narrative, hackers are often seen as the primary villains. But in many cases, the real problem lies with developers and companies that neglect secure coding practices. Hackers may exploit the vulnerabilities, but it’s the insecure code that allows them to do so.

If a building collapses, we blame the architect and builder, not gravity. The same logic should apply to software: we should focus on creating resilient, secure products from the start rather than blaming hackers for exploiting avoidable weaknesses.

While hackers will always pose a threat, the real cybersecurity crisis lies in the production of insecure software.

It’s not enough to patch vulnerabilities as they arise; we need secure systems built from the ground up. Until we start writing better code and holding vendors accountable for the security of their products, we will continue to see cyberattacks thrive.

Shifting the cybersecurity focus from hackers to software development could lead to lasting change. That means adopting secure coding practices like DevSecOps, investing in robust testing and quality assurance, and holding software development companies accountable for the products they release.

Tags
Cybersecurity
DevSecOps
Cyber Risk Management
Hacking
Authors
Deividas Ruzgys
Cybersecurity Specialist
Natasza Mikołajczak
Content Writer