
Threat models built around accidental vulnerabilities are no longer sufficient once vulnerabilities are treated as strategic assets and held back for later exploitation; that shift changes what “good enough” security means across the software delivery lifecycle. Years of investment in pre-deployment scanning have not been matched by visibility into what is actually running in production, so when a new vulnerability emerges teams cannot say which versions, in which configurations, are exposed. Closing the gap starts with stronger SBOM practices: SBOMs that are continuously updated, queryable, and tied to the running environment rather than left in a build artifact. Automation can then identify exposed assets quickly, prioritize remediation by real exploitability, and push fixes downstream with less manual triage. AI adds both defensive value and new risks (data poisoning, model misuse, autonomous agents acting on stale context), which argues for shared visibility and accountability across developers, security teams, and data scientists, with a runtime view of the whole software estate as the connective tissue.
"The threat model that DevSecOps teams have been working from for the last decade was built around accidental vulnerabilities: mistakes that needed to be found and fixed before someone exploited them. That assumption is breaking. Vulnerabilities are increasingly being treated as strategic assets, stockpiled by nation-states and threat actors and held back from disclosure until they're useful as weapons. That shift changes what 'good enough' security looks like across the software delivery lifecycle."
"The industry has spent years investing in pre-deployment scanning and not nearly enough in knowing what's actually running in production. The result is sprawling estates of deployed software where teams can't answer the basic question of which versions, in which configurations, are exposed to a newly disclosed, or quietly hoarded, vulnerability."
"Stronger SBOM practices are the foundation, but only if SBOMs are continuously updated, queryable and tied to the running environment, not parked in a build artifact. From there the conversation moves into automation: using AI-assisted tooling to identify exposed assets fast, prioritize remediation against real exploitability, and push fixes downstream without manual triage at every step."
"AI is now both a tool defenders rely on and a source of new risk: data poisoning, model misuse, autonomous agents acting on stale context. Scarcella and Ragan make the case that this is the moment to break down the wall between developers, security teams and data scientists, with shared visibility, shared accountability and a runtime view of the entire software estate as the connective tissue."
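A minimal illustration of what "queryable and tied to the running environment" means in practice, added here as an example rather than taken from the article or from any tooling it mentions: per-image SBOMs are joined to a runtime inventory by image digest, queried for a package, and matched against advisories that are then ranked by exploitability and exposure. Everything in it is constructed: the SBOMs, workloads and advisories are illustrative, the EXAMPLE-ADV-* identifiers are placeholders rather than real CVEs, the "known_exploited" flag stands in for a feed of actively exploited bugs, and the version comparison is a deliberately simple dotted-integer compare.

```python
"""Query per-image SBOMs against a runtime inventory to find exposed workloads.

Added example with constructed data: SBOMs, workloads and advisories are
illustrative; EXAMPLE-ADV-* are placeholders, not real CVEs; "known_exploited"
stands in for a feed of actively exploited vulnerabilities.
"""
from itertools import takewhile

# Constructed advisories: package (purl without version), vulnerable range
# [introduced, fixed), and an exploitation signal.
ADVISORIES = [
    {"id": "EXAMPLE-ADV-1", "purl_base": "pkg:npm/lodash", "introduced": "0",
     "fixed": "4.17.21", "known_exploited": True},
    {"id": "EXAMPLE-ADV-2", "purl_base": "pkg:pypi/requests", "introduced": "2.0.0",
     "fixed": "2.31.0", "known_exploited": False},
]

# Constructed CycloneDX-style SBOMs, one per built image, keyed by image digest
# so they can be joined to what the cluster reports as running.
SBOMS = {
    "sha256:1111": {"bomFormat": "CycloneDX", "components": [
        {"type": "library", "name": "lodash", "version": "4.17.20", "purl": "pkg:npm/lodash@4.17.20"},
        {"type": "library", "name": "express", "version": "4.18.2", "purl": "pkg:npm/express@4.18.2"}]},
    "sha256:2222": {"bomFormat": "CycloneDX", "components": [
        {"type": "library", "name": "requests", "version": "2.28.1", "purl": "pkg:pypi/requests@2.28.1?type=wheel"}]},
    "sha256:3333": {"bomFormat": "CycloneDX", "components": [
        {"type": "library", "name": "lodash", "version": "4.17.21", "purl": "pkg:npm/lodash@4.17.21"}]},
}

# Constructed runtime inventory: what is deployed, by digest, plus exposure.
# legacy-cron runs an image with no SBOM on record: the "can't answer" case.
RUNTIME = [
    {"workload": "checkout-web", "image_digest": "sha256:1111", "internet_facing": True},
    {"workload": "batch-reporter", "image_digest": "sha256:2222", "internet_facing": False},
    {"workload": "admin-api", "image_digest": "sha256:3333", "internet_facing": True},
    {"workload": "legacy-cron", "image_digest": "sha256:9999", "internet_facing": False},
]


def parse_version(v):
    """'2.31.0rc1' -> (2, 31, 0); a non-numeric suffix ends that part."""
    return tuple(int("".join(takewhile(str.isdigit, p)) or 0) for p in v.split("."))


def is_affected(version, introduced, fixed):
    """True when introduced <= version < fixed."""
    return parse_version(introduced) <= parse_version(version) < parse_version(fixed)


def split_purl(purl):
    """'pkg:npm/lodash@4.17.20?type=x' -> ('pkg:npm/lodash', '4.17.20')."""
    base, _, rest = purl.partition("@")
    return base, rest.split("?", 1)[0].split("#", 1)[0]


def components_running(runtime, sboms):
    """Yield (workload, purl_base, version) for every deployed component."""
    for wl in runtime:
        for comp in sboms.get(wl["image_digest"], {}).get("components", []):
            base, version = split_purl(comp["purl"])
            yield wl, base, version


def versions_in_production(runtime, sboms, purl_base):
    """Answer 'which workloads run this package, and at which version?'"""
    return {wl["workload"]: ver for wl, base, ver in components_running(runtime, sboms)
            if base == purl_base}


def find_exposed(runtime, sboms, advisories):
    """Join runtime -> SBOM -> advisories; a missing SBOM is itself a finding."""
    findings = [{"workload": wl["workload"], "status": "no-sbom", "advisory": None,
                 "component": None, "fixed": None, "known_exploited": False,
                 "internet_facing": wl["internet_facing"]}
                for wl in runtime if wl["image_digest"] not in sboms]
    for wl, base, version in components_running(runtime, sboms):
        for adv in advisories:
            if adv["purl_base"] == base and is_affected(version, adv["introduced"], adv["fixed"]):
                findings.append({"workload": wl["workload"], "status": "affected",
                                 "advisory": adv["id"], "component": f"{base}@{version}",
                                 "fixed": adv["fixed"], "known_exploited": adv["known_exploited"],
                                 "internet_facing": wl["internet_facing"]})
    return findings


def prioritize(findings):
    """Order: exploited+exposed, exploited, unknown (no SBOM), exposed, rest."""
    def rank(f):
        if f["status"] == "no-sbom":
            return 2
        if f["known_exploited"]:
            return 0 if f["internet_facing"] else 1
        return 3 if f["internet_facing"] else 4
    return sorted(findings, key=lambda f: (rank(f), f["workload"]))


if __name__ == "__main__":
    print("lodash in production:", versions_in_production(RUNTIME, SBOMS, "pkg:npm/lodash"))
    for f in prioritize(find_exposed(RUNTIME, SBOMS, ADVISORIES)):
        print(f["workload"], f["status"], f["advisory"], f["component"], "fix:", f["fixed"])
```

Two design choices matter here. The join key is the image digest, not a tag or a build number, because a tag can be moved after the SBOM was produced while the digest identifies exactly the bytes that are running. And a deployed image with no SBOM on record is emitted as its own finding and ranked just below actively exploited bugs: a workload you cannot describe is precisely the visibility gap the article describes, and it should not disappear from the report simply because nothing matched it.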
Read at DevOps.com