Security by Design: why it is essential in 2026
Security by Design is the practice of building security controls into the software development lifecycle from the first design decision, rather than bolting them on once the software is already written.
By 2026 this is no longer optional. The relentless growth in disclosed vulnerabilities, attacks and data breaches has shown that reactive remediation alone cannot protect critical systems and sensitive data.
Security by Design: debunking common myths
Despite its growing adoption, Security by Design remains frequently misunderstood. In particular:
- it is often conflated with secure coding practices alone;
- it is commonly regarded as the exclusive responsibility of developers.
In reality, security is a shared responsibility across the whole organisation: not only developers, but also software architects, management, Product Owners and dedicated security teams.
Without a comprehensive, cross-functional approach, any security strategy remains fundamentally incomplete.
The proliferation of vulnerabilities: an unsustainable trend
Since 2016 the number of discovered and publicly disclosed vulnerabilities has grown steeply.
- In 2025 alone, roughly 50,000 CVEs were registered.
- For 2026, forecasts suggest the yearly total could approach 100,000.
The problem is not only one of volume: a growing share of these vulnerabilities are never analysed in depth, because the organisations responsible for classifying and enriching them can no longer keep pace.
The consequence: more vulnerabilities go untriaged for longer, so defenders cannot prioritise them while they remain exploitable in the field, and overall risk exposure grows.
[Source: Jerry Gamblin / CVE.ICU (1999–2025 actuals); FIRST 2026 Vulnerability Forecast (2026 projection)]
The issue: NIST's update of April 15, 2026, and what it changes in the management of the NVD
On April 15, 2026, one week before this article was published, NIST announced a significant change in how it operates the National Vulnerability Database (NVD), in response to the unprecedented surge in CVE (Common Vulnerabilities and Exposures) submissions.
In that update NIST reports that the number of CVEs grew by 263% between 2020 and 2025. Even with higher throughput (roughly 42,000 CVEs analysed in 2025), it can no longer keep up.
Until now NIST tried to analyse every CVE. It is moving to a risk-based model: every CVE will still be listed in the NVD, but only those judged higher priority will receive full enrichment (severity scoring and mapping to affected products), and the same selective treatment will be applied to the backlog. For defenders the practical consequence is that a CVE with no NVD score can no longer be read as low severity; it may simply not have been analysed yet.
The role of artificial intelligence in cybersecurity
Artificial intelligence is further accelerating this trend:
- it increases the amount of code produced;
- it potentially increases the number of vulnerabilities.
On the other hand:
- it makes vulnerability discovery more efficient;
- it brings to light a growing number of security issues.
Security researchers can improve the speed and quality of their analyses, but they cannot reduce the number of vulnerabilities generated. Who can truly do that? Software developers, by adopting secure development practices and preventing problems at their root.
The real obstacle to Security by Design: a cultural issue
The main barrier to the widespread adoption of the Security by Design approach is not technological, but cultural.
The gap between cybersecurity and software development concerns:
- processes;
- business priorities;
- communication between teams;
- organisational mindset.
Technical training alone is not enough. A more profound change is needed, one that involves the entire organisation.
Why the current model is no longer sustainable
According to Betrusted’s experience:
- the current model is no longer sustainable;
- treating security as an afterthought increases risks and costs;
- security must be integrated into decision-making processes from the outset.
Security by Design is not just a best practice: it is a strategic requirement for the long-term sustainability of software.
How to implement Security by Design across different roles
Developers
With the growing use of AI-generated code, the developer's role is shifting towards continuous secure code review, with concrete practices for each of the three main phases:
- Design: understand the risks a feature introduces before writing its code.
- Development: apply secure coding principles systematically.
- Testing: integrate basic security tests on a par with functional tests.
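As an added illustration of the Testing point above (example code written for this edit, not Betrusted's own), the block below puts a security test beside a functional test for a small user lookup. The in-memory SQLite table, the sample users and the injection payload are constructed for the example; find_user_unsafe is kept only as the vulnerable "before" that the security test is meant to catch.

```python
"""A security test beside a functional test: SQL injection in a user lookup."""
import sqlite3

# Constructed sample data for the example (not from the article).
SAMPLE_USERS = [("alice", "alice@example.com"), ("bob", "bob@example.com")]

# Classic tautology payload: closes the quoted literal and makes the WHERE clause always true.
INJECTION_PAYLOAD = "' OR '1'='1"


def make_db() -> sqlite3.Connection:
    """Create an in-memory database seeded with the constructed sample users."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, email TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)", SAMPLE_USERS)
    conn.commit()
    return conn


def find_user_unsafe(conn: sqlite3.Connection, name: str) -> list:
    """Vulnerable: user input is concatenated into the SQL text (kept as the 'before' case)."""
    query = f"SELECT name, email FROM users WHERE name = '{name}'"
    return conn.execute(query).fetchall()


def find_user(conn: sqlite3.Connection, name: str) -> list:
    """Hardened: a parameterised query; the driver never interprets `name` as SQL."""
    return conn.execute(
        "SELECT name, email FROM users WHERE name = ?", (name,)
    ).fetchall()


# Functional test: both implementations answer the legitimate question correctly.
def test_functional_lookup() -> None:
    conn = make_db()
    assert find_user_unsafe(conn, "alice") == [("alice", "alice@example.com")]
    assert find_user(conn, "alice") == [("alice", "alice@example.com")]


# Security test, on a par with the functional one: the payload must not widen the result.
def test_security_no_injection() -> None:
    conn = make_db()
    # The vulnerable version leaks every row; this assertion documents the defect.
    assert len(find_user_unsafe(conn, INJECTION_PAYLOAD)) == len(SAMPLE_USERS)
    # The hardened version treats the payload as a literal name and finds nothing.
    assert find_user(conn, INJECTION_PAYLOAD) == []


if __name__ == "__main__":
    test_functional_lookup()
    test_security_no_injection()
    print("functional and security tests passed")
```

The point is the placement, not the payload: the security test lives in the same file, runs in the same suite and fails the same build as the functional test, so a regression that reintroduces string-built SQL is caught by the developer rather than by a later audit.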
DevOps
The DevOps team is crucial to making security scalable and automated. As with developers, this team should also adopt best practices:
- Testing: integrate security testing into CI/CD pipelines.
- Infrastructure: configure automated code analysis tools (e.g. SAST, SCA).
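As an added example of wiring SAST output into a pipeline (written for this edit, not Betrusted's own tooling), the block below is a small CI gate that reads a scanner report in SARIF 2.1.0, the interchange format most SAST tools can emit, and fails the step when any finding is at or above a chosen severity. The scanner name and the three findings in SAMPLE_SARIF are constructed for the example; in a real pipeline the step would read the report file produced by the scanner.

```python
"""CI security gate: fail the build on SAST findings at or above a severity threshold."""
import json
import sys

# SARIF 2.1.0 result levels in increasing severity.
LEVEL_RANK = {"none": 0, "note": 1, "warning": 2, "error": 3}

# Constructed SARIF document standing in for real scanner output (not from the article).
SAMPLE_SARIF = json.dumps({
    "version": "2.1.0",
    "runs": [{
        "tool": {"driver": {"name": "example-sast"}},  # hypothetical scanner name
        "results": [
            {"ruleId": "sql-injection", "level": "error",
             "message": {"text": "String-built SQL query"},
             "locations": [{"physicalLocation": {
                 "artifactLocation": {"uri": "app/db.py"},
                 "region": {"startLine": 42}}}]},
            {"ruleId": "weak-hash", "level": "warning",
             "message": {"text": "MD5 used for password hashing"},
             "locations": [{"physicalLocation": {
                 "artifactLocation": {"uri": "app/auth.py"},
                 "region": {"startLine": 17}}}]},
            {"ruleId": "todo-comment", "level": "note",
             "message": {"text": "TODO left in code"},
             "locations": [{"physicalLocation": {
                 "artifactLocation": {"uri": "app/util.py"},
                 "region": {"startLine": 3}}}]},
        ],
    }],
})


def blocking_findings(sarif_text: str, threshold: str = "warning") -> list:
    """Return the findings whose level is at or above `threshold`, in scanner order."""
    doc = json.loads(sarif_text)
    min_rank = LEVEL_RANK[threshold]
    blocking = []
    for run in doc.get("runs", []):
        for result in run.get("results", []):
            level = result.get("level", "warning")  # SARIF default when level is absent
            if LEVEL_RANK.get(level, 0) < min_rank:
                continue
            loc = result.get("locations", [{}])[0].get("physicalLocation", {})
            blocking.append({
                "rule": result.get("ruleId", "?"),
                "level": level,
                "file": loc.get("artifactLocation", {}).get("uri", "?"),
                "line": loc.get("region", {}).get("startLine"),
                "message": result.get("message", {}).get("text", ""),
            })
    return blocking


def gate(sarif_text: str, threshold: str = "warning") -> int:
    """Exit code for the CI step: 0 lets the pipeline continue, 1 blocks it."""
    findings = blocking_findings(sarif_text, threshold)
    for f in findings:
        print(f"[{f['level'].upper()}] {f['rule']} at {f['file']}:{f['line']}: {f['message']}")
    return 1 if findings else 0


if __name__ == "__main__":
    # Pipeline usage: python gate.py results.sarif [note|warning|error]
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_SARIF
    threshold = sys.argv[2] if len(sys.argv) > 2 else "warning"
    sys.exit(gate(text, threshold))
```

The threshold is the policy knob: start at "error" so the gate is accepted by the team, then lower it to "warning" once the existing findings at that level have been fixed, rather than letting a noisy gate be disabled.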
Product owners, delivery managers, scrum masters & co.
Coordination roles have a direct impact on the actual implementation of Security by Design. Their key responsibilities should be:
- ensuring time and resources are allocated for secure development;
- incorporating security into planning and design;
- preventing security from being sacrificed to speed up deliveries.
Security by Design: security as a strategic lever
Security by Design represents a paradigm shift: from an additional cost to a strategic lever. Integrating security from the outset means:
- reducing the number of vulnerabilities;
- lowering remediation costs;
- improving software resilience.
In a context where vulnerabilities are growing faster than our ability to manage them, designing secure software is no longer a choice. It is a necessity.
Contact us at info@betrusted.it and we will help your organisation integrate security right from the earliest stages of software design.