I love this post by Tiexin Guo. He’s spot on about how we need to approach security in the modern software development era. As he points out, the “old way” of tacking security on “at the end” of a project is just not viable. Likewise, doing it manually with hands-on-keyboard testing won’t cut it.

Today’s software architectures are too complex. The “old way” might have worked well enough for single-server monoliths where everything was self contained. Today there’s just too many disparate and fast-moving parts to be successful with a dated security model. Instead of a single language, a single database, and a single front-end we’ve got multi-cloud distributed deployments, often dozens of components and sometimes even a dozen languages and scripting dialects — all in a single application.

Teams are bigger today, too — an expected consequence of emerging complexity. A small team of 20-30 people in the 90’s has today morphed into a much more distributed, loosely associated group. That 30 p…