The Ripple20 disclosures are a graphic illustration of three truths in software development. First, security must be integrated to every part of software development. From threat modeling during design to automated security testing during implementation, every phase of software development must involve security. Vulnerabilities that escape unnoticed represent serious risk. Finding and fixing more vulnerabilities during development translates directly to lower risk. Second, organisations that create software must manage their third-party components. The main reason for the far-reaching effects of the Ripple20 vulnerabilities is that they are vulnerabilities in a network component used by many organizations in many products. Each software development organisation must understand the third-party components they are using to minimise the risk that they represent. Finally, all software products must be able to update themselves. Using secure development practices and managing third-party components will result in fewer, less frequent updates. Nevertheless, something will always go wrong and updates will always be necessary. Systems and devices must be able to update themselves securely, and the manufacturer must make a commitment to maintaining the software for some clearly stated time period.  Read Less