Security by design

Embedding security into every stage of development

If you were building your business from scratch today, you wouldn’t bolt security onto the end. You’d bake it in from the beginning. The challenge is that most organizations aren’t starting from scratch.

They’re already in motion: they are shipping more code to production at an accelerating pace driven by AI-powered development; expanding into new regions; integrating AI services; and operating across a patchwork of teams, tools, and priorities. Security teams simply can’t scale at the same rate. As a result, security too often becomes reactive — trying to keep up with change instead of enabling it.

The good news? That’s changing.

As the VP of product, extensibility, and partnerships at Wiz, I’ve talked with a growing number of leaders who now see security as an enabler of innovation, not a blocker. They’re embedding it into development pipelines, aligning cross-functional teams around shared risk, and adopting architectures that support autonomy without sacrificing control.

And they’re doing it not because it’s trendy, but because the business demands it. In fact, 85% of organizations that have aligned security and application efforts have already built new applications designed to use AI, according to the 2026 Cloudflare App Innovation Report. It’s a clear signal that security alignment isn’t just about risk reduction, it’s a catalyst for modern application development.

Design decisions are now security decisions

“Security by design” is more than a technical principle — it’s a strategic one. Done right, it allows organizations to move faster without compromising safety. It frees up security teams to focus on high-impact work instead of endless remediation. Developers can take ownership with the right context and controls built into their workflows. And the organization as a whole becomes more resilient, with smaller blast radii when something inevitably goes wrong.

The reality is that modern architectures — whether built on ephemeral infrastructure, serverless functions, or AI pipelines — have fundamentally changed the shape of risk. Security can no longer be a gate at the end. Teams that integrate security early, and reinforce it throughout the lifecycle, are seeing fewer surprises and better outcomes.

But this shift takes more than tooling. It takes intent and leadership.

Redefining ownership across teams

One of the most meaningful shifts we’re seeing is a redefinition of security ownership. In forward-looking organizations, developers and cloud engineers are no longer just “security adjacent.” They’re on the front lines. They’re accountable for what they build and empowered to make smart, secure choices. As I like to say, security is a team sport.

This kind of model doesn’t emerge organically. It requires leaders to remove friction between teams, provide clear expectations, and ensure risk context is accessible when and where it’s needed. That might mean rethinking visibility across environments, adapting policies to match how teams actually work, or aligning incentives around secure innovation rather than velocity alone.

These are more than just technical improvements. They’re cultural changes, and they don’t happen overnight.

What happens when security is an afterthought

When security is layered on after the fact, the cost isn’t limited to technical debt. It also comes at the expense of speed, alignment, and trust.

Teams lose time triaging misaligned alerts. Incident response slows down due to siloed information. High-severity risks slip through the cracks. And perhaps most damaging of all, the relationship between security and engineering breaks down, making future collaboration even harder.

Findings from Wiz’s threat research team, which analyzes hundreds of thousands of cloud environments, show just how common design gaps really are. Our researchers found that over half (54%) of cloud environments had exposed virtual machines or serverless instances containing sensitive data, like personally identifiable information (PII) or payment information. And 35% of those environments had both exposed data and high- or critical-severity vulnerabilities, making them exploitable. Security by design helps prevent these vulnerabilities by making visibility and risk context foundational to how systems are built.

Misconfigurations, exposure, and over-permissioned accounts can still happen. But we’ve worked with dozens of global enterprises that faced these and other challenges head-on. And more than half of our Wiz customers sit outside the security team. It’s a sign that shared ownership is not only possible, but effective. When teams adopt a security-by-design model, they reduce time to remediation, improve prioritization, and align more tightly around what matters most.

Is your current model holding you back?

There’s no one-size-fits-all blueprint. But there are signals that can help leaders evaluate whether their current model truly supports secure design.

Can developers identify and remediate risks without waiting on security reviews? Do security teams have the visibility and context to focus on what matters most? Are remediation workflows fast, automated, and grounded in shared data? And can the organization innovate without slowing down or introducing more risk?

If the answer to any of these is “no” (or even “sometimes”), it may be time to revisit how security is embedded into both your architecture and your culture.

Security by design extends beyond your walls

Designing secure systems isn’t just an internal effort. It’s a contribution to the broader cloud ecosystem. Threats rarely stay isolated. A misconfiguration discovered in one environment today may be exploited in another tomorrow. That’s why the most resilient organizations don’t just secure their own infrastructure — they share what they learn.

Whether that means publishing research, contributing to open vulnerability databases like cloudvulndb.org, or partnering with industry peers to improve shared defenses, these efforts help raise the baseline for everyone.

It’s also efficient. Security teams across industries often spend time independently triaging the same misconfigurations or exposure patterns. By surfacing risks early and openly, we reduce duplicated work and improve response time across the board. Security by design means designing with others in mind too.

Built-in security is no longer optional

We’re entering a new era of application innovation, driven by AI dramatically accelerating the development lifecycle. Cloud-native architectures, AI-powered pipelines, and globally distributed teams require a security approach that’s just as dynamic. One where protection isn’t a final checkpoint, but a default state — embedded into every stage of development.

This isn’t just possible. It’s already happening.

Wiz and Cloudflare’s commitment to security by design helps your organization spend less time fighting fires and more time building what’s next. Together, Cloudflare and Wiz will present edge and cloud risks in one view: By bringing Cloudflare DNS and web application firewall (WAF) logs into the Wiz platform, teams can soon spot misconfigurations, reduce blind spots, and focus on fixing issues before they become bigger problems.

This article is part of a series on the latest trends and topics impacting today’s technology decision-makers.

Author

Oron Noah
VP of Product, Extensibility and Partnerships, Wiz

Key takeaways

After reading this article, you will be able to understand:

• Why “security by design” is critical to application development

• How collaboration accelerates development and improves security

• What happens when security is afterthought

Related resources

• 2026 Cloudflare App Innovation Report

• Addressing technical debt

• State of application security