Why ‘security as by-product’ is no replacement for modern tooling

Built-in security can play a role — and fits with the Secure by Design concept — but robust security controls remain essential.

Modern tooling is required

Traditionally, cybersecurity has relied on building strong defenses using powerful security controls and best practices, following security-first internal development workflows, and constantly monitoring for every kind of attack that could disrupt the business. 

But there is another approach, one that its advocates call “security as by-product.” It focuses on seeking out and buying products and services that include their own strong, built-in security features and protocols.

With new threats emerging from practices such as AI coding, the security as by-product approach is gaining new adherents and spawning a variety of free and open-source tools with built-in security, along with guidance on how to leverage the practice.

Also contributing to the upsurge in interest is that security as by-product fits snugly into the Secure by Design initiative being pushed by the U.S. Cybersecurity and Infrastructure Security Agency (CISA). However, while these baseline tools can help, cybersecurity leaders say advanced security practices and controls are more essential than ever to managing risk.

What you need to understand about security as by-product 

In a recent column in his Venture in Security newsletter, cybersecurity writer and luminary Ross Haleliuk said that chief information security officers (CISOs) and other executives naturally remain focused on using powerful security controls to fight attackers today, but they should not ignore buying technologies whose security is not a design goal but a by-product of their built-in features.

If you were to ask security founders what they think are the best ways to make companies more secure, they would probably tell you different ideas about getting CISOs to buy new security tools. That’s not wrong per se — CISOs control security budgets, set strategy, and are responsible for the organization’s security posture.

Ross Haleliuk

But this approach, he wrote, does not consider that some of the biggest improvements in security have come from products that were never sold as “security.” Case in point: Google Chromebooks. Companies bought them for attributes such as increased productivity, improved user experience, cost savings, and speed. Having built-in security was simply a side benefit.

The buyer probably doesn’t even think of the product as a ‘security tool,’ but the security benefit is real, measurable, and in some cases far greater than what a traditional security product could deliver. In fact, some of the biggest security improvements came from companies that don’t even market themselves as security players.

Ross Haleliuk

“The core pitch of Chromebooks was never ‘buy this because it’s resistant to ransomware,’” Haleliuk wrote. “It was ‘buy this cheap, easy, low-maintenance laptop that has everything you need and that you can access with your Gmail account.’”

By stripping away local storage, restricting software installation, and isolating everything in the browser, Google removed a huge attack surface common in traditional PCs, he wrote. “With Chromebooks, malware protection isn’t the product, it is the inevitable outcome of the design.”

Other examples of security as by-product

Slack, Haleliuk wrote, “has done more to stop phishing than all the dedicated email security vendors combined.” Sales-enablement applications such as Vanta, Drata, Secureframe, and Scrut focus on compliance to bring in real security controls for startups. The secure identity management vendor Okta originally set out to help people save and protect their passwords more easily. Chainguard patches, rebuilds, verifies, and sells secure container images so that developers can save time.

Needless to say, this list of examples is not exhaustive, and all of them illustrate the same point: that to achieve a security outcome, founders don’t necessarily have to build a security company.

Ross Haleliuk

Haleliuk argues that the security as by-product concept can help IT leaders deal with concerns about the use of AI coding and the rise of deepfakes, which harm online trust. 

There is a lot of discussion about the fact that AI-generated code is not inherently secure. One way to solve this is to do what was done before: build a ‘next-gen’ code-scanning tool and sell it to security teams. Another way to do it is for developer platforms to embed AI-assisted vulnerability detection directly into the coding process. This way, developers would adopt it for productivity, and security would come along ‘for free.’

Ross Haleliuk

Why advanced security tooling is more essential than ever

Several security analysts said the security as by-product idea is intriguing and has a place in cybersecurity practices. But given the evolving threat landscape, modernizing your enterprise security practices and tooling is far more essential to managing risk.

Paul Nashawaty, principal analyst for application development and modernization for theCUBE Research, said it’s true that some of the most significant leaps forward in security haven’t come from security products at all. But, he added, that does not diminish the need for purpose-built security platforms. 

CISOs still have to manage compliance, risk, and specialized threats, which means there’s always going to be a place for dedicated tools. What feels most powerful is the combination: security platforms where you need them, and business tools with embedded security ‘for free’ where you can get them.

Paul Nashawaty

On the other hand, he said, AI coding assistants that naturally generate more secure code as a by-product could have more impact downstream than traditional point solutions. “It really comes down to rethinking how we measure impact, not just by security budgets and controls, but by the security outcomes that come from products people already want to use,” Nashawaty said.

“If companies choose gear that’s secure by default, they’re lowering risk from the ground up,” he said. “In a way, that makes the security team’s job easier because protection isn’t only bolted on later, it’s already built into how employees work every day.” 

Nonetheless, for Nashawaty, no amount of built-in security can eliminate the need for dedicated security platforms or the need to think comprehensively about risk. “CISOs can’t manage risk and compliance without them,” he said.

Chirag Mehta, a principal analyst with Constellation Research, said advanced security tooling and practices are essential to managing risk.

By-products raise the baseline, but specialized tools are still required to monitor, detect, and respond to threats that slip through. Without dedicated platforms, enterprises risk blind spots. By-products reduce risk, but products are what catch the breach. Ultimately, the strongest posture comes from combining the two.

Chirag Mehta

How security as by-product maps to Secure by Design

Katie Norton, a DevSecOps and software supply chain security analyst with IDC, is on the same page as Nashawaty and Mehta. She said baking security into products is a good idea that is reflected in CISA’s Secure by Design initiative, but those benefits do not mean that companies can stop investing in security tools.

In fact, assuming a product is safe because it has security baked in and will be able to secure itself against threats “is a huge red flag,” Norton said. 

That kind of complacency can be just as risky as ignoring security altogether. Security is adversarial by nature, and attackers are constantly looking for creative ways around even the most carefully designed controls. So, while I’m enthusiastic about products that bake in security, I’m skeptical we’ll ever reach a point where we trust the thing to secure itself without external checks.

Katie Norton

Derek Fisher, founder of cybersecurity consulting, training, and advisory firm Securely Built, sees limits to security as by-product.

Complexity is the enemy of security, and psychological acceptability is still a valuable design pattern. When we make systems complex or inject processes that slow down production, we open ourselves up to circumvention and an expansion of the threat surface. So it goes without saying that whenever we have an opportunity to integrate security into the tools already being used for productivity, we get better adoption while lowering risk.

Derek Fisher

Enterprise security leaders who are looking to lower their risks must review and understand their company’s workflows and processes and the ways that their employees work before determining which best-of-breed security platforms can deliver the best results, Fisher said.

Due diligence is still required to understand how security is being implemented by your productivity tools and whether it is sufficient compared to your risk profile.

Derek Fisher

And there is much more to due diligence than just using products that include built-in security features, Fisher said.