CVE As PR or STFU

Mykel Alvis DevOps Coach (Speaker DevSecCon Boston 2017)
12 Sep 2017
14:55 - 15:45
Ballroom

Many security professionals have spent an entire career being purely prescriptive. They have provided checklists and references to NIST webpages and documents without being involved in the development cycle. While that has some value, it’s far less useful than being directly involved. It is time for security professionals to become embedded in the delivery process, not just gatekeepers.

As we grow in our ability to provide infrastructure as code, it becomes more important to include security evaluation results as a testable element of the continuum of delivery. A maturing IaC system should treat vulnerabilities as bugs, with all the attendant software practices that a bug entails: specifically, a [currently-failing] test and a means to remediate. This allows automation to test results and provide faster response cycles, a well-documented performance metric for highly productive teams.
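The "vulnerability as a bug" pattern above, as an added example that is not part of the talk or of any project it mentions: a finding is expressed as a pull request that carries a currently-failing test plus the change that makes it pass, so the delivery pipeline can gate on it. The manifest, the package name `examplelib`, the advisory id `ADV-PLACEHOLDER-0001` and the version numbers are all constructed placeholders, and the version comparison assumes plain dotted numeric versions.

```python
"""Added example (not from the talk): a vulnerability treated as a bug,
i.e. a PR that carries a currently-failing test and its remediation.
All ids, package names and versions are constructed placeholders."""
from dataclasses import dataclass
from typing import Dict, List, Tuple

Version = Tuple[int, ...]


def parse_version(v: str) -> Version:
    """Assumption: plain dotted numeric versions such as '1.4.2'."""
    return tuple(int(part) for part in v.split("."))


@dataclass(frozen=True)
class Advisory:
    advisory_id: str   # placeholder id, not a real CVE
    package: str
    fixed_in: str      # first release that is no longer affected

    def affects(self, manifest: Dict[str, str]) -> bool:
        """True when the pinned version is below the fixed release."""
        pinned = manifest.get(self.package)
        if pinned is None:
            return False
        return parse_version(pinned) < parse_version(self.fixed_in)

    def remediate(self, manifest: Dict[str, str]) -> Dict[str, str]:
        """The fix half of the PR: bump the pin to the fixed release.
        Returns a new manifest; the input is left unchanged."""
        if not self.affects(manifest):
            return dict(manifest)
        return {**manifest, self.package: self.fixed_in}


# Constructed lockfile-style manifest: state of the repo before the PR.
MANIFEST_BEFORE: Dict[str, str] = {"examplelib": "1.4.2", "otherlib": "3.0.0"}

# Constructed advisory: examplelib releases below 1.4.5 are affected.
ADVISORIES: List[Advisory] = [
    Advisory("ADV-PLACEHOLDER-0001", "examplelib", "1.4.5"),
]


def failing_advisories(manifest: Dict[str, str],
                       advisories: List[Advisory]) -> List[str]:
    """The test half of the PR: the pipeline gate.
    An empty list means every known advisory has been remediated."""
    return [a.advisory_id for a in advisories if a.affects(manifest)]


def apply_pr(manifest: Dict[str, str],
             advisories: List[Advisory]) -> Dict[str, str]:
    """Apply every advisory's remediation, producing the post-PR manifest."""
    for advisory in advisories:
        manifest = advisory.remediate(manifest)
    return manifest


if __name__ == "__main__":
    # Red: the test encodes the finding and fails against the current tree.
    print("before PR:", failing_advisories(MANIFEST_BEFORE, ADVISORIES))
    # Green: the same test passes once the remediation is applied.
    after = apply_pr(MANIFEST_BEFORE, ADVISORIES)
    print("after PR: ", failing_advisories(after, ADVISORIES))
```

The point of keeping the check and the fix in the same change is that the test stays in the suite as a regression guard: a later pin that drifts back below `fixed_in` fails the gate again, which is the same lifecycle any other bug gets.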