A new phenomenon stands out in recent years: security must pervade the entire software development lifecycle. Except it isn’t. The current generation of processes and tools is lacking crucial features to properly manage modern security risks. Think of the Log4J event. Were you able to identify all affected components? Were they internally developed, or did you need vendor support? How fast you were able to deliver a fix? In this talk, we’ll explore the challenges, what you can do with current tools, and which gaps should be addressed by communities through better practices and new tools.