

Bitwarden Blog

Building secure systems from day one

Authored by: Bitwarden Events

Security works best when it is part of the foundation, not an addition after the fact. At the 2025 Bitwarden Open Source Security Summit, Wall Street Journal technology journalist Nicole Nguyen moderated a conversation about what it really means to build secure systems from the ground up. Eddie Clark, CEO of SolveIT, and David Mitrovik, Systems Engineer at Swiss TXT, explored what secure by design looks like in practice — from zero-trust networks built to verify identity at every layer, to broadcast infrastructure where there is no reliability without real security.

Their message was consistent: retrofitting security after deployment is harder, riskier, and more expensive than building it in from the start.

When social engineering bypasses technical defenses

Even the most secure technical infrastructure can be undone by a single phone call. The MGM casino hack served as the panel's cautionary tale: an attacker called the help desk, requested a password reset, and gained access to highly secure systems — no technical exploit required.

Clark stressed the importance of identity verification processes and simple measures like calling users back at their registered number or using authentication apps.

"Had MGM followed these best practices, it's likely that attack could have been avoided." — Eddie Clark, SolveIT

Mitrovik pointed out that deepfake voices and videos make it harder to trust what people see and hear, and that the growing sophistication of these attacks should compel organizations to rethink strategies for combating social engineering. Balancing security with usability remains a genuine challenge. People do need to reset passwords, and verification through a second secure channel is not always possible. Solving this requires thoughtful processes and strong authentication tools, not technology alone.

How to spot real security versus security theater

Many companies claim to prioritize security, but how can consumers and businesses tell the difference? Both panelists offered practical guidance.

  • Look for standards and certifications. Clark mentioned OWASP (Open Worldwide Application Security Project), whose secure-development guidance builds security in from the conceptual phase onward.

  • Evaluate transparency. Mitrovik emphasized that good documentation, clear explanations of cryptographic processes, bug bounty programs, and transparent vulnerability handling are all positive signs. If a company has nothing to show for its security claims, it is probably theater.

Open source and security: Stronger together

The panel also addressed a common misconception: that open source software is less secure. Both panelists pushed back firmly.

Clark explained it through a business lens: proprietary code is limited by budget and the number of reviewers. Open source benefits from unlimited peer review without budgetary constraints, increasing the likelihood of catching security flaws.

Mitrovik added that while the average consumer might not read the code, security researchers are actively examining popular open source projects. The openness itself, and the processes around it, contribute to stronger security outcomes.

"You can't add eggs to a cake after it's baked." — Nicole Nguyen, Wall Street Journal

Fostering a security-first mindset

Beyond technology and transparency, the panelists emphasized culture. For organizations just beginning to prioritize security, Clark's advice was clear: establish a security-first mindset across the entire organization with top-level buy-in. This applies to designers, operations teams, product managers, and sales — not just developers.

Clark also applies this principle to product selection. Usability is part of what makes secure design stick.

"Can my mother use this? And if she can, then perhaps salespeople can use it." — Eddie Clark, CEO of SolveIT

Mitrovik noted that prioritizing security early actually saves money by catching problems before they become expensive to fix. And contrary to common assumptions, secure by design practices serve as a competitive advantage, not a burden.

From principles to practice

The panel closed with quick-hit advice that brought the conversation full circle from organizational strategy down to everyday habits.

Password manager adoption is taking off

Clark and Mitrovik both pointed to password manager adoption as a bright spot. Built-in options from Apple and Google are serving as gateway tools that lead users to more robust, dedicated solutions like Bitwarden Password Manager. Clark highlighted the enterprise value as well: the ability to cut off a departing employee's access and transfer their vault to a replacement creates a critical business continuity component.

Passkeys and end-to-end encryption top the wishlist

When asked which security feature every consumer app should have by default, Clark's answer was immediate: passkeys. They use public and private keys, eliminate password resets, and resist phishing. Mitrovik's pick was end-to-end encryption for everything.

Biometrics make security seamless

Integrating password managers with biometrics — fingerprint and face recognition — makes security both seamless and strong. Mitrovik added that replacing SMS-based authentication with passkeys or push notifications is another high-impact improvement.

"I don't like SMS. It doesn't work very well, and it's quite tedious." — David Mitrovik, Swiss TXT

Adoption is held back by cost and fear

When asked why more organizations have not adopted passwordless authentication despite user enthusiasm, Clark's answer was blunt:

"Cost and fear of change. Almost a hundred percent of the time."

Start with the basics

For loved ones not yet using a password manager, passphrases are a strong starting point — "my dog is blue" is infinitely better than "P@ssw0rd." And changing those 1-1-1-1 passcodes to something actually secure is a small step with outsized impact.
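The panel's comparison of "my dog is blue" with "P@ssw0rd" and a 1-1-1-1 passcode can be put in rough numbers. The estimator below is an added example written for this recap, not a Bitwarden tool; it follows the same idea as pattern-based strength checkers, scoring a password by the size of the search an attacker would actually run rather than by its character mix. The word-list size (`COMMON_WORDS`) and the number of substitution variants per word (`LEET_VARIANTS`) are assumed values chosen for illustration; real attacker wordlists vary.

```javascript
// Added example: estimate guessing cost in bits for the password styles named in the text.
// All model parameters below are assumptions made for this illustration.
const COMMON_WORDS = 20000;  // assumed size of the word list an attacker tries
const LEET_VARIANTS = 64;    // assumed capitalisation/substitution variants per word
const LEET = { '@': 'a', '0': 'o', '1': 'i', '3': 'e', '4': 'a', '$': 's', '5': 's', '7': 't', '!': 'i' };

// Undo common leet substitutions so "P@ssw0rd" is recognised as the word "password".
function unleet(pw) {
  return [...pw.toLowerCase()].map((ch) => LEET[ch] ?? ch).join('');
}

// Brute-force fallback: pool size is the sum of the character classes present.
function charClassBits(pw) {
  let pool = 0;
  if (/[a-z]/.test(pw)) pool += 26;
  if (/[A-Z]/.test(pw)) pool += 26;
  if (/[0-9]/.test(pw)) pool += 10;
  if (/[^A-Za-z0-9]/.test(pw)) pool += 33;
  return pw.length * Math.log2(pool);
}

// Returns the attack model that applies and the estimated work in bits.
function guessBits(pw) {
  const trimmed = pw.trim();
  if (/^\d+$/.test(trimmed)) {
    // Numeric PIN: 10 choices per digit.
    return { style: 'pin', bits: trimmed.length * Math.log2(10) };
  }
  const words = trimmed.toLowerCase().split(/\s+/);
  if (words.length > 1 && words.every((w) => /^[a-z]+$/.test(w))) {
    // Passphrase: each word is one pick from the word list, cost multiplies per word.
    return { style: 'passphrase', bits: words.length * Math.log2(COMMON_WORDS) };
  }
  if (/^[a-z]+$/.test(unleet(trimmed))) {
    // Single word with substitutions: list size times variants, not a character brute force.
    return { style: 'leet word', bits: Math.log2(COMMON_WORDS * LEET_VARIANTS) };
  }
  return { style: 'random', bits: charClassBits(trimmed) };
}

// Compare the three examples from the panel discussion.
function comparePanelExamples() {
  return {
    passphrase: guessBits('my dog is blue'),
    leet: guessBits('P@ssw0rd'),
    pin: guessBits('1111'),
  };
}
```

Under these assumptions the four-word phrase lands near 57 bits while the substituted dictionary word is closer to 20, because an attacker who already tries "password" will also try its obvious variants. Adding a fifth word multiplies the passphrase cost by the word-list size again, which is why length in words matters more than symbol substitutions.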

Key takeaways from the panel

Security is not something to address after the fact. Whether organizations are developing software, selecting business applications, or individuals are managing personal digital lives, the principles remain the same: do the research, look for transparency and standards, and turn on phishing-resistant authentication everywhere it is available.

With the threat landscape evolving, doing the same things the same way will not produce different results.

Bitwarden Password Manager is built on open source, zero-knowledge encryption — security built in from day one, not bolted on after the fact. Explore Bitwarden plans for your team or organization, or get started with a free individual account.