What’s more likely to get hacked: code that’s 10 years old or 1 year old? What code gets more attention in appsec: code that's 10 years old or 1 year old? See the problem?
If 10-year-old code is still in production, it’s often orphaned with no one who owns it. I’ve had to beg devs to fix it with the caveat that if they break something, it’s my fault. (** not at my current employer **)
Yes indeed, and this is a good example of why this is an area that contains the vast majority of the risk.
One of the least talked about steps in the SDL is the sunsetting and eventual decommissioning of the product. No one gets in trouble for kicking this can down the road, largely because they’re no longer with the company. That’s why having product owners is so important.
Yeah, for some reason very few of the SDL diagrams include EOL.
I noticed that too. I figured it was people reducing their workload. If we assume we're only ever improving the product, then we don't have to do the work to determine what happens at EOL. And if it should happen on our watch, we'll figure it out then.

Sep 30, 2021 · 4:04 AM UTC