Why Off-the-Shelf Software Makes Your Business a Bigger Security Target

Scott Fisher · 7 min read

When a security researcher finds a vulnerability in a piece of software used by 50,000 businesses, those 50,000 businesses are all at risk at the same moment. Automated tools can scan the internet for systems running the vulnerable version. Attackers do not need to target you specifically — they can target the software you use, and find you as a result. This is the fundamental security trade-off that mass-deployed software creates, and it is one that most businesses using off-the-shelf products have not fully considered.

How Mass Deployment Creates Mass Risk

Popular software — CRM platforms, ERP systems, accounting packages, project management tools — is popular because many businesses use it. That scale is also what makes it a productive target for attackers.

When a vulnerability is discovered in widely-used software, it gets submitted to the CVE database — the Common Vulnerabilities and Exposures system maintained by MITRE and used by security researchers and attackers alike. From that point, the vulnerability is public knowledge. Automated scanning tools can search for businesses running the affected software version. The window between public disclosure and widespread exploitation can be measured in hours.

WannaCry in 2017 is the most visible example at scale — it exploited a known vulnerability in Windows SMB that had a patch available for two months before the attack. Organisations that had not applied the patch were compromised regardless of their size, sector, or intentions. The vulnerability was in software they happened to run. That was sufficient.

The same dynamic applies at smaller scale, constantly. SMEs running unpatched versions of popular accounting software, customer management platforms, or web applications face continuous automated probing. The attackers are not interested in them specifically — they are interested in the vulnerability, and these businesses happen to have it.

The Patch Timing Problem

The obvious response to this is to keep software patched. In practice, this is harder than it sounds.

Patches arrive on the vendor's schedule, not yours. For critical vulnerabilities, major vendors move quickly — but smaller SaaS vendors, legacy software providers, and niche platforms can take weeks or months. For older, no-longer-supported versions, patches may never arrive.

Applying patches also carries its own risk: patches sometimes break integrations, change interfaces, or introduce new problems. Businesses with complex, customised installations of commercial software often defer patches because they cannot easily verify that the update will not break their operational workflows. This is rational from a business continuity perspective and damaging from a security one.

The result is that many businesses are running software with known vulnerabilities, not through negligence, but because the patch cycle is genuinely difficult to manage alongside operational demands.

What Bespoke Software Changes

A bespoke system built for one client does not appear in the CVE database. There is no public record of its existence, its architecture, or its components. Automated scanners looking for vulnerable versions of known software will not find it, because it is not known software.

This is not security through obscurity as a primary strategy. The systems I build use Managed Identity for authentication, Azure Key Vault for secrets, and encrypted connections throughout — that is the actual security layer. Obscurity is an additional factor, not a substitute.

But it is a real factor. NTLabsManager, BuxtedManager, and DugardManager are not listed in any vulnerability database. An attacker scanning for weaknesses in those specific systems would need to discover them, understand their architecture, and find a specific flaw — not simply search a database for a known CVE and scan for exposed endpoints.

The attack surface is also smaller by design. A bespoke system does the specific things it needs to do. It does not include the fifty features that a generic platform provides but a particular business never uses. Each unused feature in off-the-shelf software is a potential attack surface. Bespoke software with a focused scope has a correspondingly smaller one.

Third-Party Components and the Supply Chain

Bespoke software still relies on third-party components — frameworks, libraries, NuGet packages in the .NET ecosystem. These carry their own vulnerability profiles, and keeping them updated is part of responsible software maintenance.

The difference is control. When a vulnerability is found in a library a bespoke system uses, the decision about when and how to update it belongs to the developer working with that specific client. There is no dependency on a vendor's release cycle, no forced update that might break other functionality, and no delay while the platform vendor assesses impact across their entire customer base.

This is part of the broader argument for owning your software rather than licensing it — control over the security posture of your own systems is only possible when you control the software itself.

The Honest Assessment

Off-the-shelf software is not inherently insecure. Many large vendors have excellent security practices, fast patch cycles, and dedicated security teams. For general business tools — email, productivity, communication — the security trade-offs of popular platforms are well understood and broadly acceptable.

The question is whether your core operational software — the system that holds your client data, your financial records, your operational processes — carries the specific risk profile of mass-deployed software. For businesses in regulated sectors, businesses handling sensitive personal data, or businesses where a breach would have serious operational or reputational consequences, the answer to that question should inform the software decisions they make.

Bespoke software is not the right answer for every business tool. But for the systems that sit at the centre of your operations, understanding the security trade-offs of your current approach is worth the conversation. If you want to assess what a bespoke approach would mean for your specific situation, get in touch.

Frequently Asked Questions

Does bespoke software have security vulnerabilities too?

Yes — no software is inherently free of vulnerabilities. The difference is in the attack surface and the disclosure model. A vulnerability in bespoke software is not published in a public database, is not known to attackers scanning for that specific weakness, and is fixed on your timeline rather than the vendor's. The risk profile is fundamentally different, not zero.

What is a CVE and why does it matter to my business?

CVE stands for Common Vulnerabilities and Exposures — a public database of known security flaws in widely-used software. When a vulnerability is added to the CVE database, it is available to everyone, including attackers. Automated scanning tools search for systems running vulnerable software versions. If your business runs software with a known CVE and has not patched it, you are a known, findable target.

How quickly do software vendors patch security vulnerabilities?

It varies significantly. Major vendors like Microsoft patch critical vulnerabilities within days to weeks. Smaller SaaS vendors and legacy software providers can take months — or never patch older versions at all. The gap between a vulnerability being discovered and a patch being deployed is called the 'window of exposure'. During that window, businesses running the affected software are at risk whether or not they know about it.

Is security through obscurity a real defence?

Not as a sole defence, but it is a real factor in risk reduction. Security through obscurity alone — relying on attackers not knowing what software you run — is not a sound strategy. But obscurity combined with proper security practices (Managed Identity, encrypted connections, access controls) meaningfully reduces the attack surface. A bespoke system is not listed in vulnerability databases; a mass-deployed product is. That difference is genuine.

What should I ask my current software vendor about security patches?

Ask: How quickly are critical security patches released? Do I receive notification when patches are available? Are older versions still supported with security updates? What is the process if a vulnerability is found in the software I use? The answers reveal both the vendor's security posture and how much control you have over your own exposure.

How does bespoke software reduce the attack surface compared to off-the-shelf products?

A bespoke system does only what your business needs. Off-the-shelf software ships with dozens of features most businesses never use — each one a potential attack surface. Bespoke software with a focused scope has a correspondingly smaller surface. It is not listed in vulnerability databases. It does not share its architecture with tens of thousands of other installations. The combination of proper security practices and reduced exposure is meaningfully more secure than a mass-deployed product even with regular patching.

What is the window of exposure after a software vulnerability is disclosed?

The window of exposure is the period between a vulnerability being publicly disclosed and a patch being applied to your installation. For mass-deployed software, automated scanning tools begin probing for the vulnerability within hours of public disclosure. The window depends on how quickly the vendor releases a patch, how quickly you receive notification, and how quickly you can apply the patch without breaking your operational workflows. Businesses running complex or customised installations often defer patches for days or weeks.

Is bespoke software worth considering for security reasons alone?

Security alone rarely justifies the investment in bespoke software — the decision should rest primarily on whether it solves a genuine operational problem. But security is a meaningful secondary factor, particularly for businesses in regulated industries, businesses handling sensitive personal data, or businesses where a breach would have serious operational or reputational consequences. If the operational case for bespoke software exists, the security advantages strengthen it.

What are the supply chain risks with bespoke software components?

Bespoke software still relies on third-party components — frameworks, libraries, NuGet packages in the .NET ecosystem. These carry their own vulnerability profiles and need to be kept updated. The difference from off-the-shelf software is control: when a vulnerability is found in a library a bespoke system uses, the decision about when and how to update it belongs to the developer and client, not a vendor's release cycle. There is no dependency on a platform vendor assessing impact across their entire customer base before issuing a patch.

How do I find out if my current software has known security vulnerabilities?

The CVE database at cve.mitre.org is publicly searchable — you can look up any product by name and see its disclosed vulnerabilities. Your IT provider or software vendor should also be sending security notifications when patches are available. If you are not receiving these or your software is no longer receiving security updates, that is a risk worth assessing. Get in touch to start the conversation.
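As an added illustration, not code from the original article, the check below takes a CVE record in the JSON 5.0 shape that the CVE Program publishes, decides whether an installed version falls inside one of its affected ranges, and counts the window of exposure described in the earlier FAQ as the days between public disclosure and the date a patch was applied. The record, vendor, product and version numbers are constructed for the example and do not describe a real CVE.

```python
import json
from datetime import date

# Constructed sample in the shape of a CVE JSON 5.0 record. The ID, vendor,
# product and version numbers are invented for this example; none is a real CVE.
SAMPLE_CVE = json.dumps({
    "cveMetadata": {"cveId": "CVE-0000-00000", "datePublished": "2024-03-01T00:00:00Z"},
    "containers": {"cna": {"affected": [{
        "vendor": "ExampleVendor", "product": "ExampleCRM",
        "versions": [
            {"version": "4.0.0", "lessThan": "4.2.7", "status": "affected", "versionType": "semver"},
            {"version": "5.0.0", "lessThan": "5.1.3", "status": "affected", "versionType": "semver"},
            {"version": "4.2.7", "status": "unaffected", "versionType": "semver"},
        ],
    }]}},
})

def parse_version(v):
    """'4.2.7' -> (4, 2, 7); tuples compare component by component."""
    return tuple(int(part) for part in v.split("."))

def in_range(v, rng):
    """CVE 5.0 semantics: lessThan / lessThanOrEqual bound a range starting at
    'version'; with neither present the entry names that single version."""
    start = parse_version(rng["version"])
    if "lessThan" in rng:
        return start <= v < parse_version(rng["lessThan"])
    if "lessThanOrEqual" in rng:
        return start <= v <= parse_version(rng["lessThanOrEqual"])
    return v == start

def is_affected(record_json, product, installed):
    """True if the installed version sits in any 'affected' range for the product."""
    record = json.loads(record_json)
    v = parse_version(installed)
    for entry in record["containers"]["cna"]["affected"]:
        if entry["product"].lower() != product.lower():
            continue
        for rng in entry.get("versions", []):
            if rng.get("status") == "affected" and in_range(v, rng):
                return True
    return False

def exposure_days(record_json, patched_on):
    """Window of exposure: days from public disclosure to the ISO date on which
    the patch was applied to your own installation."""
    record = json.loads(record_json)
    published = date.fromisoformat(record["cveMetadata"]["datePublished"][:10])
    return (date.fromisoformat(patched_on) - published).days
```

The same check runs against a real record downloaded from the CVE Program's JSON feed, provided the product uses plain dotted numeric versions; other version schemes need their own comparison.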
