Vulnerability management is the fourth domain where the same structural gap produces the same structural failure.
The principle says: don't ship vulnerable code. The implementation: scan every container image, every dependency tree, every base layer for known CVEs. Report everything. Demand developers patch everything. Treat every "Critical" finding as an emergency. The scanner found a vulnerability in libxml2. Is the application actually calling libxml2? Nobody knows. Patch it anyway. The scanner found a vulnerability in grep. Is grep even invoked at runtime? Nobody knows. Patch it anyway. The scanner found 247 CVEs in the base image. How many are reachable from the application's code paths? Nobody knows. Patch all 247.
If you've read the previous articles in this series — Least Privilege, Microsegmentation, DLP — the pattern is familiar. The missing artifact is different. The structural failure is identical.
The Principle and Its Hidden Assumption
"Don't ship vulnerable code" assumes you know which code is vulnerable and which vulnerable code matters. Scanners answer the first question well. Nobody answers the second.







