How do we build secure software? What does "secure" even mean? How much is enough? How can security keep pace with agile development models and ever-changing requirements? How do we deal with specialized staff shortage? Does every developer need security skills? Shall we trade initial velocity in software engineering for sustained velocity? When should we throw software away? There are way more questions than answers on how to ensure a solid and sustainable security level in software nowadays. In this panel discussion, we try to shine some light on what we can do apart from coding in order to justify trust in the security of the software we're building.