Decoding Security Debt: Differentiating It from Tech Debt and Ways to Tackle It

Decoding Security Debt: Differentiating It from Tech Debt and Ways to Tackle It

Learn about Security Debt, Technical Debt, how they are different, what are the implications of both and how to reduce your Security Debt

In the fast-paced world of technological advancements, organizations often face the dilemma of balancing innovation with security. Tech debt and security debt are two terms commonly used in the realm of software development and cybersecurity. Understanding the differences between these concepts is crucial for mitigating risks and safeguarding business operations.

What is Tech/Technical Debt?

Technical debt refers to the long-term burden software development organizations create when they take shortcuts. Technical debt includes the buildup of “cruft,” which are deficiencies in internal quality that make it harder to modify and extend a system further.

Dave Smith, an agile software development coach, describes technical debt as “those internal things (in the planning or execution of a software project) that you choose not to do now, but which will impede future development if left undone.”

He offers a few examples of the thinking behind technical debt:

  • “It’s too late in the life cycle to upgrade to the new release of the compiler. We’ll do it next time.”
  • “We’re not completely conforming to the user interface guidelines. We’ll get to it next time.”

Martin Fowler, chief scientist at ThoughtWorks, describes it, “Doing things the quick and dirty way sets us up with a technical debt, which is similar to a financial debt. The technical debt incurs interest payments, which come in the form of the extra effort that we have to do in future development because of the quick and dirty design choice.”

Technical debt might look like any of these:

  • Poorly written code

  • Lack of documentation

  • Outdated libraries

  • Lack of test coverage

Types of Technical Debt.

Martin Fowler classifies technical debt into four categories:

  • Reckless and deliberate

  • Reckless and inadvertent

  • Prudent and deliberate

  • Prudent and inadvertent

Prudent

This form of technical debt is deliberate and is used to gain speed and market advantage. Companies may release an MVP, prioritizing speed over perfection, but then release frequent updates to manage the debt. Being the first to go to market gives them the competitive edge, but this requires good and experienced management, as it can easily cause technical debt to accrue.

Inadvertent

Software architectures should be adaptable to future industry standards—since no design is perfect. But when developers build applications that are not modular and adaptable due to lack of knowledge or experience, the company can inadvertently incur major technical debt.

Reckless

This type of tech debt can happen due to consistent incremental changes and customizations to a legacy system while deliberately ignoring the need to upgrade such systems to modern standards.

Causes of Technical Debt.

Here are some ways technical debt can pile up:

  • Ignorance: When company leaders or software developers are oblivious to the concept of technical debt, they can make decisions that cause technical debt to accrue without even realizing it.

  • Tightly coupled components: When the software architecture is not modular, the software cannot be adapted to future business needs.

  • Failure to align with industry standards: When features, frameworks, or technologies are not upgraded on time, upgrades can become expensive. When legacy applications are being maintained and customized, while refactors are delayed and upgrades deferred, technical debt grows over time and may eventually require a complete overhaul.

  • Lack of collaboration & poor leadership: How your team leaders set up your engineering teams and the software development cycle (SDLC) is a key factor in whether technical debt will be accrued. When junior developers are not properly mentored or software development is done in isolation across multiple branches, this creates silos. Team leaders must also know how to balance speed, scalability, and quality; and prioritize which features to release at a given time.

  • Time pressure & constant change: Changes or project requirements that come late in the SDLC, without the time or budget to properly implement and document them can lead to technical debt.

Problems due to Tech Debt.

  • In today's competitive market, companies need to adapt quickly and provide excellent user experiences or become obsolete. Tech debt leads to poor code quality, and if you cannot evolve rapidly due to poor-quality code and IT infrastructure, this can be detrimental.

  • Low product release cycle frequency: due to poor code quality and architecture it becomes harder & harder to release frequent updates.

  • System uptime issues: tech debt can cause frequent system crashes which reduce the system uptime

  • Engineer turnover: Paying tech debt can burn out developers, causing many to seek out greener pastures, where they can innovate.

What is Security Debt?

Security debt is a focused type of technical debt that reflects the number of vulnerabilities embedded in an application or system. When an organization values speed over security, it may spend less time looking for vulnerabilities and remediating the ones it does find.

Causes of Security Debt.

  • Security debt occurs when security measures are not incorporated throughout the entire software development life cycle (SDLC, from start to finish.

  • Organizations release software without addressing its weaknesses and vulnerabilities. Sometimes the organization fails to test software thoroughly throughout the SDLC. Sometimes it decides that the pressure to finish a project is so great that it makes more sense to release now and fix vulnerabilities later

  • delayed modernization or refactoring of legacy applications can lead to security tech debt.

  • Failure to address known vulnerabilities can also lead companies to accrue security debt, which may have severe financial consequences.

  • Delayed testing or failure to integrate testing into your SDLC is another cause of security debt. When applications are built by inexperienced developers who prioritize speed over security, the entire development life cycle may be completed without any testing at all; or testing may only be carried out at the end of the SDLC.

Problems due to Security Debt.

security debt doesn’t just “impede future development” of a project. Instead, an accumulating pile of vulnerabilities puts your organization at a much greater risk of malicious cyber exploits and other problems.

some major problems are:

Data breaches: Threat actors often use vulnerabilities as part of their attacks.

Fines and penalties: If threat actors gain unauthorized access to protected data, companies may have to pay fines or penalties arising from data protection laws.

Business interruption: Service outages mean people can’t access the applications, reducing revenue and productivity.

Loss of organization's reputation: cyber attacks and data breaches will massively tarnish your organization's reputation

Increased development costs: Delaying vulnerability remediation creates a backlog of vulnerabilities that increases overall development costs

Some examples of cyber exploits due to security debt:

  1. One of the most notorious examples is Equifax, the credit reporting giant breached in 2017 because it had failed to patch a known vulnerability in Apache Struts, a popular open-source web application framework. The patch had been available for months. The breach compromised the crucial personal data of more than 147 million people.

    Yet, more than a year later, Open Source Security and Risk Analysis (OSSRA) report showed that of analyzed codebases containing Apache Struts, a third still had the same vulnerability that impacted Equifax.

  2. Snapchat, the popular photo messaging service with over 100 million users, was compromised by hackers in 2014. As a result, over 4.6 million usernames were leaked after the company ignored warnings for months. The disclosure put users at risk once their data was leaked in the wild.

  3. Paypal: A security firm exposed a vulnerability bypassing Paypal’s two-factor authentication

  4. Samsung: NowSecure disclosed a keyboard flaw that impacted 600M Samsung mobile phones

  5. Starbucks: Hackers exploited customers’ accounts via the Starbucks mobile app

How do I get rid of security debt?

The best way to start addressing security debt is to create a thorough inventory of all your software assets—proprietary, commercial, and open source. You also need a software bill of materials, or a list of software components, for each asset you maintain. In short, you can’t protect what you don’t know you have.

Common Vulnerabilities and Exposures (CVE) list maintained by MITRE contains descriptions of publicly known vulnerabilities. It feeds the National Vulnerability Database (NVD), a U.S. government repository of standards-based vulnerability management data that provides additional data about CVEs, including their severity and risk.

While the NVD and CVE don’t cover every vulnerability out there, they can help you practice risk management. Eliminate the biggest risks first and then work your way down to those that still matter but aren’t as dangerous.

The same is true for the OWASP Top 10. While it doesn’t list specific vulnerabilities, it tells you which software weaknesses are most likely to lead to vulnerabilities. This list is particularly useful while a project is still in development. If you can keep weaknesses out of your codebase, you can prevent them from becoming vulnerabilities after release

Adopt DevSecOps approach: Companies are now shifting their development process from DevOps to DevSecOps. This means taking steps to optimize security at every step of the SDLC. Adopting the DevSecOps approach can help enterprises minimize the chances of security debt

What tools and services can I use?

  • A software composition analysis (SCA) tool will help you discover the open source components you’re using so you can mitigate any vulnerabilities they contain and address potential licensing problems.
  • ARA (architecture risk analysis) flags possible structural flaws in a program during the design stage.

  • SAST (static application security testing) uncovers security and quality defects in code during development and build stages.

  • IAST (interactive application security testing) detects vulnerabilities as a program is interacting with external input during testing and QA stages.

  • DAST (dynamic application security testing) continuous web application security testing in production.

  • Fuzz testing “attacks” systems, apps, and services with random, malformed inputs to test their robustness, safety, and security.

  • Penetration testing generally occurs at the end of the SDLC, where white hat hackers see if they can exploit any remaining weaknesses in a program.

That's it.

with this comprehensive article, now you are armed with all the insights that you can use to reduce and eliminate your tech and security debts and live with a peace of mind.

Thanks for Reading.