7 ways technical debt increases security risk

Two in three CISOs believe that technical debt, the difference between what’s needed in a project and what’s finally deployed, to be a significant cause of security vulnerability, according to the 2021 Voice of the CISO report, sponsored by Proofpoint.

Most technical debt is created by taking shortcuts while placing crucial aspects such as architecture, code quality, performance, usability, and, ultimately, security on hold, says Jeff Williams, CTO of application security platform provider Contrast Security. “Many large organizations are carrying tens or hundreds of thousands of discovered but unremediated risks in their vulnerability management systems,” he explains. “In many sectors there’s this insidious idea that underfunded security efforts, plus risk management, are almost as good as actually doing the security work required, which is dangerously wrong.” It’s an approach that exposes enterprises and their partners to significant harm, Williams says.

Minimizing technical debt’s security impact begins by understanding the various ways poorly executed projects can open the door to intruders and attackers, and how discovered vulnerabilities can be quickly and safely sealed. Here are seven ways technical debt can become a problem for a CISO.

1. Dodgy software

Technical debt is an overused term, says Rahul Telang, a professor of information systems at Carnegie Mellon University’s Heinz College of Information Systems and Public Policy. “Basically, it means that you’ve borrowed something to get the product out, and now you have to pay the debt,” he explains. “It’s not hard to imagine that unless you pay your debt quickly, you’re increasing the security risk.”

Telang notes that CISOs should realize that every software development project will go through stages where the code has to be refactored over time to address potential security gaps. The CISO must have a structure in place to detect possible issues prior to deployment, he says, because it’s easy to miss when the product is already being used.

Ryan Davis, CISO of NS1, a DNS and traffic management technologies developer, believes that software-created technical debt carries the greatest business security risk. “This includes items that are derived from outside the organization, such as languages, third-party libraries, and other components built into software, as well as first-party code written by in-house developers,” he says.

Software ages over time, and patches are periodically issued to address bugs and security issues. Eventually, though, all software reaches an end-of-life stage when it’s no longer supported by the originator. Unfortunately, in some instances, it may be difficult to sunset a current software product because its developer has either abandoned the offering or gone out of business. When this happens, continuing to operate the legacy software risks creating a dangerous technical debt, since invaders and attackers may have discovered new ways to exploit the software. The result can be devastating. “We have seen many real-world examples of how the security posture of a single company’s software can impact thousands of organizations worldwide,” Davis says.

2. Weak governance

Strong governance is essential to prevent technical debt from becoming a security problem. David Chaddock, a director in business and IT consulting firm West Monroe’s cybersecurity practice, believes it’s important to ensure that an asset’s full lifecycle is addressed during its initial design and implementation, including the long-term operational costs and support resources needed to reduce the possibility that a system suddenly or gradually becomes a security concern. “This requires that security teams be engaged early and included in the design process,” he says.

3. Poor strategic alignment

A CISO should work within the enterprise to create an understanding of technical debt and develop the right metrics to manage it, suggests Eugene Okwodu, director of cybersecurity solutions at Guidehouse, a global business and IT outsourcing firm. “The CISO should also build-in needed tech refresh costs into their budget,” he adds.

A technical debt frequently emerges when IT and cybersecurity strategies clash. To ensure adequate alignment and resolve the conflict, it may be a necessary to work with an internal project management office (PMO) or engage outside help, Okwodu observes.

4. Neglecting or delaying modernization

In some cases, it may take years before a technical debt becomes apparent. Aging technology, both hardware and software, poses a great security risk, Okwodu says. “Not only is the tech in some instances impossible to replace and repair, it’s usually more interconnected and less understood by current staff,” opening the way to potential security breaches, he explains.

Years, and sometimes decades, of workarounds, updates, upgrades, and merger and acquisition activity can make technical debt especially problematic. “Technical debt that requires expensive system modernization, especially in software systems, coupled with the specialized knowledge less common in today’s workforce, poses a significant security risk to businesses in every industry,” Okwodu says.

5. Failing to adopt sound development practices

DevSecOps is more than just a buzzword. Many security issues can be addressed and controlled when sound development practices are applied. “Insist on proper DevSecOps principles from the onset of development projects and insist on controls that can help visualize metrics in regard to security gaps,” recommends Keatron Evans, principal security researcher at the Infosec Institute, a technology training company.

As programs grow, they typically become more useful and widely used. Yet these attributes can also make security weaknesses harder to fix or mitigate. “The very energy that causes a piece of code to grow and become productive, useful, and valuable also causes overlooked security issues to become more devastating in the long run,” Evans says. DevSecOps automates the integration of security at every phase of the software development lifecycle, effectively preventing an open door from suddenly appearing.

6. Delayed testing

Holding back software security testing until the later stages of development can lead to vulnerabilities that may be difficult, time consuming, and costly to correct. “Delaying testing to the end of the process can lead to massive redevelopment efforts to address security concerns, which can mean loss of profits and a significant increase in development time,” warns Jeremy Dodson, CISO of DevOps consulting service provider NextLink Labs.

Security should be a collaborative effort, Dodson says. “A CISO can be crucial in creating a culture of security within their organization, particularly with the development team,” he says. “A shift in attitude can go a long way toward integrating security measures throughout the design and development process.”

7. Runaway complexity

A leading cause of technical debt is relying on too many development languages, tools, platforms, and frameworks, says Barry Goffe, senior director of platform strategy at low-code app development platform provider OutSystems. “With complexity comes the opportunity for mistakes, and compounding that risk makes it more difficult to identify when those mistakes have occurred,” he says. “Even if issues are identified, complexity makes it harder to fix those vulnerabilities.”

Complexity alone doesn’t guarantee security vulnerabilities, yet it certainly raises the likelihood that they will happen and increases the cost associated with keeping them at bay, Goffe says. “Given that complexity is a leading cause of technical debt, efforts to standardize and simplify application development tools and infrastructure can pay huge dividends toward minimizing the creation of new technical debt,” he adds.

Goffe views technical debt as a risk driver, as well as an anchor holding back both innovation and security. With enterprises scrambling to get back to normal following the pandemic, it’s now time to address the roadblocks and security risks created by years of building fast instead of right or not building for the future. “The more companies tackle technical debt, the less they expose themselves to security risks and the more they maximize their ability to innovate,” Goffe concludes.