How AppSec debt hurts your company – and how to make it stop
For all the renewed focus and effort around cybersecurity, it is still the first thing that gets sidelined whenever companies are forced to reevaluate their priorities. Do this often enough, and you will find yourself building up a security debt that will present its bill sooner or later. This post examines the concept of AppSec debt in web application security: how it creeps in, why it’s harmful, and how to deal with it.
Your Information will be kept private.
Stay up to date on web security trends
Your Information will be kept private.
What is technical debt in application development?The concept of technical debt is as old as engineering itself. Whenever you put off making necessary technical improvements in favor of ongoing work, whether in an industrial plant or software development organization, you are accumulating technical debt that you will eventually have to deal with. For example, a software company might have a flagship application based on an aging core framework that creates more and more problems with each release. A modern framework is planned, but the company is committed to putting out a new release every six months and cannot spare the resources to develop and deploy the framework and then migrate the application to it. The legacy framework is the company’s technical debt. Unless replaced in a controlled way, that rusty old framework will eventually fail in one way or another and cause serious problems, maybe even delaying the next release until a new framework is finally deployed. Now imagine the problem is not performance or functionality but security – and you have AppSec debt.
5 sources of AppSec debtApplication security debt can come in many shapes and sizes, sometimes creeping in on multiple levels at once. While this is definitely not an exhaustive list, here are (in no particular order) five causes of security backlog bloat.
#1: Outdated componentsWith the manic pace of web application development, some security-related tradeoffs are often unavoidable in the short term. For instance, you might not have the time or resources to upgrade and reintegrate a crucial external library that is known to have a vulnerability in a function that you’re not currently using. In the short term, that’s not a security risk – but if you leave it for too long, someone might eventually use that vulnerable function, or attackers may find other vulnerabilities. That deferred upgrade is one form of web AppSec debt.
#2: Vulnerabilities coming in too fastEndless vulnerability backlogs are another form of AppSec debt, with many organizations being forced to choose which security defects they need to fix now and which they must risk leaving for later. This is usually caused by working with test results that need time-consuming manual verification or having inefficient remediation workflows, with developers and security engineers forced to spend more time on investigating what to do than actually doing it. Combined with the fact that vulnerabilities are often introduced faster than they can be addressed due to insufficient education about secure development practices, this leaves companies resigned to always having a backlog.
#3: Insufficient visibilityA similar dilemma applies to entire application environments – if you don’t have a way of testing and securing every single web asset, you are also building up security debt. Most organizations don’t test all their public web assets simply because they don’t know about some of them, but even for known sites, they often need to choose where to assign their limited resources. That way, critical assets are kept secure while many (if not most) websites and applications are left untested or unfixed, again contributing to the security debt.
#4: Inadequate or ineffective toolingAdding insult to injury, security tools themselves can contribute to the backlog. It is common for organizations to invest in tools that don’t deliver immediate security value because they need weeks if not months of integration work to deliver meaningful results – and until then, they are another drag on limited human resources. Worse still, misconfigured or simply low-quality tools can aggravate the whole situation by piling false alarms onto the backlog, in effect making security worse instead of improving it.
#5: Reliance on blocking instead of fixingIf you have a web application firewall (WAF), the standard way of dealing with a critical vulnerability is to temporarily block it on the firewall until a fix is ready. However, faced with too many exploitable vulnerabilities that they don’t have the resources to fix on time, companies can become overly reliant on their WAFs and start treating vulnerability blocking as a permanent rather than temporary solution. Every vulnerability that is patched on the firewall but not fixed in the application is another pebble added to your mountain of AppSec debt.
4 ways that AppSec debt hurts your organizationLike any other type of debt, AppSec debt usually creeps up on you slowly, with minor issues gradually adding up to an overwhelming backlog. In some cases, though, you can also wake up one day to discover you’re suddenly in debt and expected to deal with it, for example if web application security was never a priority for the organization – but now it is because you just had a breach. No matter how it arises, AppSec debt is always harmful in at least four crucial ways:
- Security risk: Putting off security improvements for later always increases risk. Whether it’s vulnerable components, application security defects, or assets waiting to be tested, as long as you are forced to choose what to secure, you are increasing the risk of cyberattacks with all their consequences.
- Financial drain: Dealing with a never-ending backlog is a case of running very fast just to stay in one place. Many organizations are caught in a vicious circle where they are pumping resources into security with no visible improvements – but also can’t afford to stop doing it. Unsurprisingly, many start seeing application security as all cost for no benefit, which makes it even harder to break out of the whole cycle.
- Frustration and burnout: Stuck in the middle of the AppSec debt dilemma are the security engineers, testers, and developers who actually work through the backlog. For security professionals in particular, unreliable results and tedious manual tasks that make very little difference to overall security are frustrating and can contribute to burnout.
- Obstacle to innovation: When you’re burdened by security debt, AppSec can seem like an anchor that is forever hindering innovation and sapping resources that could otherwise fuel growth. With that security backlog weighing on every decision, it’s no wonder that so many organizations see security as an obstacle to innovation.