Buried under security debt? Here’s how to dig yourself out to improve security posture

Security debt, like all technical debt, slows software production and also increases risk. The good news is that once you understand your threat landscape, you can start paying down that debt. Invicti’s Dan Murphy shows why you shouldn’t put this off.

Debt is a drag. It introduces unnecessary risk and holds you back from achieving freedom in life. Financial debt makes it more difficult to qualify for loans, buy homes, and save for your future. On the security side of the house, debt is just as detrimental to growth and to security posture: application security (AppSec) debt, a type of technical debt, comes with the same costs as monetary debt, namely stifled innovation and greater risk.

Security debt is the accumulated backlog of known-but-unfixed flaws, hasty workarounds, and insecure design choices that make a system harder to change or build upon safely. In short, it is debt that prevents you from taking the necessary steps to grow your business securely, and because it widens your attack surface, it can even contribute to company-shaking breaches. That’s bad news.

The risks and repercussions of looming security debt

Although the total price tag of a data breach is notoriously difficult to estimate, a breach costs, on average, around $4.35 million. The lasting impacts on financial growth and internal employee confidence are real, and they stem from long-lived problems like security debt. Dan Murphy, Distinguished Architect at Invicti, knows the consequences that can follow when organizations don’t pay attention to glaring issues like unresolved technical debt.

“When security debt comes due, developers and security personnel are the ones upon whom it crashes down,” he explains. “Oftentimes, developers live with the burden of knowing many ways that the systems they work on can be exploited, but they lack the time and resources to fix the problems.” This feeds a vicious cycle: anxiety over unresolved security issues, a security posture that never improves, and overworked teams.

Incidents that result from poor security posture only add to the existing debt and increase risk down the road. Left unchecked, debt becomes an unnecessary stress point for security and development teams alike, as the mounting backlog holds them back from effective remediation and hampers their ability to build more innovative (and secure) web applications.

A strategic solution to help improve security posture

Security debt hits developers and security professionals alike, and the stress compounds as the backlog grows. It slows development while unchecked issues pile up, and it can come back to bite teams after deployment, because the applications they ship carry that existing debt with them.

What causes security debt in the first place? The source can vary:

  • Rushing to push code to production without scanning everything first or implementing the right security checks.
  • Upgrading tools and processes while leaving critical dependencies behind, which stalls modernization.
  • Working in siloed teams that don’t share information or close the knowledge gaps needed to improve security posture.
  • Choosing tools that lack accuracy and automation – the key drivers for continuously improving security posture.

Adding more fuel to the fire, the longer security debt lingers, the more detrimental it can become – especially when open-source code is in the mix. Murphy explains, “Old debt tends to be dangerous when it comes to third-party components. Over time, more bad guys know about a key vulnerability, exploits become more readily available, and toolchains that automate the attack start to proliferate.”

That means technical debt can easily become a source of stress for DevSecOps teams. It gets harder (and more expensive) to fix as people change seats and knowledge is lost. Reducing debt a little every month is the best way to avoid compounding interest and get ahead of those costly breaches. Here’s how to get started.

Step 1: Know and secure your entire attack surface

There’s an adage in AppSec that rings true for every organization: you can’t secure what you don’t know about. Your threat landscape is likely much larger than you realize, with components and dependencies floating in the ether and contributing to lingering debt. 

By understanding your entire attack surface, it’s easier to discover where debt is hiding so that you can come up with a plan of attack. That’s especially important as developers work faster than ever before, generating debt and eroding security posture as they race to meet deadlines. Ultimately, it comes down to visibility:

“Giving developers access to modern cloud-based tools has allowed tremendous productivity gains – it is possible to use infrastructure-as-code to orchestrate a whole fleet of virtual machines in a few minutes,” Murphy says. “But all that automation also makes it possible to leave a trail of orphan machines that are unloved and unpatched, waiting to be exploited. Knowing what you have deployed is absolutely vital to creating any plan to reduce technical debt.”

One of the key ways to achieve this is continuous asset discovery paired with a software bill of materials (SBOM). Asset discovery gives you an inventory of every deployed web asset that could be a point of attack; the SBOM tells you which components and versions each of those assets is built from, so a vulnerable library can be located and updated everywhere it ships rather than only where someone remembers it. With a complete web inventory and a clearer view of the software supply chain, organizations have a better handle on their attack surface, can spot where debt is concentrated, and can keep new debt from accumulating unnoticed.

Step 2: Prioritize remediation with a customized strategy

Every organization is different and has unique risks to manage, which makes intelligent prioritization even more critical. When approaching technical debt, organizations need to take into account what their specific threat landscape looks like, which applications and components pose the greatest risk, and which fixes they can deliver most efficiently.

“When approaching debt, it is important to perform risk assessment and triage,” Murphy says, noting the criticality of good strategy around prioritization. “Not all critical vulnerabilities are the same – with infinite resources we’d of course fix them all, but that isn’t usually the case for most organizations.”

Because of this, Murphy underscores that security teams should give priority to business-critical systems whose vulnerabilities have been proven exploitable by a reliable dynamic application security testing (DAST) tool. A confirmed exploit from an accurate scan not only enables more strategic prioritization but also provides evidence up the chain that efforts to reduce security debt are worth it – and paying off.
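The two steps above fit together mechanically: the inventory from Step 1 (one SBOM per deployed application) is what you match against advisories, and the triage from Step 2 (proven-exploitable, business-critical systems first) is how you order the hits. The script below is an added illustration, not Invicti’s code or any tool described on this page. The SBOMs, the advisory feed, the criticality ratings and the set of DAST-confirmed findings are all constructed for the example; the component names and advisory IDs are fictional.

```python
"""Inventory-driven triage of security debt: read a CycloneDX-style SBOM for
each deployed application, match its components against an advisory list,
and rank the hits so that DAST-confirmed issues on business-critical systems
come first. All data in this file is constructed for the example."""
import json
from typing import NamedTuple

# Constructed SBOMs, one per deployed application (CycloneDX JSON shape,
# trimmed to the fields this example reads). Component names are fictional.
SBOMS = {
    "billing-portal": json.dumps({
        "bomFormat": "CycloneDX", "specVersion": "1.4",
        "components": [
            {"type": "library", "name": "webfw", "version": "5.1.0"},
            {"type": "library", "name": "jsonparse", "version": "2.9.3"},
        ],
    }),
    "marketing-site": json.dumps({
        "bomFormat": "CycloneDX", "specVersion": "1.4",
        "components": [
            {"type": "library", "name": "webfw", "version": "5.1.0"},
            {"type": "library", "name": "imagelib", "version": "1.4.0"},
        ],
    }),
    "internal-wiki": json.dumps({
        "bomFormat": "CycloneDX", "specVersion": "1.4",
        "components": [
            {"type": "library", "name": "webfw", "version": "5.4.0"},
            {"type": "library", "name": "jsonparse", "version": "2.9.3"},
        ],
    }),
}

# Constructed advisory feed (IDs are fictional): affected component, first
# fixed version, and whether a public exploit exists, since old debt in
# third-party components gets more dangerous as exploit tooling spreads.
ADVISORIES = [
    {"id": "ADV-0001", "component": "webfw", "fixed_in": "5.3.2", "exploit_public": True},
    {"id": "ADV-0002", "component": "jsonparse", "fixed_in": "2.10.0", "exploit_public": False},
    {"id": "ADV-0003", "component": "imagelib", "fixed_in": "1.5.0", "exploit_public": True},
]

# Business criticality per application (3 = revenue-bearing, 1 = low impact).
CRITICALITY = {"billing-portal": 3, "internal-wiki": 2, "marketing-site": 1}

# (application, advisory) pairs that a DAST scan confirmed as exploitable.
DAST_CONFIRMED = {("billing-portal", "ADV-0001")}


class Finding(NamedTuple):
    app: str
    advisory: str
    component: str
    version: str
    dast_confirmed: bool
    criticality: int
    exploit_public: bool

    def rank_key(self):
        # Higher tuple sorts first: proven exploitable, then business impact,
        # then whether attackers already have ready-made tooling.
        return (self.dast_confirmed, self.criticality, self.exploit_public)


def parse_version(v: str) -> tuple:
    """Dotted numeric version string -> comparable tuple, e.g. '5.3.2' -> (5, 3, 2)."""
    return tuple(int(p) for p in v.split("."))


def match_sbom(app: str, sbom_json: str) -> list:
    """One Finding per (component, advisory) pair whose shipped version is
    older than the advisory's fixed version."""
    sbom = json.loads(sbom_json)
    findings = []
    for comp in sbom.get("components", []):
        for adv in ADVISORIES:
            if adv["component"] != comp["name"]:
                continue
            if parse_version(comp["version"]) >= parse_version(adv["fixed_in"]):
                continue  # already at or past the fix: no debt here
            findings.append(Finding(
                app=app, advisory=adv["id"], component=comp["name"],
                version=comp["version"],
                dast_confirmed=(app, adv["id"]) in DAST_CONFIRMED,
                criticality=CRITICALITY.get(app, 0),
                exploit_public=adv["exploit_public"],
            ))
    return findings


def triage(sboms: dict) -> list:
    """Match every SBOM in the inventory and return findings, most urgent first."""
    findings = [f for app, bom in sboms.items() for f in match_sbom(app, bom)]
    return sorted(findings, key=Finding.rank_key, reverse=True)


if __name__ == "__main__":
    for f in triage(SBOMS):
        flag = "DAST-confirmed" if f.dast_confirmed else "unconfirmed"
        print(f"{f.app:16} {f.component}@{f.version:7} {f.advisory} crit={f.criticality} {flag}")
```

Two things worth noticing in the output. The same vulnerable webfw 5.1.0 ships in two applications, and it is the inventory, not tribal knowledge, that surfaces both copies; without the marketing-site SBOM that second instance would stay as unnoticed debt. And the single DAST-confirmed finding lands at the top regardless of how the rest are scored, which is exactly the evidence Murphy says you want when arguing up the chain for remediation time.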

Step 3: Automate everything to save time (and sanity) 

Automation does more than take care of everyday tedious tasks. In AppSec, automation saves time and reduces stress, and when it’s coupled with accuracy, teams spend less time verifying results or remediating a breach and more time building innovative applications.

Noting how easily DevSecOps teams can become overwhelmed, Murphy reminds us that the very knowledge of looming security debt can cause unnecessary stress and lead to manual work. “Whether there is an out-of-date library that you know you should really patch, or a poor handling of a parameter you have that bad feeling about, each of those tiny items of debt presents a potential weekend lost to an incident, or many, many hours wasted in a meeting poring over the details of a breach.”

With accurate automation at the helm, the guesswork is eliminated: teams don’t have to wonder what to fix first, and nobody has to carry the unresolved backlog around outside working hours. And as prioritization becomes easier, so does paying down the debt that threatens to hold teams back from innovation.

Start moving towards reducing your security debt

Feeling stressed and stifled by a mountain of debt? Watch our webinar to see how you can translate technical debt into a positive business experience and turn the tide on your security posture.