Technical debt can lead to serious security problems. You should avoid that. […]
Sloppily developed and delivered projects can cause lasting damage to your company's security posture. This is primarily due to technical debt: the difference between what a project needs and what is ultimately delivered. As the Proofpoint white paper “2021 Voice of CISO” shows, two out of three CISOs believe that technical debt is a major factor in security vulnerabilities.
Technical debt is usually caused by “shortcuts” that treat central aspects of IT projects such as architecture, code quality and usability as a minor matter, says Jeff Williams, CTO at security vendor Contrast Security. “The vulnerability management systems of many large companies house tens of thousands of discovered – but not resolved – security risks. In many industries, there is a crazy misconception that a far too tight budget for security initiatives and a bit of risk management are sufficient: a dangerous mistake that exposes these companies and their partners to great dangers.”
In order to minimize the impact of technical debt on security, CISOs need to understand how poorly run IT projects open the door to cybercriminals. How technical debt becomes a problem for CISOs:
Technical debt is an overused term, according to Rahul Telang, professor of information systems at Carnegie Mellon University’s Heinz College of Information Systems and Public Policy: “Basically, it means that you borrowed something to bring out the product and now you have to pay off the debt,” he explains. “It is not difficult to imagine that the security risk increases if the debt is not quickly repaid.”
CISOs should be aware that every software development project goes through phases where the code needs to be revised to close potential security gaps. The CISO must have a structure in place to identify potential problems before deployment, says Telang, because once the product is already in use, they are easy to overlook.
Ryan Davis, CISO of NS1, believes that the technical debt generated by software itself is the biggest security risk for companies: “This includes elements that come from outside the company, such as programming languages, third-party libraries and other components integrated into the software, as well as first-party code written by internal developers.”
At some point, every piece of software reaches its end-of-life stage and is no longer supported by the manufacturer. Unfortunately, in some cases it can be difficult to phase out a current software product because the developer has either abandoned the product or is no longer in business: “Then there is a risk that the continued operation of the old software creates a dangerous technical debt, as intruders and attackers may have found new ways to exploit it. The result can be devastating. We have seen many practical examples of how the security situation of a single company’s software can affect thousands of organizations worldwide,” says Davis.
Strong governance is essential to prevent technical debt from becoming a security issue. David Chaddock, director at IT consulting firm West Monroe, stresses the importance of considering the entire lifecycle of an asset, including the long-term operating costs and support resources needed to prevent security issues. “This requires involving security teams early in the design process,” says Chaddock.
A CISO should work within the company to create an understanding of technical debt and develop the right metrics to manage it, suggests Eugene Okwodu, director of cybersecurity solutions at Guidehouse: “The CISO should also include the cost of necessary technical updates in their budget. Technical debt often arises when IT and cybersecurity strategies collide. In order to ensure proper coordination and resolve the conflict, it may be necessary to work with an internal project management office (PMO) or seek external assistance.”
In some cases, it may take years before a technical shortcoming becomes apparent. Outdated technology, whether hardware or software, poses an enormous security risk, Okwodu is sure: “Not only is the technology in some cases impossible to replace and repair, it is usually more networked and less understood by current employees, which paves the way for potential security breaches.”
Years and sometimes decades of workarounds, updates, upgrades, and merger and acquisition activities can make technical debt particularly problematic. “Technical debt, which requires expensive system modernization, is a significant security risk for companies in any industry, especially in software systems, combined with the less common specialized knowledge,” says Okwodu.
DevSecOps is more than just a buzzword. Many security issues can be avoided if sound development practices are applied. “Insist on getting DevSecOps right from the start. This includes controls that can help visualize metrics related to vulnerabilities,” recommends Keatron Evans, a senior security researcher at the Infosec Institute.
As programs grow, they usually become more useful and more widely used. But those same characteristics can also make vulnerabilities harder to fix or mitigate: “The very energy that causes a piece of code to grow and become productive, useful, and valuable also makes overlooked security issues more devastating in the long run,” Evans explains. DevSecOps automates security integration at every stage of the software development lifecycle, effectively closing off loopholes for cybercriminals.
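One concrete form of the "metrics related to vulnerabilities" that Evans recommends, and of the "discovered but not resolved" backlog Williams describes, is a remediation-age report: how many findings are open per severity, how old they are, and which ones have outlived their remediation target. The script below is an added example, not code from the article or from any of the companies quoted; the finding records, component names and SLA thresholds are constructed for illustration and stand in for what a scanner or ticketing system would export.

```python
"""Vulnerability-backlog metrics as a measurable proxy for security-relevant technical debt.

Added example. SAMPLE_FINDINGS and SLA_DAYS are constructed values, not data
from the article; in practice they would come from a scanner export and the
organisation's own remediation policy.
"""
from collections import defaultdict
from dataclasses import dataclass
from datetime import date
from typing import Optional

# Hypothetical remediation targets (days) per severity; a policy input, not a standard.
SLA_DAYS = {"critical": 7, "high": 30, "medium": 90, "low": 180}

# Fixed "today" so the demo is reproducible offline.
DEMO_TODAY = date(2021, 10, 1)


@dataclass(frozen=True)
class Finding:
    finding_id: str
    component: str            # third-party library or first-party module
    severity: str             # one of the SLA_DAYS keys
    discovered: date
    resolved: Optional[date] = None

    def is_open(self) -> bool:
        return self.resolved is None

    def age_days(self, today: date) -> int:
        """Days the finding has been open (or was open, if already resolved)."""
        end = self.resolved or today
        return (end - self.discovered).days

    def sla_breached(self, today: date) -> bool:
        """Open and older than its severity's remediation target."""
        return self.is_open() and self.age_days(today) > SLA_DAYS[self.severity]


# Constructed sample backlog: one resolved item, four still open, two in one legacy component.
SAMPLE_FINDINGS = [
    Finding("F-001", "libxml-parser", "critical", date(2021, 9, 1)),
    Finding("F-002", "billing-service", "high", date(2021, 8, 15), resolved=date(2021, 9, 1)),
    Finding("F-003", "legacy-reporting", "medium", date(2021, 3, 1)),
    Finding("F-004", "auth-gateway", "high", date(2021, 9, 20)),
    Finding("F-005", "legacy-reporting", "low", date(2020, 11, 1)),
]


def backlog_metrics(findings, today):
    """Per severity: number of open findings, their mean age, and the IDs past SLA."""
    by_sev = defaultdict(list)
    for f in findings:
        if f.is_open():
            by_sev[f.severity].append(f)

    metrics = {}
    for sev in SLA_DAYS:  # stable order: critical, high, medium, low
        items = by_sev.get(sev, [])
        ages = [f.age_days(today) for f in items]
        metrics[sev] = {
            "open": len(items),
            "mean_age_days": round(sum(ages) / len(ages), 1) if ages else 0.0,
            "sla_breached": sorted(f.finding_id for f in items if f.sla_breached(today)),
        }
    return metrics


def debt_by_component(findings, today, top=3):
    """Rank components by accumulated open finding-days to show where debt concentrates."""
    totals = defaultdict(int)
    for f in findings:
        if f.is_open():
            totals[f.component] += f.age_days(today)
    return sorted(totals.items(), key=lambda kv: kv[1], reverse=True)[:top]


if __name__ == "__main__":
    for sev, m in backlog_metrics(SAMPLE_FINDINGS, DEMO_TODAY).items():
        print(f"{sev:<9} open={m['open']} mean_age={m['mean_age_days']:>6} breached={m['sla_breached']}")
    print("open finding-days by component:", debt_by_component(SAMPLE_FINDINGS, DEMO_TODAY))
```

Tracking finding-days per component, rather than only a raw count, is what makes the "legacy" concentration visible: two medium and low findings sitting for months in one unmaintained module outweigh a single fresh critical, which is exactly the kind of slowly accumulating debt the article warns becomes expensive to pay down.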
Deferring software security testing to the later stages of development can lead to vulnerabilities that are difficult, time-consuming, and costly to fix.
“Delaying testing until the end of the development process can lead to massive redevelopment efforts to address security concerns. This, in turn, can result in lost profits and a significant extension of development time,” warns Jeremy Dodson, CISO of the consulting service provider nextLink Labs.
It is a collaborative effort, Dodson says: “A CISO can make a significant contribution to creating a security culture in your organization, especially when it comes to the development team. Changing attitudes can make a big contribution to integrating security measures into the entire design and development process.”
Barry Goffe, senior director of platform strategy at low-code provider OutSystems, identified the multitude of different development languages, tools, platforms, and frameworks as one of the main causes of technical debt: “With complexity come the mistakes. Even when problems are detected, the complexity makes it harder to fix these vulnerabilities.”
Complexity alone does not guarantee security vulnerabilities, but it increases the likelihood of them occurring and thus the costs associated with their containment, Goffe said: “Given that complexity is one of the main causes of technical debt, efforts to standardize and simplify application development tools and infrastructures can make a major contribution to minimizing the emergence of new technical debt.”
Goffe sees technical debt on the one hand as a risk driver and on the other as a barrier to innovation and IT security. For companies that want to return to normal after the pandemic, it is now time to address the failures caused by years of sluggish or unanticipated development work: “The more companies tackle their technical debt, the less they expose themselves to security risks and the more likely they are to maximize their ability to innovate.”
This post is based on an article from our US sister publication CSO Online.
* John Edwards is a freelance writer.