Technical debt poses a cybersecurity risk

October 5, 2022

Why does “technical debt” matter? Terumi Laskowsky, an instructor at Pluralsight’s DevelopIntelligence, explains the basics in this interview.

What is technical debt?

TL: I’ll start with the original definition before discussing modern usage.

Agile Manifesto co-author Ward Cunningham popularized the term “technical debt” He compared creating new software to taking out a loan (debt).

Create a cutting-edge product. There are many unknowns, so trial and error is inevitable. In the face of uncertainty, make the best decisions you can. You use what works to improve the code. Repaying a loan is like improving programming with experience. Yes, it’s liberating.

Technical debt has changed since Cunningham’s time. Most firms today link technical debt with bad coding. Poor code increases tech debt.

Is the quest for speed-to-market causing more technical debt?

Focusing on frequent releases often leads to sloppy coding. Send it off.

Today’s technical debt can accumulate this way. Due to new features and enhancements, developers may not have time to fix old code. Unless a consumer complains or the product fails, a team may elect to disregard faults.

Why would a corporation later develop clean code if they didn’t initially?

Without fixing the code, the debt will grow. It earns interest. This “interest” could materialize as angry customers or a low market share because your product lags behind the competition.

How does technical debt affect security?

To meet performance requirements, organizations often release programs with glaring security issues.

Vulnerabilities are flaws that could compromise data, systems, or a brand’s reputation. IT security risks are the consequences for an organization if an attacker exploits these flaws.

Businesses and developers must balance speed, usability, and security. Priorities conflict.

What if product security makes it harder to use? Security, usability, or function Working in the government or a strongly regulated area increases security. Usability and functionality often trump security for others.

What happens if a company prioritizes speed over security? Speed in cars is deadly.

A corporation can develop clean code while compromising security. Security and clean code are necessary.

Who is responsible for application security?

Software development teams rarely prioritize security. They may think it’s someone else’s fault or that issue will be addressed later in software development. Programmers often innovate. Often, they aren’t security experts. Software engineers must be trained to write secure code.

Every software development team must review a requirements document. This paper explains the software’s functional requirements and other vital but opaque characteristics (non-functional requirements such as security).

Many companies don’t teach their programmers about early security failures or define extensive security criteria at the project’s start.

What security issues can technical debt cause?

TL;DR: The most frequent cause of problems is security measures in the code or system. NISTE, the National Institute of Standards and Technology (NIST).

To lessen any risk, security precautions have been put in place. If these controls are missing or implemented incorrectly owing to a “we’ll do it better later” mentality, the firm may be held liable for failing to conduct due diligence and good governance to protect the systems and data of its stakeholders.

IT experts debate the differences between “bolt on” and “built in” security. A product cannot have security features that are later added. It needs to be implemented right away. The more you ignore or put off focusing on security, the harder it is to achieve it afterwards.

The best technique to make the code secure is to refactor (redo) it to fix any vulnerabilities. If not, security issues would persist. An analogy for applying a bandage to a serious wound is doing so as a “fix.” The bandage only buys you some time till you can see the doctor; it does not repair the injury.

Your emphasis on speed may end up costing you more than the value you thought you were obtaining if you had to go back and redo something.

How can business leaders help reduce technical debt?

To be able to raise concerns about technical debt, corporate leaders must have a thorough understanding of what it is, how it is created, and any potential security repercussions. This is due to the growing connection between technology risk and commercial risk.

You’re probably accruing technical debt if your organization places a high priority on automation and speed. You should therefore verify that the debt is reasonable.

With the right kind of technical debt, your company’s speed and agility will increase. The incorrect kind of technical debt can unnecessarily raise your company’s security risk. The business priorities you prioritize determine the behaviors that keep technical debt under control—or, conversely, allow it to expand.

The C-suite must work with the CISO to guarantee that everyone involved in a software project, including developers, has the most recent security information. Have you provided secure coding training for your programmers? Are you trying to use as much automated security testing as you can in your CI/CD process to enforce security best practices?

Prioritizing IT security is necessary, and the C-suite must set the right example for programmers. Leaders will encourage developers to follow them. If you choose speed over security and code quality, your organization’s cybersecurity risk may rise.

Leave a Reply

Your email address will not be published. Required fields are marked *