5 ways to pay down your software security debt

Robert Lemos, freelance writer

Now more than a decade old, the concept of technical debt in software development refers to the accumulated workarounds and poor design choices that are the result of quick fixes that make software harder to extend and improve.

Software security debt has a similar impact on software development, but specifically accounts for the cost of having known, but unmitigated, vulnerabilities in the codebase.

Because software vulnerabilities are least expensive to mitigate during development and most expensive after deployment, companies need to prioritize fixing—or at least mitigating—issues as soon as possible.

Some are having success. About half of applications show a net reduction in vulnerabilities over time, while 20% of applications essentially show no change, according to application-security firm Veracode's most recent "State of Software Security" report.

In 2019, however, only 29% of applications had all of their flaws fixed, while 16% of applications had no flaws fixed, and the rest had vulnerabilities remaining, the report said. Yet paying down security debt is a possible, albeit long, process.

Here are five ways application security and development teams can burn down debt.

1. Pick your approach

Tim Mackey, principal security strategist at Synopsys, said that knowing the security and technical debt will inform how you approach security, performance, and scalability issues.

"It gives an idea of what the latent risk is in the application, because at some point, someone is going to want to move on to rearchitecting the application or designate the application as legacy."
—Tim Mackey

There is no one correct way to deal with software security debt, but there are two camps that teams typically fall into. There is the "under no circumstances will we have any vulnerabilities" camp, and there is the "let sleeping dogs lie" camp, said Synopsys' Mackey.

The first is a zero-debt policy. But if you have 100 vulnerabilities that are discovered by a security scan, and you task your development team to burn down those issues, you incur a cost in lost development time, he said.

Jimmy Rabon, Director of Product Management at Micro Focus' Fortify, said zero-debt was in reach with better communication between teams.

"An application security team's mission should be delivering accurate and timely data to a developer while they are actively developing the feature. This is the key to preventing security issues from being a large part of your overall technical debt."
—Jimmy Rabon

The second approach—of only tackling the major issues—leaves the application potentially open to attack, especially if any issue is found to be more serious in the future.

"It boils down to the structure of your team, and I've seen both of those work well. Part of it depends on the type of issues uncovered. The importance of the application is another major factor, which is where threat modeling comes into play."
—Tim Mackey

2. Out of sight, out of mind

Some 21% of software vulnerabilities are fixed in the first month. Another 9% are fixed in the second month after discovery. Every successive month after that, the chance of a vulnerability getting patched declines steeply.

The overwhelming majority of security issues are older unfixed issues—security debt—that most application-security professionals do not think they will have time to deal with, said Chris Eng, chief research officer at Veracode.

This "recency bias" means that once a vulnerability is pushed down the to-do list, developers are less likely to patch the issue. Developers for only 27% of applications have successfully paid off their security debt. In other words, they've fixed more vulnerabilities in a year than the number discovered by scans, according to Veracode's data.

"Many CISOs take a look at software security debt and they don't believe it's realistic to get rid of it entirely. They would love to do it, but there is a point of diminishing returns."
—Chris Eng

3. Prioritizing vulnerabilities matters

Companies are prioritizing what they fix, and that is a good way to get the most important vulnerabilities patched. More than three-quarters of high-severity flaws are addressed by developers, compared to a fix rate of 56% for all flaws.

While it's important to address all flaws, addressing the most critical issues is a good start.

"We’d like to see more of a PIFO (Priority In, First Out) approach, where any debt that accumulates consists only of inconsequential flaws," the company's report said. "But that's not the way things appear to work in practice. Reality suggests there's a capacity element involved in the debt equation, in addition to prioritization."

4. Consider outsourcing old debt

In 2019, the median time to fix an application vulnerability was about two months, about the same as a decade ago. The mean, however—driven by outlying security issues that remain unfixed for a long time—is nearly three times that.

By drawing a line between net-new and existing debt, companies can remove the burden of old security debt from the responsibility of in-house developers, and instead task outsourced programmers to handle the issues. Then, the company can teach development teams to handle the latest vulnerabilities, require them to complete certain tests before checking in code, and prevent new debt from accruing.

"You are not disrupting the bandwidth of your current teams, but saying, 'From [now] onward, nothing gets shipped with flaws in it.' This approach makes it seem more achievable, like it's something we can actually do, rather than the feeling of doom a developer gets when they are handed a large bucket of flaws."
—Chris Eng

Tracking old debt is also useful because, when the application is refactored or rearchitected, developers can retire that debt outright by removing the code paths that contain the weaknesses.
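The "draw a line" approach above, and the PIFO ordering from step 3, can be made concrete as a small pipeline gate. The following Python script is an added example written for this article, not code from Veracode, Synopsys or Fortify: it records the findings present on the day the line is drawn as a baseline of fingerprints, then on every later scan fails the build only for net-new findings at or above a chosen severity, reports the existing debt as a backlog sorted highest severity first, and notes which baseline entries have disappeared (debt paid down). The scanner output format (dicts with rule_id, severity, file, line and snippet), the baseline file format, the fingerprint scheme and the sample findings are all assumptions constructed for the example.

```python
"""Security-debt ratchet: separate existing debt from net-new flaws.

Added example, not code from the article or from Veracode, Synopsys or
Fortify. The finding format, the baseline format, the fingerprint scheme
and the sample findings below are all constructed for this example.
"""
import hashlib
import json
import re

SEVERITY_RANK = {"critical": 4, "high": 3, "medium": 2, "low": 1}


def fingerprint(finding):
    """Stable identity for a finding: rule, file and whitespace-stripped
    snippet. The line number is deliberately excluded so that unrelated
    edits that shift code up or down do not turn old debt into "new" flaws."""
    snippet = re.sub(r"\s+", "", finding["snippet"])
    raw = f"{finding['rule_id']}|{finding['file']}|{snippet}"
    return hashlib.sha256(raw.encode()).hexdigest()[:16]


def load_baseline(text):
    """Baseline = fingerprints accepted as existing debt when the line was drawn."""
    return set(json.loads(text)["fingerprints"])


def triage(findings, baseline):
    """Split a scan into net-new findings and findings already in the baseline."""
    new, old = [], []
    for f in findings:
        (old if fingerprint(f) in baseline else new).append(f)
    return new, old


def paid_down(findings, baseline):
    """Baseline entries absent from the latest scan: debt that has been paid."""
    return baseline - {fingerprint(f) for f in findings}


def prioritize(findings):
    """PIFO (Priority In, First Out): highest severity first, then by file."""
    return sorted(findings, key=lambda f: (-SEVERITY_RANK[f["severity"]], f["file"]))


def gate(findings, baseline, block_at="medium"):
    """Pipeline gate: fail only on net-new findings at or above block_at.
    Existing debt never blocks a build; it is returned as the backlog to
    burn down, ordered so the worst issues come first."""
    new, old = triage(findings, baseline)
    threshold = SEVERITY_RANK[block_at]
    blocking = [f for f in new if SEVERITY_RANK[f["severity"]] >= threshold]
    return {
        "passed": not blocking,
        "blocking": prioritize(blocking),
        "new_below_threshold": [f for f in new if f not in blocking],
        "existing_debt": prioritize(old),
        "paid_down": paid_down(findings, baseline),
    }


# ---- constructed sample data (not real scanner output) ----
OLD_SQLI = {"rule_id": "sql-injection", "severity": "high",
            "file": "app/orders.py", "line": 40,
            "snippet": 'cursor.execute("SELECT * FROM orders WHERE id=" + oid)'}
OLD_DEBUG = {"rule_id": "debug-enabled", "severity": "low",
             "file": "app/settings.py", "line": 12, "snippet": "DEBUG = True"}
BASELINE_TEXT = json.dumps(
    {"fingerprints": [fingerprint(OLD_SQLI), fingerprint(OLD_DEBUG)]})

CURRENT_SCAN = [
    # the old SQL injection, now 15 lines lower and reformatted: still old debt
    {**OLD_SQLI, "line": 55,
     "snippet": 'cursor.execute( "SELECT * FROM orders WHERE id="  +  oid )'},
    # OLD_DEBUG was fixed, so it no longer appears in the scan
    # net-new high-severity finding: this is what the gate must catch
    {"rule_id": "xss-reflected", "severity": "high", "file": "app/views.py",
     "line": 22, "snippet": "return HttpResponse('Hi ' + request.GET['n'])"},
    # net-new low-severity finding: reported, but below the blocking threshold
    {"rule_id": "weak-hash", "severity": "low", "file": "app/tokens.py",
     "line": 8, "snippet": "digest = hashlib.md5(data).hexdigest()"},
]


def run():
    """Evaluate the constructed scan against the constructed baseline."""
    result = gate(CURRENT_SCAN, load_baseline(BASELINE_TEXT))
    print("build passed:", result["passed"])
    for f in result["blocking"]:
        print(f"  BLOCK net-new {f['severity']}: {f['rule_id']} {f['file']}:{f['line']}")
    print("existing debt (PIFO order):",
          [(f["severity"], f["rule_id"]) for f in result["existing_debt"]])
    print("baseline entries paid down:", len(result["paid_down"]))
    return result


if __name__ == "__main__":
    run()
```

On the sample data the build fails because of the one net-new high-severity finding, the shifted SQL injection is correctly recognized as existing debt rather than a new flaw, and the fixed DEBUG setting shows up as one baseline entry paid down. The design choice worth noting is the fingerprint: keying on line numbers would make ordinary refactoring look like new debt and erode developers' trust in the gate.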

5. More frequent scans drive down debt faster

Companies that regularly scan their applications for security vulnerabilities tend to drive debt down faster. In addition, applications that are scanned more often tend to have less debt overall.

This includes teams that have good habits around scanning, and are doing it frequently, in an automated fashion built into their pipelines, Veracode's Eng said.

"We see correlation between that behavior and less debt. They just have good security hygiene overall."
—Chris Eng

The most important step companies can take is to recognize the problem and get a handle on their security debt.

"You don't want to be kicking the can down the road forever. You want to make sure that you change the process." 
—Tim Mackey

At the end of the exercise, there should be a checkbox and things should be reviewed, he added. "Those point-in-time decisions are what come back to haunt you."
