Your Security Debt is Due. Here’s How to Pay it Off 

An acceleration in major supply chain attacks, from SolarWinds to the Microsoft Exchange Server attack to the ransomware spread through Kaseya, should have every developer looking in the mirror and doing some soul-searching. For too long, security debt has been left to accumulate, posing a potential risk to every user and customer.

An analysis by Veracode and the Cyentia Institute found that among 130,000 active applications, 76% had at least one flaw and 24% had high-severity flaws. According to a report by F-Secure and Omnisperience, a whopping 72% of CISOs surveyed say adversaries are moving faster than their security teams, and 69% admit that adversaries have improved their attack capabilities within the last year and a half.

Security debt remains so persistent because it’s time-consuming and inconvenient to fix. Security teams aren’t brought into the development process early enough and resolving security issues remains a largely reactive pursuit. To make any real progress against the tide of security debt, we need a new approach.

Paying Down Security Debt

Just like any financial situation, security debt can get out of control quickly if it’s not organized, recorded and addressed.

Capture, prioritize, execute

Whether each application has its own risk register or you have a centralized risk register across multiple applications, it can be hard to understand dependencies. If you close one security gap, does that fix issues with several applications? Should you address a segment of the debt with the highest interest rate? Is the gap specific to a single application? By properly organizing and recording the debt you have, you can more easily prioritize it.

From there, you can prioritize debt in a few different ways. First is by risk: which debt puts your organization most at risk? It makes sense to tackle the riskiest vulnerabilities first – these are the ones that are most likely to leave you and/or your customers the victim of a cyberattack.

Another strategy is to be opportunistic and tackle security debt when development teams are already touching a certain part of the application. Business enablement is another consideration. By paying down specific debt, you may be able to enable the development team to move faster or meet specific customer needs.

While these strategies can help make progress against security debt, they’re ultimately just mitigating fixes; short-term solutions that, in the end, are just a series of band-aids. We need a way to scale those efforts to pay down debt fast enough to make a meaningful dent.

An IaC Opportunity

As more development teams adopt infrastructure-as-code (IaC), they’re moving faster than security can keep up. Fortunately, they’re also able to address security debt more easily.

By codifying the entire application architecture in IaC, developers don’t have to manually update the network, storage, compute and other cloud resources. By changing lines of code, they redesign the entire application. This helps significantly reduce the cost of making architectural changes.

Fundamentally, the cloud and IaC have allowed developers to quickly and consistently make changes to the application architecture and even automate those changes. This same automation can help development teams quickly address their backlog of security debt and scale their efforts to the urgency of the task without doubling back to refactor every application. Using automation to identify and remediate bad patterns in your IaC can help you quickly address security debt across your application portfolio.

Prevent Security Debt 

Security teams’ lack of involvement during early stages of development is one of the leading ways that security debt builds up. By the time they’re able to offer input, it’s too late to start over, and mitigating measures are often difficult to implement. With IaC, your security best practices can be incorporated directly into the application architecture as it is being built. By automating security from the start, it’s part of the very design of the application. Automation can also help teams quickly address any inherent gaps or vulnerabilities in cloud service provider capabilities by updating the IaC when cloud service providers release updates or new features so that your applications are as secure as possible.

Security debt has been the elephant in the room for years. Given the acceleration of third-party attacks, it’s no longer an option to ignore or delay the necessary fixes. Fortunately, IaC allows the kind of speed and automation we need to make meaningful progress in paying down debt.

Avatar photo

Aakash Shah

Aakash Shah is the co-founder and CTO of oak9. Before oak9's founding, Aakash spent 17 years working in a wide range of roles. In his past roles, he focused on building & evolving information security practices, developing security strategies & architectures, conducting cutting-edge research, building security products, contributing to industry standards, and teaching information security courses.

aakash-shah has 1 posts and counting.See all posts by aakash-shah