Technical debt poses a cybersecurity risk

Technical debt poses a cybersecurity risk

Are you trying to understand what “technical debt” is and why it matters? In this succinct interview, Terumi Laskowsky, an instructor at DevelopIntelligence, a Pluralsight company, explains the fundamentals and talks about the ramifications for business executives.

What is technical debt?

TL: I’ll start with the term’s original definition before moving on to how people use it today.

The Agile Manifesto co-author Ward Cunningham, who coined the phrase “technical debt,” defined it using a financial allegory: Moving ahead to create a new software application is like taking out a loan (debt).

Consider creating a product with a cutting-edge technology. There are a lot of unknowns, and there will be some trial and error. In the face of uncertainty, you make the best decisions you can with the information you now have. You use the knowledge you gain about what’s working and what isn’t to make the code better. Paying back the loan is like improving the code as you gain experience. This is a liberating idea, right?

But since Cunningham’s initial conception, technical debt has taken on other forms. Most businesses today associate technical debt with code that has known flaws and inefficiencies. You are allowing tech debt to increase if you leave that poor code in place.

Is the quest for speed-to-market causing more technical debt?

TL: Cutting corners with code quality is frequently the outcome of a focus on quick, frequent releases. Let’s just send it on its way.

Technical debt (by today’s standards) may accumulate in this manner. It’s possible that developers won’t have time in their schedules to correct code from prior releases since they need to finish new features and enhancements. A team may decide to ignore flaws rather than “spend” time on fixes unless a customer complains about the product or it flat-out fails.

Why would a company take the time to produce clean code later if they don’t make the time to do it initially?

If you don’t go back and fix the code, the debt will continue to accumulate. Interest is being paid on it. This “interest” could manifest in a variety of ways, such as unhappy consumers or a low market share because your product falls short of what the competition is providing.

How does technical debt affect security?

TL: Organizations frequently release code that has obvious security flaws in order to satisfy performance targets.

Any flaw that potentially result in the compromising of data, systems, a brand’s reputation, etc. is known as a vulnerability. The possible repercussions a company can experience if an attacker is successful in exploiting these vulnerabilities are referred to as IT security risks.

Businesses and developers must strike a balance between the need for speed and the considerations of functionality, usability, and security. These priorities, however, clash.

What if a product’s security features make it more difficult to use? the winner security, usability, or functionality Security is more likely to prevail if you work in the government or a sector that is heavily regulated. But for everyone else, usability and functionality far too frequently take precedence over security.

What will happen if a corporation doesn’t put security first and instead has a culture of “must move fast, therefore let’s put it in later”? Speed is lethal, just like with cars.

Another crucial point is that a company might produce clean code while yet compromising security. Both clean code and a security emphasis are required.

Who is responsible for application security?

TL: Security is still often considered a secondary concern by software development teams. They can believe that it is the fault of someone else or that it will be dealt with at a later stage in the life cycle of software development. A programmer’s typical task is to invent new things. Frequently, the person is not an expert in security. Software engineers must receive secure coding principles training in order to write code with security in mind.

Every software development team must also consult a requirements document as they create the final product. This document outlines the specifics of what the software must be able to perform (functional requirements), together with other essential but potentially obscure aspects (non-functional requirements such as security).

Although an early security failure can pose a serious danger to the business, many firms do not teach their programmers this information or establish thorough security requirements at the commencement of the project.

What security issues can technical debt cause?

TL: Security controls in the code or system are the most typical source of issues. the National Institute of Standards and Technology (NIST).

Security measures are in place to reduce any risk. Because of a “we’ll do it better later” mentality, if these controls are absent or inadequately implemented, the business may be held accountable for failing to exercise due diligence and good governance to safeguard the systems and data of its stakeholders.

The distinction between “bolt on” and “built in” security is discussed by IT professionals. Security is not a feature that can be added after the fact to a product. It must be integrated from the beginning. It is more difficult to get security correctly afterwards the more you disregard or postpone focusing on it.

Refactoring (redoing) the code to address any vulnerabilities is the best way to make it secure. Otherwise, security problems would continue. A bandage on a deep wound is analogous to tacking something on top as a “fix.” The bandage doesn’t treat the damage; it just buys you some time to get to the doctor.

If you have to go back and rework, your emphasis on speed may end up costing you more than the benefit you thought you were gaining.

How can business leaders help reduce technical debt?

TL: It’s critical for all business leaders to have a clear understanding of technical debt—what it is, what generates it, and the possible security implications—so that you feel empowered to raise questions about it. This is because more and more business risk is linked to technological risk.

If speed and automation are valued in your company, you’re probably racking up technical debt. Therefore, you should confirm that the debt is reasonable.

Your business’s speed and agility will rise with the correct kind of technical debt. The wrong kind of technical debt can unnecessarily increase the security risk to your firm. Discuss this difference as a leadership team. The behaviors that keep technical debt under control—or, alternatively, enable it to explode—are driven by the business priorities you prioritize.

The C-suite must assist the CISO in ensuring that software project participants, including developers, have the most up-to-date security knowledge. Have you given your programmers secure coding training? Are you aiming to enforce security best practices with your CI/CD process by incorporating as much automated security testing as you can?

IT security needs to be prioritized, and the C-suite needs to set the correct example for developers. What leaders reward, developers will follow. Your organization’s cybersecurity risk may increase if you choose speed over security and code quality.

Total Views: 36 ,
By Master James

Leave a Reply

Your email address will not be published. Required fields are marked *

Related Posts