What is security debt?

What causes security debt? Adam Boland of SES explores the implications of mounting security debt and how you can remedy it.

Security Debt

What is security debt?

Security debt refers to the accumulation of unpatched vulnerabilities in your software which make it harder to defend your organisation against cyber threats.

Security debt and technical debt are similar in that if you don’t pay off your debt, you’ll end up paying off just the interest and not the principal debt. However, security debt doesn’t just hold up future developments of a project, the accumulation of vulnerabilities in your software exponentially increases the risk that your organisation will suffer future attacks.

Recently, a credit reporting giant was successfully breached as it failed to patch a known vulnerability. The patch in question had been available for months when the company was attacked. The breach compromised the personal data of more than 147 million people.

What causes security debt?

There are numerous causes of security debt, with some of the most common examples including:

  • developers failing to thoroughly test software applications throughout the development process
  • pressures to finish the project can be so great that software applications can be rushed out with the intent to fix known vulnerabilities later
  • the fixing of vulnerabilities keeps getting pushed back in favour of further development of the application and its features, increasing the existing security debt

How do you eliminate security debt?

Whilst fixing vulnerabilities during your development process is the most cost-effective way of reducing security debt, it can also be reduced after launch - though this can be costly in both time and money.

You can only protect what you know you have, so a good starting point to address your security debt is to create a thorough inventory of all your software assets – proprietary and open source. You also need a software bill of materials, or a list of software companies for each asset you maintain.

While the National Vulnerability Database (NVD) and Common Vulnerabilities and Exposures (CVE) list do not cover every vulnerability out there, they can help you practice risk management. Eliminate the biggest risks first and then work your way down to those that still matter but aren’t as dangerous.

The same is true for the OWASP Top Ten. While it does not list specific vulnerabilities, it tells you which software weaknesses are most likely to lead to vulnerabilities. This list is particularly useful while a project is still in development. If you can keep weaknesses out of your codebase, you can prevent them from becoming vulnerabilities after release.

How do you prevent security debt?

Once you’re out of debt, you should work to stay out of debt. A software composition analysis (SCA) tool will help you discover the open source components you’re using so you can mitigate any vulnerabilities they contain and address potential licensing problems.

Consider each of these software security testing tools and services for your toolkit:

  • ARA (architecture risk analysis) flags possible structural flaws in a program during the design stage
  • SAST (static application security testing) uncovers security and quality defects in code during development and build stages
  • IAST (interactive application security testing) detects vulnerabilities as a program is interacting with external input during testing and QA stages
  • DAST (dynamic application security testing) finds vulnerabilities in running web applications during testing and release stages
  • fuzz testing “attacks” systems, apps, and services with random, malformed inputs to test their robustness, safety, and security
  • penetration testing generally occurs at the end of the SDLC, where white hat hackers see if they can exploit any remaining weaknesses in a program

About the author

Adam Boland is an Account Director at SES and has 18 years’ experience protecting businesses continuity with Software Escrow and Cyber Security protection. SES protect over 2,500 Software Developers, IP Owners, Distributors and End Users in over 40 countries across the world.

See also

Phishing: What is it and how can you protect your business?

Penetration testing: how to protect your business against cyber threats

An introduction to Software Escrow

Find out more

National Vulnerability Database (NVD)


Image: Getty Images

Publication date: 4 October 2021

Any opinion expressed in this article is that of the author and the author alone, and does not necessarily represent that of The Gazette.