Letting financial debt get out of control can be very dangerous.
Making the required minimum payments on a credit card each month keeps the debt collectors away, but it doesn't solve the underlying issue: interest keeps accumulating, and every kind of debt that accrues interest creates bigger problems the longer it is left unpaid.
Unfortunately, there is a kind of debt in business IT – security debt – that can cause major risk and that accumulates in a similar way to personal debt. For the purpose of this article, I understand security debt as software flaws that are not fixed for longer than a year. If these flaws are not fixed, over time the debt keeps growing, making it easier for attackers to exploit the wide range of vulnerabilities.
Research found that seven out of 10 organisations have some level of security debt, and nearly 50% of all firms have high-severity, persistent flaws, also known as ‘critical’ security debt. Thankfully, despite the gloomy numbers, there are ways to significantly reduce an organisation’s security debt.
How did we get here?
Before we delve into how to reduce security debt, it is important to reflect on how we got here. The main reason behind the mounting security debt is that organisations are not prioritising well enough and therefore not focusing on fixing the flaws that pose the greatest risk: the critical ones.
Application age and size play a significant role in the accumulation of security debt. We have repeatedly observed a recency bias in the way developers fix security flaws: the more time that passes after a flaw first appears, the lower the chance it will ever be fixed. Recent research found that 42% of all flaws roll over to become security debt, so the older the app, the higher the debt accumulation.
Application size is also key. As the codebase of most applications grows over time, size and age go together, so it is only logical that larger applications also carry more older, unremediated flaws. Large applications therefore have the highest proportion of security debt, with 40% of them having security debt and 47% having critical debt. And while it is not always the youngest and smallest apps that have the least debt, older monolithic applications present the greater challenge.
Flaws in open-source third-party code tend to become security debt slightly faster than flaws in first-party code. What's more, third-party flaws tend to emerge continuously as new vulnerabilities are discovered by security researchers. This means that, unless organisations keep their libraries up to date, applications will accumulate more and more risk as time passes, even if nothing has been added to the codebase.
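The definition used in this article (a flaw left unfixed for more than a year is security debt; a high-severity flaw that has persisted that long is critical security debt) and the age, size and third-party factors above can be turned into a repeatable measurement over your own scanner output. The following is an added example, not code from the article or from Veracode: it classifies a constructed list of findings per application, splits the resulting debt into first-party and third-party code, and computes the share of flaws that rolled over into debt. The finding fields, severity labels and sample data are assumptions made for illustration, not the layout of any real scanner export.

```python
"""Measure security debt from scanner findings, using the article's
definition: open for more than a year = security debt; high-severity and
open that long = critical security debt.  Field names, severity labels and
the sample findings are constructed for this example."""
from collections import defaultdict
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional

DEBT_AGE = timedelta(days=365)            # the article's threshold: unfixed for over a year
HIGH_SEVERITIES = {"critical", "high"}    # assumption: what counts as "high-severity"


@dataclass(frozen=True)
class Finding:
    finding_id: str
    app: str
    severity: str          # e.g. "critical", "high", "medium", "low"
    source: str            # "first-party" or "third-party" (open-source dependency)
    first_seen: date       # date the scanner first reported the flaw
    fixed: Optional[date]  # date the fix was confirmed, or None if still open


def is_open(f: Finding, as_of: date) -> bool:
    return f.fixed is None or f.fixed > as_of


def is_debt(f: Finding, as_of: date) -> bool:
    """Still open, and open for longer than DEBT_AGE as of the given date."""
    return is_open(f, as_of) and (as_of - f.first_seen) > DEBT_AGE


def is_critical_debt(f: Finding, as_of: date) -> bool:
    return is_debt(f, as_of) and f.severity.lower() in HIGH_SEVERITIES


def debt_report(findings, as_of: date) -> dict:
    """Per-app counts: open flaws, security debt, critical debt, and the
    first-/third-party split of that debt."""
    report = defaultdict(lambda: {"open": 0, "debt": 0, "critical_debt": 0,
                                  "debt_first_party": 0, "debt_third_party": 0})
    for f in findings:
        if not is_open(f, as_of):
            continue                      # fixed flaws are no longer debt
        row = report[f.app]
        row["open"] += 1
        if is_debt(f, as_of):
            row["debt"] += 1
            key = "debt_third_party" if f.source == "third-party" else "debt_first_party"
            row[key] += 1
            if is_critical_debt(f, as_of):
                row["critical_debt"] += 1
    return dict(report)


def rollover_rate(findings, as_of: date) -> float:
    """Share of flaws old enough to judge (first seen more than a year before
    as_of) that were not fixed within a year, i.e. rolled over into debt."""
    eligible = [f for f in findings if f.first_seen + DEBT_AGE < as_of]
    if not eligible:
        return 0.0
    rolled = [f for f in eligible
              if f.fixed is None or f.fixed > f.first_seen + DEBT_AGE]
    return len(rolled) / len(eligible)


# Constructed sample data: two applications, a mix of ages, severities and sources.
AS_OF = date(2025, 6, 1)
SAMPLE_FINDINGS = [
    Finding("F-1", "billing", "high", "first-party", date(2023, 3, 10), None),
    Finding("F-2", "billing", "medium", "third-party", date(2024, 1, 15), None),
    Finding("F-3", "billing", "low", "first-party", date(2025, 2, 1), None),
    Finding("F-4", "billing", "critical", "first-party", date(2023, 5, 1), date(2023, 7, 1)),
    Finding("F-5", "portal", "critical", "third-party", date(2024, 4, 20), None),
    Finding("F-6", "portal", "high", "first-party", date(2024, 9, 1), None),
    Finding("F-7", "portal", "medium", "first-party", date(2023, 1, 1), date(2024, 6, 1)),
]

if __name__ == "__main__":
    for app, row in sorted(debt_report(SAMPLE_FINDINGS, AS_OF).items()):
        print(app, row)
    print(f"rollover rate: {rollover_rate(SAMPLE_FINDINGS, AS_OF):.0%}")
```

Run against a real export, the report shows where the critical debt sits and how much of it lives in dependencies that a library upgrade, rather than a code change, would clear; the rollover rate is the figure to track release over release, because it moves only when fixing keeps pace with finding.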
Another major factor contributing to an organisation’s compounding debt is the increased use of generative AI to write code – a practice that will only increase over time, with Gartner predicting 75% of enterprise software engineers will use AI code assistants by 2028. Using AI is not a problem in and of itself; AI-generated code is not inherently less secure than human-generated code, but it’s also not more secure. The problem is an over-reliance on AI and the erroneous assumption that it will automatically produce properly functioning, flaw-free code. Large Language Models used to generate code are often trained on insecure open-source projects and other publicly available code, meaning AI-generated code can be insecure as well. Failure to vet this code properly adds to an organisation’s security debt over time and may even accelerate security debt as AI helps developers code faster than ever.
It is also important to note that security debt is not solely the result of mismanagement, poor decisions, or failure to execute. Time and resource pressures mean developers and product managers must decide which flaws to fix and which to let lie.
AI vs AI
Thankfully, innovation is slowly lifting the pressure on development teams. New technologies like AI, when implemented with appropriate safeguards, mean developers need not leave so many flaws unaddressed, or have their time and resources spread so thinly. AI has already fundamentally changed the paradigm of future business. Although it may seem counterintuitive given the risks described above, we are in an age where we need to consider fighting AI with AI.
Let's consider the role that AI should play in both creating and safeguarding our software. AI can make the dream of accelerating code fixes a reality; however, it is up to us to harness its power responsibly.
AI-driven tools, particularly those based on GPT models with supervised training on curated security-specific datasets, excel at cybersecurity tasks. These models can provide highly reliable flaw remediation suggestions, ensuring that vulnerabilities are addressed promptly and effectively. However, it is crucial that any tool handling source code, especially for security purposes, maintains the highest standards of data integrity and security.
Incorporating AI into the software development lifecycle not only enhances efficiency but also has the potential to fortify the security posture of applications. By identifying and addressing vulnerabilities early, development teams can deliver robust, secure software that meets the ever-evolving demands of the digital landscape.
Introducing AI to tackle security debt
Being aware of a flaw is not the same as fixing it. That is why frequent code scans do not always correlate with less debt. Knowing is only half the battle; the other half is doing something about it.
Continuous scanning must come with continuous fixing, but even the biggest teams with ample resources typically do not fix all their flaws. The problem has grown beyond the ability of humans alone to manage it, so AI-powered tools are becoming necessary. Despite fears from many that it could be a threat to security, the truth is Artificial Intelligence is increasingly part of the solution to help developers fix more efficiently.
Leveraging AI, developers can shift security left in the development cycle, meaning they identify and fix vulnerabilities as they write code. This proactive approach allows organisations to detect and address potential security risks at an earlier stage, reducing the likelihood of costly and time-consuming issues later down the line.
Building a safer future
AI will continue to revolutionise the way we approach technology and security in the near future and beyond. Seven out of ten organisations are currently carrying a significant security debt backlog, and with an ever-growing number of vulnerabilities, development teams are going to need all the support they can get to reduce it. Software security in the future will be less about identifying and fixing vulnerabilities; more of the focus will instead be on preventing software vulnerabilities from making it into the code in the first place. Technologies like AI can make code fixes much faster, particularly if the software has been trained to work alongside developers as an aid that suggests secure fixes at scale. Being able to ensure secure code at scale will be life-changing for developers struggling with capacity constraints to tackle security debt, and not just the most critical kind.
About the Author
John Smith is EMEA Chief Technology Officer at Veracode. Veracode is a global leader in Application Risk Management for the AI era. Powered by trillions of lines of code scans and a proprietary AI-assisted remediation engine, the Veracode platform is trusted by organizations worldwide to build and maintain secure software from code creation to cloud deployment. Thousands of the world’s leading development and security teams use Veracode every second of every day to get accurate, actionable visibility of exploitable risk, achieve real-time vulnerability remediation, and reduce their security debt at scale. Veracode is a multi-award-winning company offering capabilities to secure the entire software development life cycle, including Veracode Fix, Static Analysis, Dynamic Analysis, Software Composition Analysis, Container Security, Application Security Posture Management, and Penetration Testing.