Two in three CISOs believe that technical debt, the gap between what a project needs and what is finally deployed, is a significant cause of security vulnerabilities, according to the 2021 Voice of the CISO report, sponsored by Proofpoint.
Most technical debt is created by taking shortcuts while placing crucial aspects such as architecture, code quality, performance, usability, and, ultimately, security on hold, says Jeff Williams, CTO of application security platform provider Contrast Security. “Many large organizations are carrying tens or hundreds of thousands of discovered but unremediated risks in their vulnerability management systems,” he explains. “In many sectors there’s this insidious idea that underfunded security efforts, plus risk management, are almost as good as actually doing the security work required, which is dangerously wrong.” It’s an approach that exposes enterprises and their partners to significant harm, Williams says.
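The backlog Williams describes, discovered but unremediated findings sitting in a vulnerability management system, can be measured rather than guessed at. The following is an added example, not code from the article or from Contrast Security: it takes a constructed export of findings, applies an assumed per-severity remediation SLA, and reports how much of the backlog is past its deadline and by how many days. The SLA values, the report date and the finding records are all assumptions for illustration.

```python
from dataclasses import dataclass
from datetime import date

# Assumed remediation SLA per severity, in days (illustrative policy, not from the article)
SLA_DAYS = {"critical": 7, "high": 30, "medium": 90, "low": 180}

# Assumed "as of" date for the report
REPORT_DATE = date(2021, 7, 1)


@dataclass(frozen=True)
class Finding:
    finding_id: str
    severity: str      # one of the keys in SLA_DAYS
    discovered: date   # date the scanner or pentest first reported it
    status: str        # "open" or "closed"


# Constructed sample export from a vulnerability management system
SAMPLE_FINDINGS = [
    Finding("F-001", "critical", date(2021, 5, 1), "open"),
    Finding("F-002", "high", date(2021, 3, 15), "open"),
    Finding("F-003", "medium", date(2021, 6, 20), "open"),
    Finding("F-004", "low", date(2020, 9, 1), "open"),
    Finding("F-005", "critical", date(2021, 6, 25), "closed"),
    Finding("F-006", "high", date(2021, 6, 10), "open"),
]


def overdue_days(finding: Finding, today: date) -> int:
    """Days the finding has been open beyond its SLA; 0 if closed or still within SLA."""
    if finding.status != "open":
        return 0
    age = (today - finding.discovered).days
    return max(0, age - SLA_DAYS[finding.severity])


def security_debt_report(findings, today: date) -> dict:
    """Per severity: open findings, how many are past SLA, and the summed overdue days.

    The summed overdue days are the "interest" on the debt: they grow every day
    a finding stays open past its deadline, even if no new findings arrive.
    """
    report = {sev: {"open": 0, "overdue": 0, "overdue_days": 0} for sev in SLA_DAYS}
    for f in findings:
        if f.status != "open":
            continue
        entry = report[f.severity]
        entry["open"] += 1
        late = overdue_days(f, today)
        if late > 0:
            entry["overdue"] += 1
            entry["overdue_days"] += late
    return report


def total_overdue(report: dict) -> int:
    """Number of open findings past SLA across all severities."""
    return sum(entry["overdue"] for entry in report.values())


def run_sample() -> dict:
    """Build the report for the constructed sample as of REPORT_DATE."""
    return security_debt_report(SAMPLE_FINDINGS, REPORT_DATE)


if __name__ == "__main__":
    report = run_sample()
    for sev, entry in report.items():
        print(f"{sev:9} open={entry['open']} overdue={entry['overdue']} "
              f"overdue_days={entry['overdue_days']}")
    print("total past SLA:", total_overdue(report))
```

Run against a real export, the same two numbers, findings past SLA and cumulative overdue days, make a useful trend line: a flat finding count with rising overdue days means the backlog is aging, which is exactly the quiet accumulation Williams warns about.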
Minimizing technical debt’s security impact begins by understanding the various ways poorly executed projects can open the door to intruders and attackers, and how discovered vulnerabilities can be quickly and safely sealed. Here are seven ways technical debt can become a problem for a CISO.
1. Dodgy software
Technical debt is an overused term, says Rahul Telang, a professor of information systems at Carnegie Mellon University’s Heinz College of Information Systems and Public Policy. “Basically, it means that you’ve borrowed something to get the product out, and now you have to pay the debt,” he explains. “It’s not hard to imagine that unless you pay your debt quickly, you’re increasing the security risk.”