Wade Baker, Ph.D.’s Post

As always, Cyentia cuts straight to the most important insights. 

Veracode recently released their latest edition of their State of Software Security report. Cyentia Institute has analyzed the massive dataset underpinning this research series for several editions, and we had that privilege once again this year. I'd like to share one of my favorite charts from that report. One of the primary challenges in #appsec is dealing with technical debt. Security debt is a subset of that which includes security flaws that persist in the codebase for long periods of time. How common is that? The attached figure categorizes all flaws identified across the entire codebase of the typical organization into four quadrants. The horizontal separation is between critical and non-critical security flaws. The vertical axis divides flaws that are currently debt (older than 1yr) vs. those that aren’t (yet). Close to two-thirds (64%) of all flaws are neither debt nor critical severity. We’re not saying ignore those (or they’ll eventually become debt), but remediation of those flaws can be deferred in favor of those that represent greater risk. The same can be said for non-critical debt, which accounts for another 21% of all flaws. Thus, 85% of flaws across your applications don’t deserve top priority from your development team. Instead, focus their finite remediation capacity on the 3% of flaws that constitute critical debt. Once they’ve tackled those, focus them on fixing the remaining 12% of critical flaws so they never become debt in the first place. I'll explore whether that's a realistic goal based on flaw remediation capacity in a future post. Download the full report here: https://lnkd.in/eMSgPcs8 #devsecops #softwaredevelopment #applicationsecurity #softwaresecurity

This could be your Biggest Cyber Risk? Legacy IT Debt While companies invest in modern cybersecurity like zero trust architectures, the real ticking time bomb is their accumulation of legacy IT systems and technical debt. Estimated at $1.52 trillion to remediate, this decaying codebase of obsolete programming languages and insecure applications carries immense risk. From the high-profile systems meltdown at Southwest Airlines to major breaches at tech giants, we've seen the catastrophic consequences of neglecting technical debt. Yet businesses remain distracted, prioritising new features over securing their crumbling foundations. The awkward truth is our most critical systems - banking, government, defense, etc. - are held together by outdated code like COBOL, often poorly documented with nobody understanding its intricacies. These arcane applications bristle with unpatched vulnerabilities that cyber criminals are actively exploiting. Businesses are burying their heads in the technical sand at their own peril. While shiny new zero trust implementations grab attention, it's the $1.52 trillion legacydebt weighing down their cyber defenses. From operational resilience to national security, this lingering technical debt poses an existential crisis we can't afford to ignore. It's time to look past the bright lights of the latest cyber tools and confront the silent menace of antiquated IT ecosystems. Your biggest vulnerability might be what you've overlooked for decades. Prioritising strategic modernisation to erase technical debt could be the difference between cyber resilience and a devastating breach. Credit for goes to Lawrence Munro and his great Cyber news letter for sharing the article #legacysystems #technicaldebt #cyberriskmanagement https://lnkd.in/eKUEhzib

Accumulating security debt poses a serious—and often unseen—threat to organizations that will likely continue to grow with the greater use of AI and third-party code. Veracode CTO Chris Wysopal dives into how to mitigate your security debt in DEVOPSdigest:

Great article from WSJ with some alarming insights on technical debt. Technical debt exposes organizations to many software vulnerabilities which led to dozens of hacks in the past 12 months and it costs the U.S. $2.41 trillion a year in cybersecurity and operational failures. Plus it can stifle innovation and growth. To get a handle on this you need to have clear observability of your entire IT estate. One way to do it is with #Kyndryl Bridge https://lnkd.in/eaDgX88t which offers a unified platform to inventory & prioritize technical debt across your IT landscape. It can help automate tedious tasks and standardize coding practices for effective debt reduction. It can help to facilitate collaboration and track progress with real-time insights. If you're looking to reduce your technical debt and unlock business growth, you may want to investigate Kyndryl Bridge. #digitaltransformation #technicaldebt #kyndryl #theheartofprogress

Technical debt describes the accumulation of quick fixes and outdated systems within a company’s IT infrastructure. Often overlooked, tech debt can lead to system failures, slower innovation, and security breaches. Failure to address tech debt not only impacts finances and innovation but also poses security risks, as sophisticated adversaries can exploit vulnerabilities in outdated systems. Want an easy way to start addressing tech debt? Adopt well designed and maintained SaaS systems rather than adding more Franken-features to older systems. #saasproduct #techdebt #itinfrastructure #security https://lnkd.in/gvTMkMK8

Accumulating security debt poses a serious—and often unseen—threat to organizations that will likely continue to grow with the greater use of AI and third-party code. Veracode CTO Chris Wysopal dives into how to mitigate your security debt in DEVOPSdigest.

Accumulating security debt poses a serious—and often unseen—threat to organizations that will likely continue to grow with the greater use of AI and third-party code. Veracode CTO Chris Wysopal dives into how to mitigate your security debt in DEVOPSdigest.

Accumulating security debt poses a serious—and often unseen—threat to organizations that will likely continue to grow with the greater use of AI and third-party code. Veracode CTO Chris Wysopal dives into how to mitigate your security debt in DEVOPSdigest.

•While some use AI as a “bug light” of distraction, core infrastructure systems are being under invested •Looming around the corner is a layer of technical debt that is already hindering enterprise growth goals •Legacy systems need to be optimized, applications rationalized and core systems invested in (eg cyber)