Don't Panic

Andrew Hoog's blog on mobile security, forensics, programming and photography

Security Debt is the New Technical Debt

What is Technical Debt?

Technical debt is a popular term within the software industry. First coined by well-known programmer Ward Cunningham, technical debt is a metaphor that explains the long-term burden developers and software teams incur when taking shortcuts.

ThoughtWorks’ Martin Fowler sums up the point well:

“Doing things the quick and dirty way sets us up with a technical debt, which is similar to a financial debt. Like a financial debt, the technical debt incurs interest payments, which come in the form of the extra effort that we have to do in future development because of the quick and dirty design choice. We can choose to continue paying the interest, or we can pay down the principal by refactoring the quick and dirty design into the better design.”

A New(ish) Term

While the term technical debt has become common, recent security news has me thinking of a new term: security debt. For example, Snapchat, the popular photo messaging service with over 100 million users, was compromised by hackers in 2014. As a result, over 4.6 million usernames were leaked after the company had ignored warnings for months. The breach put users at risk once their data was out in the wild.

You don’t have to look far to find other leading companies that have faced mobile vulnerabilities:

Security debt, the lack of proper testing techniques and security preparedness, creates long-term costs that companies are merely deferring to the future. Security fails in the short term and the costs snowball in the long term.

Software developers need to improve security testing as part of their development life cycle. Paying for it now prevents paying for it in the future. We see this continually in mobile: companies aren’t paying enough up front for security or following best practices when building mobile apps.

The Vulnerabilities Add Up

These vulnerabilities highlight the fact that users, and the enterprises they are a part of, carry immense risk when companies lack the security preparations needed in today’s connected world. While the company that creates the app can incur costs from fixing the problem, providing credit monitoring services, suffering reputational damage or even facing regulatory action, individuals are the ones fighting for months to repair their identity. Enterprises whose intellectual property is stolen pay even more dearly.

Far too often, we see companies growing security debt instead of paying it down in the short term. As highlighted above, proper testing and organizational awareness can cost far less than the risky alternatives.