Tackling software security debt: the role of AI in fixing persistent vulnerabilities

By John Smith, EMEA Chief Technology Officer at Veracode

Ignored security flaws don’t just disappear – they accumulate and create ticking time bombs for businesses. In the IT world, security debt – the accumulation of unresolved software vulnerabilities – mirrors the risks of financial debt, where even the smallest oversights can snowball into significant threats. If left unaddressed, these flaws act as fertile ground for threat actors. As vulnerabilities persist, organisations face escalating risk, where each unresolved issue increases their exposure to exploitation.

Security debt is a pervasive issue, with research revealing 74% of organisations currently carry some level of it, and nearly half have vulnerabilities that are considered critical. While these figures are concerning, there are decisive actions businesses can take to mitigate their security debt and prevent it from escalating further.

From oversight to crisis: how security debt continues to grow

Before we delve into how to reduce security debt, it is important to reflect on how we got here. The main reason behind the mounting security debt is that organisations are not prioritising well enough and therefore are not focusing on fixing the flaws that pose the greatest risk: the critical ones.

Application age and size play a significant role in the accumulation of security debt. We have repeatedly observed a recency bias in the way developers fix security flaws: the more time that passes after a flaw appears, the lower the chance it will ever be fixed. Recent research found nearly two fifths of all critical security debt is found in older applications (over 3.4 years old), meaning the older the app, the higher the debt accumulation.

Application size is also key. As the codebase of most applications grows over time, it is only logical that there is a correlation between age and the accumulation of older, unremediated flaws. Large applications therefore have the highest proportion of security debt, with 40% having unresolved flaws and 47% dealing with critical debt. And while it is not always the youngest and smallest apps that have the least debt, older monolithic applications present a greater challenge.

Flaws in open-source third-party code tend to become security debt slightly faster than first-party code. What’s more, third-party flaws tend to emerge continuously as new vulnerabilities are discovered by security researchers. This means, unless organisations keep their libraries up to date, applications will accumulate more and more risk as time passes, even if nothing has been added to the codebase.

Another major factor contributing to an organisation’s compounding debt is the increased use of generative AI to write code – a practice that will only increase over time, with Gartner predicting 75% of enterprise software engineers will use AI code assistants by 2028. Using AI is not a problem in and of itself; AI-generated code is not inherently less secure than human-generated code, but it’s also not more secure. The problem is an over-reliance on AI and the erroneous assumption that it will automatically produce properly functioning, flaw-free code.

Large Language Models used to generate code are often trained on insecure open-source projects and other publicly available code, meaning AI-generated code can be insecure. Failure to vet this code properly adds to an organisation’s security debt over time and may even accelerate security debt as AI helps developers code faster than ever.

It is also important to note that security debt is not solely the result of mismanagement, poor decisions, or failure to execute. Time and resource pressures mean developers and product managers must decide which flaws to fix and which to let lie.

Reducing the strain with AI innovation

Thankfully, innovation is slowly lifting the pressure on development teams. New technologies like AI, when implemented with appropriate safeguards, mean developers need not leave so many flaws unaddressed – or have their time and resources spread so thinly. AI has already fundamentally changed the paradigm of future business. Although it may seem counterintuitive given the risks described above, we are in an age where we need to consider fighting AI with AI.

Let’s consider the role that AI should play in both creating and safeguarding our software. AI can make the dream of accelerating code fixes a reality; however, it’s up to us to harness its power responsibly.

AI-driven tools, particularly those based on GPT models with supervised training on curated security-specific datasets, excel at cybersecurity tasks. These models can provide highly reliable flaw remediation suggestions, ensuring that vulnerabilities are addressed promptly and effectively. However, it is crucial that any tool handling source code, especially for security purposes, maintains the highest standards of data integrity and security.

Incorporating AI into the software development lifecycle not only enhances efficiency but also has the potential to fortify the security posture of applications. By identifying and addressing vulnerabilities early, development teams can deliver robust, secure software that meets the ever-evolving demands of the digital landscape.

AI-powered remediation: from detection to resolution

Being aware of a flaw is not the same as fixing it. That is why frequent code scans do not always correlate with less debt. Knowing is only half the battle; the other half is doing something about it.

Continuous scanning must come with continuous fixing, but even the biggest teams with ample resources typically do not fix all their flaws. The problem has grown beyond the ability of humans alone to manage it, so AI-powered tools are becoming necessary. Despite fears from many that it could be a threat to security, the truth is Artificial Intelligence is increasingly part of the solution to help developers fix more efficiently.

Leveraging AI, developers can shift security left in the development cycle, meaning they identify and fix vulnerabilities as they write code. This proactive approach allows organisations to detect and address potential security risks at an earlier stage, reducing the likelihood of costly and time-consuming issues later down the line.

Building a resilient future with AI

As technology evolves, the increasing integration and sophistication of AI present a critical opportunity to address the spiralling issue of security debt. With 70% of organisations already grappling with backlogs and vulnerabilities continuing to escalate, AI offers developers the tools to identify and address flaws earlier, with the potential to turn the tide on security debt accumulation.

To tackle this escalating challenge, businesses must go beyond simply identifying vulnerabilities and focus on preventing them from the outset. By strategically integrating AI into the development process, organisations can lay the foundations for a robust and secure digital future while equipping developers with the tools to tackle security debt efficiently.
