The False Economy of Security Debt

In today's interconnected digital landscape, our reliance on technology has exponentially increased. With that, so too has the importance of cyber security. The exponential rise in cyber threats and the constantly evolving methods of attack make cyber security not just an IT concern, but a paramount consideration for every individual and organisation. While some may perceive this as an IT challenge, it's actually an opportunity to transform the way we approach technology, building trust and security into every line of code and every digital interaction.

Those of us in Australia remember all too clearly the data breach of Optus, where numerous customers, in their scramble to secure a new driver's license, were left wondering "how this could happen?".

If you are a software developer, however, there is a good chance your immediate thought was not “how could this happen?”, but “thankfully it wasn't my team - this time”. We know it's a matter of when, not if. Security is usually the afterthought when writing software: it's the work that gets dropped when sales-driven deadlines rise up to derail roadmaps. Even if we care about it, it is never a top priority. It's the tech debt that gets accumulated to be resolved when we are less busy (re: never).  

Kaleida’s skills gap analysis of 2022-23 shows that application security is in the top 2 missing skills in the majority of teams: where software developer’s knowledge and practice of secure coding is “below level”.

‍

Kaleida's 2022-23 analysis shows application security is a top-2 skill gap: with many developers "below level" in secure coding.

‍

And yet, we know trading off security-debt is a false economy. The State of DevOps research demonstrates that teams who practice secure coding techniques are better able to protect customer’s data and respond quickly to attacks, and are faster at implementing changes for new regulatory requirements, such as GDPR. This is good for the top line, as it builds trust with customers and maintains the company's positive reputation. Dev teams that establish these security practices have reduced developer burnout, and deliver more market value, instead of sinking time into responding to inevitable security incidents. 
‍

What does ‘shifting left’ on security look like?

“Shifting Left” refers to moving security concerns earlier in your system development life cycle, instead of it being the final step when it is harder to change things. Implementing secure coding practices means dev teams are considering security from the design phase, right through to release and monitoring: no longer testing for vulnerabilities just before something is deployed to production, or worse, when reacting to an incident.

Where there is a security team, they are consulted on the architectural design before a line of code has been written, and help to test and approve third-party tools and libraries.

Teams include static analysis and other vulnerability detection in their development and CI/CD pipelines.

Everyone in the team is trained on handling Personal Identifiable Information (PII) and understands common security vulnerabilities.
‍

This does not have to be done to the detriment of delivering value: teams with the best security practices also tend to be those who deliver faster and more frequently as well. 

To find out more about how your secure coding practices stack up, talk to Kaleida.  

‍