How AI-powered remediation can help tackle security debt


Financial debt, if left unchecked, can spiral out of control quickly. Simply making the minimum payments on a credit card or avoiding debt collectors doesn’t solve the root problem. Instead, interest continues to build, compounding the issue over time.

Software security has an analogous concept: “security debt”. Security debt refers to known software flaws, typically found by application security testing, that remain unresolved for longer than a year. Much like financial debt, the longer these vulnerabilities go unaddressed, the more they accumulate, leaving businesses exposed to significant risk.

Research reveals that 74% of organizations have some level of security debt, and half are carrying high-severity vulnerabilities that have gone unresolved for over a year, commonly referred to as ‘critical’ security debt. Despite these concerning statistics, organizations can take actionable steps to reduce their security debt.

John Smith, EMEA Chief Technology Officer at Veracode.

Understanding the roots of security debt

To effectively reduce security debt, it’s important to first understand how it builds up. One major factor is a lack of prioritization: organizations that treat every finding alike, or work through a backlog in the order it was reported, fail to focus on remediating the most critical vulnerabilities first.

The age and size of applications also significantly contribute to security debt. Studies show a strong correlation between the age of an application and the likelihood that flaws will go unresolved. Nearly two fifths of all critical security debt is found in older applications (over 3.4 years old), meaning the older the application, the higher the chances of flaws accumulating.

Application size compounds the issue. As codebases grow, so does the volume of unresolved flaws. Large applications often carry the highest proportion of security debt, with 40% having unresolved flaws and 47% dealing with critical debt. While smaller or newer applications aren’t immune to security debt, older and larger monolithic systems typically present the greatest challenges.
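The definitions above (a flaw becomes security debt once it has been open for more than a year; high-severity debt is “critical” debt) are easy to turn into a measurement over your own scan export, and the same data gives the prioritized fix order the previous section says is so often missing. The script below is an added example, not code from the article or from Veracode; the findings, application names, the as-of date and the choice to count both “high” and “critical” severities as critical debt are constructed assumptions for illustration.

```python
"""Measure and prioritise security debt from a vulnerability-scan export.

Added example. The Finding records below are constructed sample data,
not output from any real scanner.
"""
from __future__ import annotations

from dataclasses import dataclass
from datetime import date
from typing import Iterable

DEBT_AGE_DAYS = 365                          # article: unresolved for longer than a year
CRITICAL_SEVERITIES = {"critical", "high"}   # assumption: both count as "critical" debt


@dataclass(frozen=True)
class Finding:
    app: str
    flaw_id: str
    severity: str
    first_found: date
    resolved: date | None = None             # None means still open


def age_days(f: Finding, as_of: date) -> int:
    return (as_of - f.first_found).days


def is_open(f: Finding, as_of: date) -> bool:
    return f.resolved is None or f.resolved > as_of


def is_debt(f: Finding, as_of: date) -> bool:
    # Strictly more than a year: a flaw exactly 365 days old is not yet debt.
    return is_open(f, as_of) and age_days(f, as_of) > DEBT_AGE_DAYS


def is_critical_debt(f: Finding, as_of: date) -> bool:
    return is_debt(f, as_of) and f.severity.lower() in CRITICAL_SEVERITIES


def summarize(findings: Iterable[Finding], as_of: date) -> dict[str, dict[str, int]]:
    """Per-application counts of open flaws, debt, critical debt and oldest open flaw."""
    report: dict[str, dict[str, int]] = {}
    for f in findings:
        if not is_open(f, as_of):
            continue
        s = report.setdefault(f.app, {"open": 0, "debt": 0, "critical_debt": 0, "oldest_days": 0})
        s["open"] += 1
        s["debt"] += int(is_debt(f, as_of))
        s["critical_debt"] += int(is_critical_debt(f, as_of))
        s["oldest_days"] = max(s["oldest_days"], age_days(f, as_of))
    return report


def prioritize(findings: Iterable[Finding], as_of: date) -> list[str]:
    """Fix order: critical debt first, then other debt, then newer flaws; oldest first within each."""
    open_findings = [f for f in findings if is_open(f, as_of)]
    ranked = sorted(
        open_findings,
        key=lambda f: (not is_critical_debt(f, as_of), not is_debt(f, as_of), -age_days(f, as_of)),
    )
    return [f.flaw_id for f in ranked]


# Constructed sample export: one old monolith, one young service.
AS_OF = date(2025, 3, 1)
SAMPLE_FINDINGS = [
    Finding("billing-monolith", "F-1", "high", date(2023, 1, 15)),                      # 776 days, critical debt
    Finding("billing-monolith", "F-2", "medium", date(2023, 9, 1)),                     # 547 days, debt
    Finding("billing-monolith", "F-3", "critical", date(2022, 6, 1), date(2024, 2, 1)), # resolved, ignored
    Finding("billing-monolith", "F-4", "low", date(2025, 1, 20)),                       # 40 days, open
    Finding("new-service", "F-5", "high", date(2024, 12, 1)),                           # 90 days, open
    Finding("new-service", "F-6", "medium", date(2024, 2, 15)),                         # 380 days, debt
    Finding("new-service", "F-7", "high", date(2024, 3, 1)),                            # exactly 365 days, not debt
]

if __name__ == "__main__":
    for app, s in summarize(SAMPLE_FINDINGS, AS_OF).items():
        print(f"{app}: {s}")
    print("fix order:", prioritize(SAMPLE_FINDINGS, AS_OF))
```

Run against a real export, the per-application `debt` and `critical_debt` counts are the numbers to track release over release; the `prioritize` order is what a team should work from rather than ticket creation order.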

Another contributing factor is the use of third-party and open-source code. Vulnerabilities in third-party libraries are disclosed on an ongoing basis, so an application that pins old versions and is never rebuilt accumulates known, exploitable flaws without a single line of its own code changing; unless these libraries are updated regularly, the risk only grows. Additionally, the rise of generative AI in coding exacerbates the issue. Gartner predicts that by 2028, 75% of enterprise developers will use AI code assistants.

While AI-generated code isn’t inherently less secure than human-written code, it often carries risks. Many Large Language Models (LLMs) used to generate code are trained on large bodies of public open-source code, which includes plenty of insecure examples, so the model can reproduce those patterns in its suggestions; the result is vulnerabilities unless the generated code is vetted with the same scanning and review applied to human-written code. An over-reliance on AI without proper oversight can accelerate the accumulation of security debt.

It’s also worth noting that security debt isn’t necessarily the result of poor decision-making or mismanagement. Time and resource constraints often force developers to make difficult choices about which flaws to address and which to defer.

Harnessing AI to combat security debt

Fortunately, advances in AI give development teams a practical way to reduce security debt. AI-driven remediation tools, particularly those trained on curated datasets of vulnerable code paired with verified secure fixes rather than on raw public code, can propose accurate fixes for the flaws a scanner has already identified. These tools enable developers to address security risks more efficiently, provided the proposed fix is still reviewed, re-scanned and tested before it is merged.

AI allows developers to “shift security left” in the software development lifecycle, identifying and resolving issues as they write code. This proactive approach minimizes the likelihood of costly vulnerabilities arising later in the development process, saving valuable time and resources. Additionally, by incorporating AI, organizations can better manage the growing volume of flaws, tackling both critical and less severe security debt.

Frequent code scanning remains essential, but without actionable remediation, it is not enough. AI bridges this gap by enabling continuous fixing alongside continuous scanning. By automating parts of the remediation process, AI helps teams overcome resource constraints and ensures that vulnerabilities are addressed before they become significant liabilities. Despite initial concerns about AI’s role in security, it is clear that using it responsibly is key to mitigating security debt effectively.

A future with AI

As AI continues to reshape the technological landscape, its impact on security is set to grow. With seven out of ten organizations already facing significant backlogs of security debt and vulnerabilities on the rise, development teams will need all the help they can get to stay ahead.

The future of software security will place greater emphasis on prevention. Rather than solely focusing on identifying and fixing flaws, the priority will be to prevent vulnerabilities from entering the codebase in the first place. AI has the potential to accelerate this shift by enabling scalable, secure fixes and supporting developers in tackling not only critical security debt but also the broader spectrum of unresolved flaws.

By working with AI responsibly and strategically, organizations can build a safer, more secure digital future while giving developers the tools they need to address security debt effectively.


This article was produced as part of TechRadarPro's Expert Insights channel where we feature the best and brightest minds in the technology industry today. The views expressed here are those of the author and are not necessarily those of TechRadarPro or Future plc. If you are interested in contributing find out more here: https://www.techradar.com/news/submit-your-story-to-techradar-pro
