5 ways to pay your technical debt back

Technical debt accumulates if you don’t build security in throughout your development cycle. Here’s how to pay off old debt and stop creating new debt.

Benjamin Franklin once said there were only two things certain in life: death and taxes—unless you’re responsible for information security, of course. In that case, you can add a third: technical debt. However, instead of discussing the general concept of technical debt, let’s talk about:

  • Three areas where you incur technical debt
  • Five ways you can start paying it back

3 areas where you incur technical debt

  1. Application. If left unresolved, application debt, which resides in the software package, can lead to poor user experience, security vulnerabilities and costly maintenance.
  2. Infrastructure. Infrastructure debt resides in the operating environments. This debt can lead to compliance violations (HIPAA, PCI) and the inability to scale with customer demand or company growth.
  3. Architecture. This debt, which resides in the design of the entire system, can lead to needlessly complex systems. Connecting previously secure systems to new, insecure ones creates flawed systems that cannot sustain innovation.

In the security context, technical debt has accumulated from years of developing software with little or no emphasis on building security into the process. Security is often seen as a technical burden that slows development. Because of this, teams often omit even the most basic security practices throughout the SDLC in order to make release dates. This is not a trivial problem. Some organizations have taken the drastic step of rewriting applications where the debt became so severe it could not be repaid.

5 ways to pay down your technical debt

Here are five things you can do to reduce the creation of new debt and even begin to pay off existing debt.

1. Make security a priority

Ignoring a problem doesn’t make it go away. Your organization needs to make a commitment to security. This means creating and empowering a software security group (SSG) that owns the integration of security into the development process.


2. Identify and consolidate your debt

If you only make minimum payments, you’ll never pay down your principal. To make a dent in your technical debt you need to determine what applications exist and what risks they pose. Once you’ve done this you can start prioritizing risks for remediation and begin paying down your debt.


3. Commit to secure design

Make a commitment to secure design and architecture. Skipping this step effectively creates technical debt before you even write your first line of code.


4. Never stop learning

Developers must be educated in secure development practices. There is a reason why the same well-known vulnerabilities continue to show up in code and why applications are increasingly being compromised by well-known attack vectors.


5. Shift testing to the left

Organizations can’t wait until the end of the SDLC to start security testing. Waiting until the end negatively affects productivity and often results in detected vulnerabilities being ignored because there is no time left to fix them.


While death and taxes are unavoidable, we still take measures to prepare for and limit both. The same is true of technical debt. Understanding how technical debt is incurred allows your business to build a proactive strategy that reduces the creation of new debt and pays back the debt you have already incurred.


Jim Ivers

Jim Ivers is the senior director of marketing within Synopsys' Software Integrity Group where he leads all aspects of SIG's global marketing strategies, branding initiatives, and programs, as well as product management and product marketing. Jim is a 30-year technology veteran who has spent the last ten years in IT security. Prior to Synopsys, Jim was the CMO at companies such as Cigital, Covata, Triumfant, Vovici, and Cybertrust, a $200M security solutions provider that was sold to Verizon Business. Jim also served as VP of Marketing for webMethods and VP of Product Management for Information Builders.
