Author: John Smith, EMEA Chief Technology Officer at Veracode
Unresolved security flaws are an open invitation for cyberattacks that businesses can no longer ignore. The accumulation of these vulnerabilities, resulting in what’s known as ‘security debt’, can spiral into a losing battle for organisations. The longer these issues persist, the harder they become to fix and the easier they become to exploit.
Many organisations are struggling with security debt, with research showing that nearly three-quarters have unresolved flaws. Worryingly, almost half of these involve flaws considered critical – those that are high-risk, often easy to exploit and could lead directly to cyber-attacks. The risk is clear, but there is a way forward: by taking strategic action, businesses can take control of their security debt and prevent it from escalating into a serious threat.
Understanding the root causes of accumulating security debt
Before we delve into how to reduce security debt, it is important to reflect on how we got here. The main reason behind mounting security debt is that organisations are not prioritising well enough and therefore are not focusing on fixing the flaws that pose the greatest risk: the critical ones.
Application age and size play a significant role in the accumulation of security debt. We have repeatedly observed a recency bias in the way developers fix security flaws: the more time that passes after a flaw appears, the lower the chance it will ever be fixed. Recent research found nearly two-fifths of all critical security debt is found in older applications (over 3.4 years old), meaning the older the app, the higher the debt accumulation.
Application size is also key. As the codebase of most applications grows over time, it is only logical that there is a correlation between age and the accumulation of older, unremediated flaws. Large applications, therefore, have the highest proportion of security debt, with 40% having unresolved flaws and 47% dealing with critical debt. And while it is not always the youngest and smallest apps that have the least debt, older monolithic applications present a greater challenge.
Another major factor contributing to an organisation’s compounding debt is the increased use of generative AI to write code – a practice that will only increase over time, with Gartner predicting 75% of enterprise software engineers will use AI code assistants by 2028. While AI-generated code is not inherently less secure than human-generated code, there is an over-reliance on AI and the erroneous assumption that it will automatically produce properly functioning, flaw-free code. The reality is that the Large Language Models used to generate code are often trained on insecure open-source projects and other publicly available code, meaning AI-generated code can be insecure as well. Failure to vet this code properly adds to an organisation’s security debt over time and may even accelerate it, as AI helps developers code faster than ever.
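The prioritisation problem described in this section (critical flaws first, and the oldest flaws first because they are the least likely to ever be fixed on their own) can be made concrete as a small triage routine over scanner findings. This is an added example, not Veracode's tooling: the findings are constructed, and the choice to count both "critical" and "high" severities as critical debt is an assumption.

```python
"""Security-debt triage over SAST findings (added example, constructed data)."""
from dataclasses import dataclass
from datetime import date

SEVERITY_RANK = {"critical": 0, "high": 1, "medium": 2, "low": 3}
CRITICAL = {"critical", "high"}   # assumption: severities counted as 'critical debt'
OLD_APP_YEARS = 3.4               # the article's cut-off for 'older applications'


@dataclass(frozen=True)
class Finding:
    app: str
    severity: str
    first_seen: date
    fixed: bool = False


def age_years(first_seen: date, today: date) -> float:
    return (today - first_seen).days / 365.25


def debt_metrics(findings, today):
    """Security debt = unresolved findings. Report the share of apps carrying
    any debt, the share carrying critical debt, and how much of the critical
    debt sits in flaws older than the 'old application' threshold."""
    apps = {f.app for f in findings}
    debt = [f for f in findings if not f.fixed]
    critical = [f for f in debt if f.severity in CRITICAL]
    old_critical = [f for f in critical
                    if age_years(f.first_seen, today) > OLD_APP_YEARS]
    return {
        "apps_with_debt": len({f.app for f in debt}) / len(apps),
        "apps_with_critical_debt": len({f.app for f in critical}) / len(apps),
        "critical_debt_in_old_flaws": len(old_critical) / max(1, len(critical)),
    }


def fix_order(findings, today):
    """Remediation queue: highest severity first, then oldest first, so that
    the flaws most at risk of never being fixed are not left at the back."""
    debt = [f for f in findings if not f.fixed]
    return sorted(debt, key=lambda f: (SEVERITY_RANK[f.severity],
                                       -age_years(f.first_seen, today)))


# Constructed sample scan results for four applications.
TODAY = date(2025, 6, 1)
SAMPLE = [
    Finding("billing", "critical", date(2021, 1, 15)),            # ~4.4 years old
    Finding("billing", "low", date(2024, 11, 1)),
    Finding("portal", "high", date(2024, 3, 1)),
    Finding("portal", "medium", date(2023, 6, 1), fixed=True),
    Finding("mobile", "medium", date(2025, 2, 1)),
    Finding("api", "low", date(2022, 5, 1), fixed=True),
]
```

Running `debt_metrics(SAMPLE, TODAY)` on the constructed data reports three of four apps with debt, two of four with critical debt, and half of the critical debt in flaws older than 3.4 years; `fix_order` puts the billing critical flaw first.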
Optimising developer efficiency with smarter AI solutions
Thankfully, innovation is slowly lifting the pressure on development teams. New technologies like AI, when implemented with appropriate safeguards, mean developers need not leave so many flaws unaddressed – or have their time and resources spread so thinly. AI has already fundamentally changed the paradigm of future business. Although it may seem counterintuitive given the risks described above, we are in an age where we need to consider fighting AI with AI.
AI-driven tools, particularly those based on GPT models with supervised training on curated security-specific datasets, excel at cybersecurity tasks. These models can provide highly reliable flaw remediation suggestions, ensuring that vulnerabilities are addressed promptly and effectively. However, it is crucial that any tool handling source code, especially for security purposes, maintains the highest standards of data integrity and security.
Incorporating AI into the software development lifecycle not only enhances efficiency but also has the potential to fortify the security posture of applications. By identifying and addressing vulnerabilities early, development teams can deliver robust, secure software that meets the ever-evolving demands of the digital landscape.
Harnessing AI into the future: strategising to stay ahead
With 70% of organisations struggling with backlog issues and accumulating vulnerabilities, it’s clear that traditional security management methods are no longer enough. To stay ahead of spiralling security debt, organisations must adopt a proactive mindset, preventing flaws before they emerge.
Frequent code scanning, while essential, is only half of the battle – awareness alone does not reduce security debt. Continuous scanning must be accompanied by continuous fixing, and this is where AI-powered remediation becomes a necessity for under-resourced teams.
Despite fears that it could become a threat to security, AI is increasingly proving to be part of the solution. By embedding AI into the development process, teams can identify and fix vulnerabilities in real time. This enables organisations to address security risks at an earlier stage, reducing the need for costly remediation later. Taking this proactive, AI-driven approach not only reduces existing security debt but also strengthens overall resilience, ensuring organisations are prepared to tackle the increasingly complex digital future.