This document discusses the concept of "security debt" in software development, which refers to known and unknown security issues that exist in software due to tradeoffs made between security and speed of delivery. It notes that all software accrues security debt over time. It discusses different types of security debt and factors that influence how much debt is acceptable. The document advocates treating security debt like technical debt by prioritizing issues, assigning repayment timelines, and continually working to reduce the debt load over time through secure development practices and prioritized fixes. The goal is managing risk from security debt issues rather than achieving zero debt.

1. Software Security Austerity
Security Debt in Modern Software Development
Ollie Whitehouse, Associate Director, NCC Group

2. Agenda
• Introduction
• Software Security Debt
• Debt Management
• Conclusions

3. Before we begin…
metaphor abuse warning!

4. … before we begin part 2…
there is a white paper available

5. Security debt

6. Technical debt
"Shipping first time code is like going into debt. A
little debt speeds development so long as it is
paid back promptly with a rewrite. The danger
occurs when the debt is not repaid. Every minute
spent on not-quite-right code counts as interest
on that debt."

7. Security debt…
• Present in all software
• Analogous to development and bugs
• security is just a type of bug
• Analogous to development and tech debt
• The trade off between
• fix everything and ship nothing
-versus-
• fix only the critical
-versus-
• real world business

8. Security debt…
• You get good…
• .. you get a new problem
• Too many vulnerabilities!
• You focus on just the
critical / serious
• … the low / medium
mountain grows

9. Security debt – types?
• Known – identified, but yet to be addressed
• Unknown – latent issues yet to be discovered

10. Security debt – source?
• Self
my development
• Supply chain
my outsourced development
• Dependency
COTS component use without formal support

11. Security debt and SDLs
• SDL does not mean 0 debt
• SDL means known security debt
• with a repayment plan
• No SDL means latent security debt
• with no repayment plan
• SDL means more bugs than resources
• quite quickly / in the short to medium term
• SDL means accelerated discovery
• you get too good

12. Security debt and SDLs
• Why accelerated discovery?
• requirements reviews
• static code analysis
• manual code analysis
• automated testing (fuzzing)
• increased awareness and knowledge
• root cause analysis and variations

13. Accruing debt based on risk
• Financial cost versus
• Revenue
• Cost of a response incident
• Brand impact
• Liability
• Time cost versus
• Resources
• Time to market
• Financial costs

14. Accruing debt based on risk
• Impact versus
• Discovery
• Mitigations
• Complexity and
prerequisite conditions
• Access requirements
• Marker expectation

15. Latent debt resilience
• Latent debt will always exist
• through own activities
• through suppliers
• through dependencies
• The need to feed upstream
• The need to build resilient software

16. Debt Management

17. Why we care
• Client expectation
• Regulatory requirements
• Increasing cost of debt
• Attacker capability evolution
• Increased external focus

18. Why we care

19. Why we care

20. Assigning interest rates to security debt
• Interest rate = Priority
• Priority = risk
• Risk = informed

21. Assigning interest rates to security debt
Threat = f (Motivation, Capability, Opportunity, Impact)

22. Assigning interest rates to security debt
DREAD

23. Assigning interest rates to security debt
CVSS

24. Assigning interest rates to security debt
• Impact
• Distribution
• Disclosure
• Likelihood of discovery
• Presence of mitigations
• Complexity of exploitation
• Access requirements
• Customer expectation

25. Repayment – New version requirements

26. Repayment – Severity prioritization
• Next release (any type)
• Next release (major version)
• Next release +1 (any type)
• Next release +2 (any type)
• Next release +3 (any type)

27. Repayment – Percentage reduction
Severity Percentage to be resolved
Critical 100%
Serious 50%
Moderate 30%
Low 20%
Other 0 to 5 %

28. Repayment – Forced

29. Debt Expiry

30. Debt Overhang
• Stuart Myers paper (1977)
‘Determinants of Corporate Borrowing’
• Debt mountain equals death by a thousand cuts
• Leading to inability to accrue more security debt
• Leading to slower innovation

31. Strategic Debt Restructuring

32. Bankruptcy

33. Non Repayment – Consequence Planning
"We may be at the point of diminishing returns by
trying to buy down vulnerability," the general
observed. Instead, he added, "maybe it’s time to
place more emphasis on coping with the
consequences of a successful attack, and trying to
develop networks that can "self-heal" or "self-limit“
the damages inflicted upon them. "

34. Conclusions
• Zero debt is not good business practice
• SDLs enable debt discovery and repayment
• A pure risk approach allows the mountain to grow
• Outsourcing carries risk of larger latent debt
• A mature model is to understand and plan payment
• … while educating upstream
• … while paying down the mountain
• … while still using risk

35. Thanks! Questions?
UK Offices North American Offices Australian Offices
Manchester - Head Office San Francisco Sydney
Cheltenham Atlanta
Edinburgh New York
Leatherhead Seattle
London
Thame
European Offices
Amsterdam - Netherlands Ollie Whitehouse
Munich – Germany
Zurich - Switzerland
ollie.whitehouse@nccgroup.com