Equifax and the High Price of Technical Debt
By now, everyone has heard about the security breach at Equifax. According to a recent article in The Atlantic, “Consumer data breaches have become so frequent … when Equifax revealed late Thursday that a breach exposed personal data, including social-security numbers, for 143 million Americans, public shock was diluted by resignation.”
Is this the new normal? Up to a point, yes. There will always be people trying to break into systems. Breaches will happen. But companies with an online presence cannot afford to be complacent. It’s our job in the IT industry to continually improve security and try to minimize this kind of event and the damage it can cause. So, why do these things keep happening?
The Danger of Technical Debt
There is a term we use in the industry to describe work that gets put off in order to get a project done faster: technical debt. In Agile development projects, it could be something like testing, or building a more robust system. We know we’re cutting corners, but we’re doing it to prioritize delivering the system. As you can imagine, technical debt can also accrue over the life of an application. As vulnerabilities are identified in frameworks and building block components of a solution, those items are added to the technical debt. Many times, this technical debt never actually gets “paid back” or completed. In most corporations, the vast technical debt waiting to be paid off represents one of their biggest overall security issues.
It appears the root issue at Equifax was an application built leveraging an old version of Struts, an open-source Java MVC framework. Struts had a known vulnerability that allowed a hacker to construct a malicious http request and remotely execute code on the server. This kind of breach often happens because application libraries were not up-to-date with the most recent releases of their components. We don’t know if this happened because of a limited security budget, or because moving a product or platform forward had a higher priority than revisiting and revising existing functionality to address vulnerabilities – i.e., not dealing with their technical debt.
Budget plays a key role here. If security is seen as a one-time safeguard, rather than an ongoing, proactive function in the development and maintenance of software, chances are it’s underfunded. (After all, if hackers are constantly inventing new ways to get in, security needs to be continually developing new and better ways to keep them out.) Companies that have not experienced a breach tend to underinvest in preventive security. Add to that the task of dealing with remediating the technical debt that accumulates over time, and companies can easily fall behind in providing real security. Leadership may think incremental increases every year means they are being aggressive and strongly supporting security, but if you started out underinvesting in security, incremental budget increases can still leave you woefully underfunded. It takes an honest look at the big picture to assess what needs to be done to attain real security.
Managing and Minimizing Technical Debt
So how should companies deal with security and the dangers of technical debt? Some key takeaways from the Equifax breach include:
- Recognize that security is a living, breathing force – and as such, must be continually monitored, strengthened, and maintained.
- Bake security in to your SDLC and product delivery processes. If you address security from the beginning as a first-class part of every project, you can design for security, test for security, write requirements for security, and ultimately deliver more secure applications.
- Keep an inventory of your applications to avoid surprises. And keep your libraries up to date.
- Don’t lose track of your technical debt. And pay it back. It represents your greatest vulnerability.
- Invest in security. Understand that it will only strengthen your organization and protect your reputation.
Due to the nature of their business, one would think Equifax would be highly focused on consumer security: there can be no doubt that Equifax had sensitive data that would be coveted by schemers. This was a very significant breach that may represent a surprising vulnerability. It is possible that Equifax will be held to a higher security standard than most companies. Regulators may impose fines and greater oversight, which will cause a ripple effect within the industry.
Bottom line, the Equifax breach and others like it should not be seen as the New Normal. Rather than give up, we in the industry should view it as a clear message that security cannot and should not be an afterthought. Maintaining strong security is an on-going and mission-critical necessity for everyone.