Skip to main content
May 4, 2015

Product Releases, Technical Debt and AppSec Are Not Mutually Exclusive

Product Releases, Technical Debt and AppSec Are Not Mutually ExclusiveThere's a troubling trend forming in hardware development cycles: New hardware products (particularly mobile devices) are coming out so fast that software developers can't keep pace. With every new iteration, the hundreds of thousands of perfectly functioning devices already in use become a little less relevant, and a little more neglected by their manufacturers. Amid all this madness, you can practically feel the technical debt accumulating.

This attitude towards the hardware-software conundrum has the potential to be disastrous for private and commercial customers who depend on their devices — to say nothing of the application developers who are forced to develop new versions and push patches to older ones at a dizzying rate. What can be done to mitigate this problem?

All That Glitters

With every dazzling new display and next-generation haptic feedback strategy comes a mountain of headaches for everyone in the software world. Operating system developers and application developers alike are pressured to create new versions of their products that utilize the newest hardware's capabilities to its fullest. But with every new version comes the realization that its predecessor is no longer new, which means the one before that is a generation older, and so on. At the current rate of product rollout, it's likely the majority of any enterprise's fleet is at least one generation old, even enterprises with generous tech budgets.

Apparently with aging devices comes more insecurity. With the recent admission by a Google rep that they will not be fixing a security flaw in older versions of Android, this isn't just conjecture — it's a staggering reality. It is likely correct to assume Google is not alone in this practice. If a major tech company can't keep all reasonably recent iterations protected, then there's no reason to assume smaller vendors can, either.

Build It Right the First Time?

Not only do firms have to wonder if the machines they seemingly installed last week are being protected with the latest updates as vulnerabilities are discovered, but now, more than ever, there's a concern that software wasn't developed and tested as thoroughly as it should have been. The pressure to keep pace with hardware means security testing is compressed at best — or, at worst, that it's been thoroughly trimmed and neglected.

Some flaws can only be exposed through dutiful pen testing and chugging away at code review, but these are time-consuming steps, and it's tempting to skip them when the source code from the old generation was recently deemed good to go. In this dystopic consumer landscape of too many updates, what's a security-minded enterprise to do?

Break It Yourself

Given the increasing uncertainty surrounding updates and original design and testing, it's important that your security solution has the ability to do its own testing. Reviewing source code and crowdsourcing data on exposed vulnerabilities are both essential ways to remain aware of problems and find them before malicious hackers do. As the bring-your-own-device trend grows, having the ability to maintain a secure network regardless of the devices and apps brought on is just as important as native security within a network.

Once employees' mobile devices and laptops hook into a business network, the list of potential problems grows substantially. Inventories get larger, and the OS versions and applications with access become overwhelming. Off-load that headache to a software solution that keeps inventory for you. Having insight into where vulnerabilities exist allows your company to be smarter about resource allocation, only updating hardware and software with critical flaws. Unless you're fully protected against chinks in the armor of old phones, you're only as strong as the most vulnerable phone in your fleet.

Technical Debt Bubble

When it comes to technical debt, you can't simply shred banknotes and hope it goes away. Enterprises roll out applications all the time, and they can't afford to simply scrap them because manufacturers neglect those versions when the new model comes out. Comprehensive security programs face a bigger burden now than ever before; after all, if even one employee has a version of a phone that's no longer receiving the largest update package from its manufacturer and OS, then there are vulnerabilities accruing while the rest of the (tech) world spins madly on.

It's not reasonable for a company to buy every intern and entry-level employee a brand new phone, but it'd be even less reasonable for sensitive data to get hacked because of something as simple as an out-of-date phone. When considering the value proposition of a comprehensive security solution, don't ignore the way it eliminates the need to replace hardware at a seemingly obnoxious frequency.

Always Pay Your Bills on Time

Remember that old aphorism mom had about never getting behind on credit card bills? It's eerily apropos when it comes to application security. Regardless of an individual manufacturer's decisions to support or drop individual products, a great software security solution will remain vigilant against all attacks by vetting every new piece of software joining the network, keeping inventory of it and remaining apprised of any vulnerabilities it may have.

Technical debt is tough for developers, and there are many best practices for avoiding it — even in the face of the explosively popular Agile development framework. Getting updates and new goodies frequently can be great for those who love shiny interfaces and the joy of new functionality appearing with every other reboot. But the pressure on developers to keep pace with hardware means avoiding all technical debt is a very sore subject.

No Credit, No Problem

The situation is also grim for those who are charged with protecting networks that rely on intricate webs of software and hardware. Rather than getting discouraged by the breakneck pace of release parties (which really only please the guys who get to blog about new toys all day), remain vigilant in your efforts to keep security solutions updated. Great security solutions look at debt and say, "No problem!" But they wear a lot less hair gel than those used-car salesmen who say the same thing.


Related Content

John is a B2B and SaaS expert who likes to explain complex concepts using cute animals and cocktail napkins. He believes that content marketing is the future and sometimes ghost writes, but he can never prove it.

Love to learn about Application Security?

Get all the latest news, tips and articles delivered right to your inbox.