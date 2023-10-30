Technical debt in software products typically results from unavailability of technology or unavailability of time.
Then there’s the times when it is “not fine.” This is when it subsequently results in a larger cost incurred by the customer. This cost takes many forms—sometimes it is only a performance cost, which is a monetary cost in and of itself in today’s cloud-first world.
Often, too, technical debt results in an inability to innovate. This is a bit more serious, and indirectly the customer pays once more. Sometimes, however, it results in downright security gaps. This is the worst kind of technical debt, and one that is often not realized.
The principal example that I have frequently stumbled upon in my career is the “Intermediary Certificate Authorities.” Let me explain how this cryptographic debt sneaks into an organization. One way to fight this is to perform “break and inspect” on network traffic. This requires the security inspector to sit in the middle, which means a proxy server must pretend to be the system you are trying to connect to. This impersonation requires a trust relationship, which is often done through certificate authorities that are internal to the enterprise. These are the Intermediary Certificate Authorities.
Another way in which cryptographic debt creeps in is in legacy software. Much enterprise software becomes legacy because it "just works," and the SSL and TLS encryption libraries are compiled directly into the software.
So how do organizations get ahead of the curve here? The remediation to weak, missing or outdated cryptography is not a single one-stop solution.