Get Out of Security Debt by Tackling the Exposure Problem
Analysis
TL;DR
- 82% of organizations carry security debt, vulnerabilities over one year old.
- 11.3% of flaws are high-risk, combining critical severity with high exploitability.
- Remediation must focus on exposed, critical applications, not the entire backlog.
- Effective prioritization requires assessing exploitability and exposure, not just severity scores.
- Fix capacity is a primary constraint in modern application risk management.
Key Data
| Entity | Key Info | Data/Metrics |
|---|---|---|
| Organizations with Security Debt | Vulnerabilities open for over a year. | 82% |
| High-Risk Vulnerabilities | Highly critical flaws likely to be exploited. | 11.3% of total flaws |
| Prioritization Focus | Critical applications tied to revenue, sensitive data, external access. | "Crown jewels" |
Deep Analysis
The cybersecurity industry has a dangerous fixation on metrics that feel productive but are functionally meaningless. Counting vulnerabilities and tracking backlog reduction are ceremonial activities, rituals of due diligence that give executives a false sense of control. Chris Wysopal cuts through this theater with a blunt instrument: 82% of you are carrying "security debt" (flaws over a year old), and your real problem isn't the size of the pile but your failure to measure its actual exposure. The core argument is a necessary and overdue slap to conventional wisdom: you're measuring activity, not risk.
This isn't just a shift in tooling; it's a fundamental philosophical failure in how organizations operationalize security. The standard CVSS severity score, while technically useful, has become a crutch and a misdirection. Attackers aren't running down a ranked list of severity scores like a grocery list. They are opportunists, scanning for the path of least resistance: a medium-severity flaw in a publicly facing API is a golden ticket, while a critical vulnerability buried deep in an internal, air-gapped system might be a rounding error. The data showing 11.3% of flaws inhabiting the high-risk zone (critical + exploitable) is telling, but the more revealing insight is that teams, especially developers, won't naturally prioritize this way. This exposes a rift between security policy and engineering reality.
The call to focus on "crown jewel" applications is pragmatic, but it's also a tacit admission of resource surrender. It says that perfect coverage is a fantasy, and the only rational strategy is triage. This is where the piece becomes deeply practical and slightly uncomfortable. It forces a conversation not about what's "secure," but about what's "secure enough" for the things that pay the bills. This risk-acceptance mindset is mature, yet many organizations are culturally ill-equipped for it. They remain locked in a compliance-driven model where every checkbox has equal weight.
The mention of fix capacity as a core constraint is the article's most underappreciated point. It shifts the entire discussion from a security problem to an engineering and business operations problem. You don't just need more scanners or better prioritization dashboards; you need dedicated, funded capacity—likely integrated into developer workflows—to remediate the risk you've identified. Without this, prioritized lists are just anxiety-producing artifacts. The unspoken consequence is a radical reallocation of engineering time, potentially away from feature development and toward debt reduction, a trade-off most product managers will resist. The article doesn't solve this, but it correctly identifies it as the central battlefield. The real crisis isn't in the backlog; it's in the boardroom's willingness to fund the industrial-scale waste disposal that modern software inherently requires.
Industry Insights
- Security metrics will pivot from "number of vulnerabilities found" to "mean-time-to-remediation for high-risk exposures," forcing alignment with business impact.
- Exploitability prediction, using threat intelligence and code context, will become a default feature in DevSecOps pipelines, superseding pure severity scoring.
- Dedicated "risk remediation" capacity will be formally budgeted as a cost of doing business, similar to SRE teams, breaking the feature-development monopoly on engineering resources.
FAQ
Q: How should we measure progress if not by backlog size?
A: Measure mean-time-to-remediate for vulnerabilities in your critical applications, and track the percentage of your "crown jewel" systems with unresolved high-risk flaws.
Q: Won't focusing only on critical applications leave us exposed elsewhere?
A: Yes, but it's a strategic acceptance of risk. It ensures your limited resources protect what matters most, providing a higher return on security investment than spreading effort thin.
Q: How do we get developers to prioritize exploitability over severity?
A: Integrate exploitability data directly into their existing ticketing and issue-tracking systems, and make security SLAs for high-risk flaws a formal part of their sprint goals.
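The triage model argued for in the Deep Analysis (exposure and exploitability ranked above raw severity, with the queue cut at fix capacity) and the two progress metrics the FAQ proposes, as an added Python example that is not from the original article or from Veracode; the `Finding` fields, the ranking order, the one-year debt threshold, the "critical + exploitable" high-risk rule and the sample backlog are all assumptions constructed for illustration:

```python
from dataclasses import dataclass
from datetime import date
from typing import Optional
@dataclass
class Finding:
    app: str
    cvss: float            # severity score alone (0-10)
    exploitable: bool      # public exploit or active exploitation known
    internet_facing: bool  # reachable from outside the perimeter
    crown_jewel: bool      # app tied to revenue, sensitive data or external access
    opened: date
    closed: Optional[date] = None

def is_security_debt(f, today):
    # Still open after more than a year: the article's definition of debt.
    return f.closed is None and (today - f.opened).days > 365

def is_high_risk(f):
    # Critical severity combined with high exploitability (assumed rule).
    return f.cvss >= 9.0 and f.exploitable

def risk_rank(f):
    # Exposure and exploitability outrank raw severity; CVSS only breaks ties.
    return (f.crown_jewel, f.internet_facing, f.exploitable, f.cvss)

def remediation_queue(findings, fix_capacity):
    # Top-ranked open flaws, cut at what the team can actually fix this cycle.
    open_flaws = [f for f in findings if f.closed is None]
    return sorted(open_flaws, key=risk_rank, reverse=True)[:fix_capacity]

def mttr_days(findings, crown_jewels_only=True):
    # Mean time to remediate, the FAQ's suggested progress metric.
    done = [f for f in findings if f.closed and (f.crown_jewel or not crown_jewels_only)]
    return sum((f.closed - f.opened).days for f in done) / len(done) if done else 0.0

def crown_jewel_exposure(findings):
    # Share of crown-jewel apps with at least one unresolved high-risk flaw.
    jewels = {f.app for f in findings if f.crown_jewel}
    hit = {f.app for f in findings if f.crown_jewel and f.closed is None and is_high_risk(f)}
    return len(hit) / len(jewels) if jewels else 0.0
# Constructed sample backlog (not real data); TODAY is an assumed reference date.
TODAY = date(2025, 6, 1)
FINDINGS = [
    Finding("billing-api", 6.5, True, True, True, date(2024, 1, 10)),    # medium, but exposed
    Finding("hr-intranet", 9.8, False, False, False, date(2023, 3, 1)),  # critical, but internal
    Finding("billing-api", 9.1, True, False, True, date(2025, 5, 1)),    # high-risk, crown jewel
    Finding("build-server", 7.2, False, False, False, date(2025, 4, 15)),
    Finding("customer-portal", 9.4, True, True, True, date(2025, 1, 5), date(2025, 1, 25)),
    Finding("customer-portal", 8.0, True, True, True, date(2024, 2, 1), date(2024, 3, 12)),
]
```

With a fix capacity of two, the exposed CVSS 6.5 flaw on the billing API is scheduled ahead of the CVSS 9.8 flaw on the internal intranet, which is exactly the inversion of severity-first triage the article describes.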
Disclaimer: The above content is generated by AI and is for reference only.