Technical debt can have cybersecurity consequences. Even teams that feel they know exactly what needs fixing are often surprised at what a team of outside hackers can do – as they so often are during a breach.
So how can you determine what’s emergency-worthy technical debt? Your backlog might not show it, but your pen test will.
Technical Debt as Attack Surface
It’s difficult, if not impossible, to find a SOC that’s perfectly run in any organization. Digitization has hit industries hard, with most SOCs struggling to keep up with ever-evolving threats; we have RaaS, social engineering, and AI to thank for that. It can be easy to fall behind on remediation, patch management, and reporting.
Legacy code, outdated systems, and insecure design patterns become easy targets for attackers. Pen testing can bring those problems to the surface and help companies identify which of those pain points are most worth going after, and in what order.
Pen testers actively exploit these weaknesses, which often come about as the result of limited resources; SOCs are constantly triaging. In the process of putting out fires, some things inevitably get left behind. These things are easy to miss on the first pass, and human error is still a significant problem; the Verizon 2025 DBIR notes that the human element still accounts for 60% of breaches.
Technical debt—i.e., backlogged fixes and legacy systems—directly expands your attack surface and eventually comes calling. And yet many organizations incur technical debt only because of a lack of resources, not a lack of desire to address the problem. Pen testing helps organizations build a business case for replacing old systems and prioritizing patches, contrasting the investment with the potential cost of leaving those risks open to exploitation. When the average cost of a data breach hovers around $4.4 million, the price of doing nothing is too high.
Shadow Systems & Forgotten Infrastructure
At this point, we’ve established that pen testing teams frequently uncover untracked assets (e.g. old servers, hidden endpoints) that stem from unmanaged technical debt. Let’s look at some of these scenarios in more detail.
Shadow IT is most likely to grow in cultures that prioritize speed and autonomy over textbook processes. In today’s fast-paced world, that could be most companies in operation. And this is especially true when it comes to SaaS.
The fact that SaaS tools are so easy to come by—think low-friction subscriptions, out-of-sight monthly billing, and easy in-browser apps—makes forgetting (or undervaluing) the security of these all the easier. Most users only see the potential benefits; what they miss is the risk associated with each new user, password, entry point, and unmanaged third-party database.
As individual teams move forward using whatever technology they see fit, they can inadvertently create piles of shadow systems and forgotten infrastructure before IT has a chance to find out. These old, outdated, and forgotten services expand your attack surface in hidden ways. Because no one has eyes on the problem, it is exponentially more dangerous than if it were on your backlog for remediation.
Creating a security-first culture can help offset this, and following up with regular, continuous penetration tests can make sure no one is leaving anything out. Performing regular offensive security tests arms teams against the unexpected and ensures that they understand the true security posture of their enterprise.
Broken Trust Boundaries
Flat networks, overprivileged accounts, and poorly segmented systems also reflect deeper structural debt.
Flat networks are cheap to set up and bypass a lot of security intermediaries (VLANs) that would otherwise introduce more hardware and complexity into the mix. Forgoing proper internal segmentation can be a quick and easy way to get by if you’re a newly digitized company, lacking security experience, short on time, or just working off legacy behaviors. However, the fact that it introduces a “keys to the kingdom” aspect for intruders can’t be denied.
Excessive permissions are another “unforced error” that frequently lands companies in security hot water. As noted in a U.S. Department of Health and Human Services publication, “up to 80% of breaches result from stolen passwords,” and “stolen account credentials are hackers’ most preferred method for privilege exploitation.” Penetration tests are designed to ferret out more than just vulnerabilities and forgotten services; finding overprivileged accounts is part of the job, too.
Code-Level Shortcuts
Vulnerabilities are often the result of scripting-level errors: rushed coding, copy-paste fixes, and ignored security best practices are all forms of tech debt.
For many, those coding mistakes come from far upstream. Dependence on software supply chains is nearly ubiquitous in today’s fast-paced economy, which is why it is frightening to realize that “86% of codebases had open source software vulnerabilities while 81% had high- or critical-risk vulnerabilities.”
Application security testing is, or should be, a critical component of any major penetration testing operation, and it can bring these errors to light.
Recommendations for Future Pen Testing
To get the best, big-picture security view of their organizations, security teams should map recurring pen test findings to systemic debt. Fixing vulnerabilities alone will only hack at the branches; instead, pen test pain points should be analyzed to find the source of the problems.
Infrastructures are always going to have vulnerabilities, and patches are a natural part of any system lifecycle. The trick is to make mitigating them a priority. Leadership needs to be aware of which vulnerabilities present the biggest problem at any given time, and ongoing pen testing is the best way to find that out. Without testing for weaknesses the way attackers do, security teams will always be a step behind.
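One way to put the recommendation above into practice is to classify each pen test finding by the systemic debt it points to (shadow IT, legacy systems, broken trust boundaries, dependency debt) and rank the classes by severity and recurrence across test rounds. This is an added illustration, not Fortra’s or Core Impact’s code; the keyword rules are an assumption about report wording, and the findings are constructed sample data.

```python
import re
from collections import defaultdict

SEVERITY = {"low": 1, "medium": 2, "high": 3, "critical": 4}

# Debt class -> regex over the finding title (assumed report wording). First match wins.
DEBT_RULES = [
    ("shadow IT / forgotten infrastructure", r"not in (inventory|cmdb)|forgotten|unmanaged|untracked"),
    ("legacy / end-of-life systems", r"end[- ]of[- ]life|unsupported|legacy|\beol\b"),
    ("broken trust boundaries", r"flat network|segmentation|lateral|overprivileged|excessive permission|default credential"),
    ("supply-chain / dependency debt", r"(vulnerable|outdated) (dependency|library|package)"),
]

def classify(title):
    """Map one finding title to a systemic debt class, or 'unclassified'."""
    for label, pattern in DEBT_RULES:
        if re.search(pattern, title, re.IGNORECASE):
            return label
    return "unclassified"

def aggregate(findings):
    """Group findings by debt class and rank the classes.

    Rank key: highest severity seen, then number of test rounds the class
    recurred in, then number of distinct assets touched, so a root cause that
    keeps coming back outranks a one-off of equal severity.
    Returns [(label, finding_count, rounds_seen, sorted_assets), ...].
    """
    groups = defaultdict(lambda: {"rounds": set(), "assets": set(), "sev": 0, "n": 0})
    for f in findings:
        g = groups[classify(f["title"])]
        g["rounds"].add(f["round"]); g["assets"].add(f["asset"]); g["n"] += 1
        g["sev"] = max(g["sev"], SEVERITY[f["severity"].lower()])
    ranked = sorted(groups.items(), reverse=True,
                    key=lambda kv: (kv[1]["sev"], len(kv[1]["rounds"]), len(kv[1]["assets"])))
    return [(label, g["n"], len(g["rounds"]), sorted(g["assets"])) for label, g in ranked]

# Constructed sample findings from two test rounds (not real report data).
SAMPLE_FINDINGS = [
    {"round": 1, "asset": "10.0.5.12", "title": "Host not in CMDB exposes legacy SMB service", "severity": "high"},
    {"round": 1, "asset": "app-01", "title": "Vulnerable dependency in web application", "severity": "critical"},
    {"round": 1, "asset": "svc-backup", "title": "Overprivileged service account (domain admin)", "severity": "high"},
    {"round": 1, "asset": "erp-legacy", "title": "End-of-life OS, unsupported since vendor EOL", "severity": "critical"},
    {"round": 2, "asset": "svc-backup", "title": "Overprivileged service account (domain admin)", "severity": "high"},
    {"round": 2, "asset": "ws-finance-07", "title": "Flat network allows lateral movement to finance VLAN", "severity": "high"},
    {"round": 2, "asset": "app-01", "title": "Vulnerable dependency in web application", "severity": "critical"},
    {"round": 2, "asset": "printer-lobby", "title": "Default credentials on network printer", "severity": "medium"},
]

if __name__ == "__main__":
    for label, n, rounds, assets in aggregate(SAMPLE_FINDINGS):
        print(f"{label:38} findings={n} rounds={rounds} assets={assets}")
```

A class that recurs on the same asset across rounds (here the overprivileged service account and the vulnerable dependency) is the signal that a fix was never made, which is the backlog item to escalate.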
Conclusion
Pen tests aren’t about breaking things — they’re about showing where things are already broken beneath the surface. Adversaries have enough advantages; don’t give them the element of surprise, too.
By subjecting their systems to regular and repeated penetration tests, organizations ensure that all cards are on the table, and SOCs are informed of the full range of potential threats. Chances are that threat actors already know what’s there. And it is exactly in these forgotten places that they like to hide.
Ready to pull the cover off hidden liabilities within your tech stack?
Request a demo of Fortra’s Core Impact and begin your pen testing journey today.