A technical debt compendium
Or, everything you need to understand why most infrastructure is one Windows XP machine away from catastrophe
This page collects resources for understanding technical security debt.
The scale of the problem
Technical Debt Stifling Path to AI Adoption for Global Enterprises, Pegasystems, June 2025. A survey of over 500 IT decision-makers across five countries found that global enterprises waste $370 million per year due to inability to efficiently modernise legacy systems. 68 percent of respondents say legacy systems prevent their organisation from embracing modern technologies, 48 percent cannot discontinue legacy applications despite wanting to because they remain business-critical, and 57 percent acknowledge that legacy reliance is likely causing customer defection.
2025 Legacy Code Stats: Costs, Risks and Modernisation, Pragmatic Coders, September 2025. Aggregates headline figures from GAO, McKinsey, and IT-CISQ: accumulated US technical debt stands at $1.52 trillion, 70 percent of software in Fortune 500 companies is over 20 years old, and 80 percent of federal IT budgets go toward operating and maintaining existing systems rather than new development. 70 percent of banks globally rely on legacy systems and 95 percent of ATM transactions worldwide still run on COBOL-based infrastructure.
Technical Debt Remains a Major Burden, Protiviti, 2023. A global survey of more than 1,000 CIOs, CTOs, and technology executives found that organisations spend an average of 30 percent of IT budgets on technical debt management, and nearly 70 percent view technical debt as having a high impact on their ability to innovate. UK organisations dedicate 38 percent of IT budgets to controlling technical debt, the highest nationally, while transportation and logistics firms spend 39 percent.
2025 Cost of a Data Breach Report, IBM, August 2025. The global average cost of a data breach reached $4.44 million in 2025, with US companies facing $10.22 million per incident. Breaches involving legacy systems and unpatched vulnerabilities consistently exceeded the average. Organisations using AI and automation in security operations saved an average of $2.22 million per breach compared to those that did not, though legacy environments frequently lack the integration points required to deploy these tools.
Government and critical infrastructure
Information Technology: Agencies Need to Plan for Modernising Critical Decades-Old Legacy Systems, US Government Accountability Office, July 2025. The federal government spends over $100 billion annually on IT, with approximately 80 percent going toward operating and maintaining existing systems rather than modernisation. Of 69 legacy systems evaluated across 24 major agencies, 11 were identified as most critical; 8 of those 11 use outdated programming languages, 4 have unsupported hardware or software, and 7 operate with documented cybersecurity vulnerabilities. Of the 10 critical systems identified in a 2019 review, only 3 have been fully modernised as of February 2025, with one still lacking any planned completion date.
CISA Known Exploited Vulnerabilities Catalog, CISA, continuously updated. The KEV catalog grew by nearly 20 percent during 2025, from 1,239 vulnerabilities to 1,484 by year-end. Research by the Qualys Threat Research Unit found that 20 percent of federal agency assets contain high-risk end-of-support software, and that 48 percent of vulnerabilities on the KEV list are found specifically in end-of-support software; such vulnerabilities are four times more likely to be weaponised. The direct line between legacy system maintenance failures and active exploitation is not theoretical.
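The KEV-versus-end-of-support overlap above is the kind of join a vulnerability management team can run over its own inventory. The following is an added example, not code from the page or from CISA or Qualys: it takes a constructed asset list with vendor end-of-support dates and a constructed KEV-style feed (placeholder CVE ids; the field names cveID, vendorProject, product, dueDate and knownRansomwareCampaignUse are assumed here to mirror the published KEV JSON feed) and tiers assets so that software which is both actively exploited and no longer patchable sorts first.

```python
"""Cross-reference an asset inventory against a KEV-style feed and end-of-support dates.

Added example (not from the page or from CISA/Qualys). KEV_FEED is a constructed
sample whose field names are assumed to follow the published KEV JSON feed;
the CVE ids are placeholders, not real entries.
"""
from datetime import date

TODAY = date(2025, 12, 1)  # fixed reference date so the run is reproducible

# Constructed KEV-style feed (placeholder CVE ids).
KEV_FEED = {
    "vulnerabilities": [
        {"cveID": "CVE-0000-00001", "vendorProject": "ExampleVendor",
         "product": "LegacyGateway", "dueDate": "2025-03-01",
         "knownRansomwareCampaignUse": "Known"},
        {"cveID": "CVE-0000-00002", "vendorProject": "ExampleVendor",
         "product": "ModernGateway", "dueDate": "2025-09-15",
         "knownRansomwareCampaignUse": "Unknown"},
    ]
}

# Constructed asset inventory with vendor-published end-of-support dates (None = still supported).
ASSETS = [
    {"host": "gw-01", "vendor": "ExampleVendor", "product": "LegacyGateway", "eos": "2022-06-30"},
    {"host": "gw-02", "vendor": "ExampleVendor", "product": "ModernGateway", "eos": "2028-01-01"},
    {"host": "db-07", "vendor": "OtherVendor", "product": "OldDatabase", "eos": "2020-01-01"},
    {"host": "web-03", "vendor": "OtherVendor", "product": "NewWebServer", "eos": None},
]


def index_kev(feed):
    """Map (vendor, product), lowercased, to the KEV entries for that product."""
    by_product = {}
    for entry in feed["vulnerabilities"]:
        key = (entry["vendorProject"].lower(), entry["product"].lower())
        by_product.setdefault(key, []).append(entry)
    return by_product


def triage(assets, feed, today=TODAY):
    """Return (host, tier, reasons) tuples, most urgent tier first.

    Tier 0: past end-of-support AND in KEV (exploited, and no vendor patch will ever come).
    Tier 1: in KEV only.  Tier 2: past end-of-support only.  Tier 3: nothing flagged.
    """
    kev = index_kev(feed)
    results = []
    for a in assets:
        reasons = []
        past_eos = a["eos"] is not None and date.fromisoformat(a["eos"]) < today
        if past_eos:
            reasons.append("end-of-support since " + a["eos"])
        hits = kev.get((a["vendor"].lower(), a["product"].lower()), [])
        for h in hits:
            tag = h["cveID"]
            if date.fromisoformat(h["dueDate"]) < today:
                tag += " (remediation overdue)"
            if h.get("knownRansomwareCampaignUse") == "Known":
                tag += " (ransomware use)"
            reasons.append("KEV " + tag)
        if past_eos and hits:
            tier = 0
        elif hits:
            tier = 1
        elif past_eos:
            tier = 2
        else:
            tier = 3
        results.append((a["host"], tier, reasons))
    results.sort(key=lambda r: r[1])  # stable sort keeps inventory order within a tier
    return results


if __name__ == "__main__":
    for host, tier, reasons in triage(ASSETS, KEV_FEED):
        print(tier, host, "; ".join(reasons) or "no findings")
```

Tier 0 is the case the compensating-controls language in the CISA performance goals exists for: the asset cannot be patched, so the only options are isolation, removal, or an explicitly documented exception.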
Cybersecurity Performance Goals 2.0 for Critical Infrastructure, CISA, December 2025. Updated cross-sector performance goals aligned with NIST Cybersecurity Framework 2.0, introducing new goals explicitly addressing third-party provider risks, zero-trust principles to mitigate lateral movement, and compensating controls for assets where patching is not feasible. The last category exists specifically because the assumption that legacy systems can be patched has been acknowledged as false in too many environments to ignore.
Agencies Need to Continue Addressing Critical Legacy Systems, Mlogica, 2025. The IRS still relies on applications over 60 years old written in COBOL and Assembler. These create significant security risks, slow operations, and require specialised personnel with decades-old programming knowledge that is an increasingly scarce skill set. The Department of Transportation and OPM face similar challenges, though the IRS example remains the most frequently cited because the numbers running through those systems are large enough to concentrate minds.
Identity and access management debt
IAM Tech Debt: Balancing Modernisation and Legacy Identity Infrastructure, Security Boulevard, December 2024. According to Gartner, IAM technical debt impacts quality, delivery timelines, and budgets of IAM teams. Companies often prioritise new features over fixing legacy identity controls, resulting in security vulnerabilities and unmet IAM objectives. Legacy companies, particularly in banking and manufacturing, have layered multiple identity solutions over years without full integration, resulting in fragmented environments where no single team has complete visibility.
Beyond IAM Silos: Why the Identity Security Fabric is Essential for Securing AI and Non-Human Identities, The Hacker News, November 2025. Non-human identities — service accounts, API keys, and AI agents — now outnumber human identities by 50 to 1 in modern enterprises, yet legacy IAM systems were designed around human users and cannot govern this scale. 80 percent of security breaches involve compromised credentials. Gartner estimates that 85 percent of new attacks could be prevented by 2027 through identity fabric immunity principles, a goal that requires replacing the siloed architectures most organisations still rely on.
Orca Security 2025 State of Cloud Security Report, Orca Security, December 2025. 93 percent of organisations have at least one overprivileged service account, and 78 percent have IAM roles unused for over 90 days — stale credentials that persist because legacy access management processes lack automated lifecycle governance. 85 percent of organisations have plaintext secrets in source code repositories, of which 14 percent remain valid and exploitable. Attackers can find an exposed secret in under two minutes, while organisations take an average of 94 days to remediate.
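The stale-role and over-privilege figures above are both detectable from an IAM inventory, which is what "automated lifecycle governance" amounts to in practice. The block below is an added example, not code from the page or from Orca Security: it runs a 90-day last-used check and a wildcard-action check over a constructed role inventory whose policy documents use the common Statement/Effect/Action/Resource layout; the role names, dates and policies are invented for the example.

```python
"""Lifecycle check over an IAM role inventory: stale roles and wildcard grants.

Added example, not from the page or from Orca Security. ROLES is a constructed
sample; in practice last-used timestamps and policy documents come from the
provider's IAM API. Policy shape assumed: Statement/Effect/Action/Resource.
"""
from datetime import date, timedelta

TODAY = date(2025, 12, 1)          # fixed reference date so the run is reproducible
STALE_AFTER = timedelta(days=90)   # the threshold behind the "unused for over 90 days" statistic

# Constructed inventory. last_used None means the role has never been used.
ROLES = [
    {"name": "ci-deployer", "last_used": "2025-11-28",
     "policy": {"Statement": [{"Effect": "Allow", "Action": ["s3:PutObject"],
                               "Resource": "arn:example:s3:::artifacts/*"}]}},
    {"name": "legacy-etl", "last_used": "2025-01-10",
     "policy": {"Statement": [{"Effect": "Allow", "Action": "*", "Resource": "*"}]}},
    {"name": "migration-2019", "last_used": None,
     "policy": {"Statement": [{"Effect": "Allow", "Action": ["iam:*"], "Resource": "*"}]}},
    {"name": "readonly-audit", "last_used": "2025-10-02",
     "policy": {"Statement": [{"Effect": "Allow", "Action": ["s3:GetObject", "s3:ListBucket"],
                               "Resource": "*"}]}},
]


def is_stale(role, today=TODAY, threshold=STALE_AFTER):
    """True if the role was never used or not used within the threshold."""
    if role["last_used"] is None:
        return True
    return today - date.fromisoformat(role["last_used"]) > threshold


def wildcard_grants(policy):
    """Return Allow statements granting a wildcard action ('*' or 'service:*')."""
    findings = []
    for stmt in policy.get("Statement", []):
        if stmt.get("Effect") != "Allow":
            continue
        actions = stmt.get("Action", [])
        if isinstance(actions, str):
            actions = [actions]
        wild = [a for a in actions if a == "*" or a.endswith(":*")]
        if wild:
            findings.append({"actions": wild, "resource": stmt.get("Resource")})
    return findings


def review(roles, today=TODAY):
    """Map role name to a verdict: remove if stale, tighten if active but over-privileged."""
    report = {}
    for r in roles:
        stale = is_stale(r, today)
        wild = wildcard_grants(r["policy"])
        if stale and wild:
            verdict = "remove (stale and over-privileged)"
        elif stale:
            verdict = "remove (stale)"
        elif wild:
            verdict = "tighten (wildcard grant on active role)"
        else:
            verdict = "ok"
        report[r["name"]] = verdict
    return report


if __name__ == "__main__":
    for name, verdict in review(ROLES).items():
        print(f"{name:16} {verdict}")
```

The wildcard check is deliberately narrow (actions only); a resource of "*" on a read-only role, as in readonly-audit above, passes here and would need a separate, service-specific rule, which is exactly the sort of gap fragmented identity tooling leaves open.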
Cloud misconfiguration: the epidemic nobody seems to want to discuss
Resources examining how cloud adoption created a new category of technical debt through misconfiguration and complexity.
The misconfiguration crisis
Tenable Cloud Security Risk Report 2025, Tenable, June 2025. Analysis of real-world cloud environments identifies the toxic cloud trilogy — workloads that are simultaneously publicly exposed, critically vulnerable, and highly privileged — as present in 29 percent of organisations. 54 percent of organisations using AWS ECS have at least one task definition with an embedded secret, and 9 percent of publicly accessible cloud storage contains sensitive data directly exposed to the internet. The report frames these as compounding security debt created by rapid cloud adoption outpacing security governance maturity.
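Two of the Tenable findings above translate directly into checks: the toxic trilogy is a conjunction of three attributes a CSPM export already carries, and an embedded secret in an ECS task definition is a credential-looking value inlined under `environment` instead of being referenced at runtime under `secrets`/`valueFrom`. The following is an added example, not code from the page or from Tenable; the workload inventory and the task definition are constructed samples, and the secret-name regex is this example's own heuristic.

```python
"""Toxic cloud trilogy triage and embedded-secret detection for ECS task definitions.

Added example, not from the page or from Tenable. WORKLOADS and TASK_DEF are
constructed samples; the task definition uses the containerDefinitions /
environment / secrets keys of ECS task definitions. The secret-name pattern
is a heuristic chosen for this example.
"""
import re

# Constructed workload inventory, shaped like a CSPM export.
WORKLOADS = [
    {"id": "web-prod-1", "public": True,  "max_cvss": 9.8, "privilege": "admin"},
    {"id": "batch-2",    "public": False, "max_cvss": 9.1, "privilege": "admin"},
    {"id": "api-3",      "public": True,  "max_cvss": 5.3, "privilege": "admin"},
    {"id": "cache-4",    "public": True,  "max_cvss": 9.4, "privilege": "scoped"},
]


def toxic_trilogy(workloads, critical_cvss=9.0, high_privilege=("admin",)):
    """Ids of workloads that are public AND critically vulnerable AND highly privileged."""
    return [w["id"] for w in workloads
            if w["public"] and w["max_cvss"] >= critical_cvss
            and w["privilege"] in high_privilege]


# Constructed ECS task definition: the "app" container inlines credentials as plain
# environment variables; "sidecar" pulls its password from a secrets manager ARN.
TASK_DEF = {
    "family": "payments",
    "containerDefinitions": [
        {"name": "app",
         "environment": [
             {"name": "DB_PASSWORD", "value": "hunter2-example"},
             {"name": "LOG_LEVEL", "value": "info"},
             {"name": "STRIPE_API_KEY", "value": "sk_test_EXAMPLEPLACEHOLDER"},
         ]},
        {"name": "sidecar",
         "environment": [{"name": "REGION", "value": "eu-west-1"}],
         "secrets": [{"name": "DB_PASSWORD",
                      "valueFrom": "arn:example:secretsmanager:db-password"}]},
    ],
}

# Variable names that usually carry credentials (heuristic).
SECRET_NAME = re.compile(r"(PASSWORD|PASSWD|SECRET|TOKEN|API_KEY|PRIVATE_KEY)", re.I)


def embedded_secrets(task_def):
    """(container, variable) pairs where a credential-like value is inlined in
    `environment` rather than resolved at runtime through `secrets`/`valueFrom`."""
    findings = []
    for c in task_def.get("containerDefinitions", []):
        for env in c.get("environment", []):
            if SECRET_NAME.search(env["name"]) and env.get("value"):
                findings.append((c["name"], env["name"]))
    return findings


if __name__ == "__main__":
    print("toxic trilogy:", toxic_trilogy(WORKLOADS))
    print("embedded secrets:", embedded_secrets(TASK_DEF))
```

The fix for each `embedded_secrets` hit is to move the variable into the container's `secrets` list with a `valueFrom` reference, as the sidecar container already does; the value then never appears in the task definition, which is what gets copied into tickets, exports and version control.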
Wiz Cloud Data Security Snapshot 2025, Wiz, May 2025. Analysis of hundreds of thousands of real-world cloud accounts found that 54 percent of cloud environments have exposed virtual machines and serverless instances containing sensitive information including PII or payment data, and 72 percent have publicly exposed PaaS databases lacking access controls. 12 percent of cloud environments have containers that are both publicly exposed and exploitable via known vulnerabilities. These are not edge cases.
2025 Verizon Data Breach Investigations Report, Verizon, April 2025. Analysis of over 22,000 security incidents and 12,000 confirmed breaches found that exploitation of vulnerabilities surged 34 percent, with edge devices and VPNs running legacy or unpatched software now representing 22 percent of vulnerability exploitation targets, up from 3 percent the year before. Third-party-involved breaches doubled to 30 percent of all breaches. Ransomware is present in 44 percent of all breaches, while stolen credentials and exploited vulnerabilities remain the two dominant initial access vectors.
Cloud Misconfigurations: Still the Biggest Threat?, RSA Conference, 2025. SentinelOne found almost 23 percent of cloud security incidents stem from misconfigurations. Cloud Security Alliance’s Top Threats report listed misconfiguration and inadequate change control as the number one cloud threat, above even zero-day attacks. Clouds are large, dynamic, and easy to deploy, which means they are prone to human error, and lack of visibility or expertise means settings get overlooked until someone else finds them.
Major breach case studies
Case Study: Inadequate Configuration and Change Control, Cloud Security Alliance, June 2025. The 2024 Football Australia breach resulted from developers misconfiguring AWS S3 buckets. Misconfigured S3 buckets are a leading cause of cloud data leaks. Publicly available IoT search tools such as Shodan, BinaryEdge, and Grayhat Warfare make it relatively straightforward to find unprotected data repositories, which means the question is not whether someone will look but when.
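A misconfigured bucket of the kind described above is usually a policy statement that allows an anonymous principal, combined with a public access block that is absent or disabled. The block below is an added example, not code from the page or from the Cloud Security Alliance: it inspects constructed bucket policies in the standard IAM policy JSON layout for anonymous grants, separates conditioned grants for manual review, and folds in the BlockPublicPolicy / RestrictPublicBuckets settings (the simplified semantics of those two flags are this example's assumption; the bucket names and the 123456789012 account id are placeholders).

```python
"""Flag S3 bucket policies that grant anonymous access and check whether the
public access block would neutralise them.

Added example, not from the page or from the Cloud Security Alliance. The
policies are constructed samples; the account id and bucket names are
placeholders. The treatment of BlockPublicPolicy / RestrictPublicBuckets
is a simplification assumed for this example.
"""

# Classic leak: anyone may read every object.
OPEN_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "PublicRead", "Effect": "Allow", "Principal": "*",
         "Action": "s3:GetObject", "Resource": "arn:aws:s3:::example-uploads/*"}
    ],
}

# Anonymous principal, but gated by a source-VPC condition: needs a human look.
CONDITIONED_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "VpcOnly", "Effect": "Allow", "Principal": {"AWS": "*"},
         "Action": ["s3:GetObject", "s3:ListBucket"],
         "Resource": ["arn:aws:s3:::example-internal", "arn:aws:s3:::example-internal/*"],
         "Condition": {"StringEquals": {"aws:SourceVpc": "vpc-example"}}}
    ],
}

# Scoped to one role: not public.
SCOPED_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Principal": {"AWS": "arn:aws:iam::123456789012:role/uploader"},
         "Action": "s3:PutObject", "Resource": "arn:aws:s3:::example-uploads/*"}
    ],
}


def _as_list(x):
    return x if isinstance(x, list) else [x]


def _anonymous_principal(principal):
    """True for Principal "*" or {"AWS": "*"} (including "*" inside a list)."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        return "*" in _as_list(principal.get("AWS", []))
    return False


def public_statements(policy):
    """Split Allow statements with an anonymous principal into (unconditioned, conditioned).

    A Condition does not make a grant safe by itself, so conditioned statements
    are returned separately for review rather than silently accepted."""
    public, conditioned = [], []
    for s in policy.get("Statement", []):
        if s.get("Effect") != "Allow" or not _anonymous_principal(s.get("Principal")):
            continue
        finding = {"sid": s.get("Sid"), "actions": _as_list(s.get("Action"))}
        (conditioned if s.get("Condition") else public).append(finding)
    return public, conditioned


def effective_exposure(policy, public_access_block):
    """Combine the policy finding with the bucket/account public access block.

    BlockPublicPolicy prevents a public policy being attached at all, and
    RestrictPublicBuckets limits a public policy to the owner and AWS services,
    so either setting removes anonymous access (simplified for this example)."""
    public, conditioned = public_statements(policy)
    if not public:
        return "review conditions" if conditioned else "not public"
    if public_access_block.get("BlockPublicPolicy") or public_access_block.get("RestrictPublicBuckets"):
        return "public policy blocked by access block"
    return "PUBLIC: " + ", ".join(a for p in public for a in p["actions"])


if __name__ == "__main__":
    for name, pol in [("open", OPEN_POLICY), ("conditioned", CONDITIONED_POLICY), ("scoped", SCOPED_POLICY)]:
        print(name, "->", effective_exposure(pol, {}))
```

The point of computing exposure against the access block rather than the policy alone is that the control most organisations actually rely on is the account-level block; a scanner that reports every anonymous statement without it produces noise, and one that trusts the block without reading the policy misses buckets created before the block was turned on.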
Detecting and Remediating Misconfigurations in Cloud Environments, Cyber Security News, May 2025. Misconfigurations account for 23 percent of cloud security incidents and 81 percent of cloud-related breaches. The Capital One breach exposed 100 million records due to a misconfigured firewall. Cloud Security Alliance research found 82 percent of enterprises have experienced security incidents from misconfigurations. With misconfiguration-related breaches projected to cost enterprises $5 trillion annually by 2026, the problem has moved well past the point where it can be described as emerging.
Software supply chain: dependency hell and cascading failures
Resources examining vulnerabilities in software dependencies and supply chain attacks.
The supply chain crisis
2026 State of the Software Supply Chain, Sonatype, January 2026. Open source malware grew 75 percent year-on-year to 1.233 million malicious packages tracked since 2019, with 454,648 new malicious packages discovered in the past year alone. Annual open source downloads reached 9.8 trillion across the four largest registries, a 67 percent year-on-year increase — the attack surface is expanding at the same pace as consumption. Despite patches available for years, Log4Shell was still downloaded 42 million times in 2025. 65 percent of open source CVEs lack an NVD-assigned CVSS score, with 46 percent of those unscored CVEs being High or Critical when scored independently.
Black Duck 2026 Open Source Security and Risk Analysis, Black Duck, February 2026. Analysis of 947 codebases across 17 industries found that mean vulnerabilities per codebase jumped 107 percent in a single year, driven partly by AI-accelerated code generation introducing components without adequate security review. Open source appears in 98 percent of all audited codebases; two-thirds contain licence conflicts. 65 percent of surveyed organisations experienced a software supply chain attack in the past year, and only 24 percent perform comprehensive security evaluations of AI-generated code.
Open Source Attacks Move Through Normal Development Workflows, Help Net Security, February 2026. Analysis of 2025 supply chain attack patterns found that npm remained the dominant delivery channel for open source malware, with attackers compromising maintainer accounts to publish tainted updates that automated dependency tools then pulled into downstream projects. The Shai-hulud self-replicating worm demonstrated registry-native malware capable of injecting malicious code into hundreds of packages and exposing tens of thousands of downstream repositories. The bulk of secrets exposure traced to numerous smaller services rather than major providers, reflecting routine embedded-credential practices throughout the ecosystem.
Software Supply Chain Attacks Surge, Industrial Cyber, November 2025. Supply chain attacks set a new record in October 2025, more than 30 percent higher than the previous peak. Since April 2025, attacks have stayed at elevated levels, averaging more than 28 per month, more than twice the 13 monthly attacks seen between early 2024 and March 2025. IT was the most targeted sector with nearly 120 attacks. The industrial sector’s exposure increased substantially as operational technology networks became more integrated with IT supply chains.
State of open source dependencies
The 2025 Software Supply Chain Security Report, ReversingLabs, 2025. In February 2025 NIST announced it would cease enriching CVEs, removing critical information including severity scores, patching statuses, and vulnerability descriptions from AppSec teams at exactly the moment supply chain attack volumes were rising. This coincides with a breakdown in CVE reporting driven by increased volume and insufficient staffing and funding for the National Vulnerability Database. The infrastructure for tracking software vulnerabilities is itself carrying debt.
Why You Cannot Afford to Ignore Software Supply Chain Attacks, Ivanti, May 2025. Just one in three organisations feel prepared to protect themselves from software supply chain threats. 75 percent of all software supply chains reported attacks in 2024. The average organisation uses 112 SaaS applications, and each software application has 150 dependencies, 90 percent of which are indirect dependencies accounting for the vast majority of vulnerabilities. The surface area is not under control.
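The "90 percent indirect" figure above, and the Sonatype observation that patched-for-years vulnerabilities keep being downloaded, are both visible in a single lockfile once direct and transitive packages are separated. The following is an added example, not code from the page or from Ivanti or Sonatype: it parses a constructed npm lockfile (lockfileVersion 3, a flat `packages` map keyed by node_modules path with `""` for the root project), counts direct versus transitive dependencies, and matches every installed copy against a constructed advisory list with placeholder package names rather than real CVEs.

```python
"""Direct versus transitive dependencies in an npm lockfile, plus an advisory match.

Added example, not from the page or from Ivanti/Sonatype. LOCKFILE_JSON is a
constructed lockfileVersion 3 sample and ADVISORIES uses placeholder package
names and invented fixed versions, not real advisories.
"""
import json

LOCKFILE_JSON = json.dumps({
    "name": "example-app",
    "lockfileVersion": 3,
    "packages": {
        "": {"name": "example-app",
             "dependencies": {"web-framework": "^4.0.0", "logger": "^2.1.0"},
             "devDependencies": {"test-runner": "^9.0.0"}},
        "node_modules/web-framework": {"version": "4.2.1",
                                       "dependencies": {"http-parser": "^1.0.0", "tiny-util": "^0.3.0"}},
        "node_modules/http-parser": {"version": "1.4.0"},
        "node_modules/tiny-util": {"version": "0.3.7"},
        "node_modules/logger": {"version": "2.1.3", "dependencies": {"tiny-util": "^1.0.0"}},
        # logger needs a newer tiny-util, so npm nests a second, patched copy under it
        "node_modules/logger/node_modules/tiny-util": {"version": "1.0.2"},
        "node_modules/test-runner": {"version": "9.1.0", "dev": True},
    },
})

# Constructed advisories (placeholders, not real CVEs): affected below fixed_in.
ADVISORIES = [
    {"name": "tiny-util", "fixed_in": "1.0.0", "note": "placeholder: prototype pollution"},
    {"name": "http-parser", "fixed_in": "1.5.0", "note": "placeholder: request smuggling"},
]


def parse_version(v):
    """'1.4.0' -> (1, 4, 0); enough for the plain numeric versions used here."""
    return tuple(int(p) for p in v.split("."))


def package_name(path):
    """'node_modules/a/node_modules/b' -> 'b'; keeps scoped names like '@org/pkg'."""
    return path.rsplit("node_modules/", 1)[-1]


def classify(lockfile_json):
    """Return {'direct': [...], 'transitive': [...]} of (name, version, path) tuples."""
    lock = json.loads(lockfile_json)
    root = lock["packages"][""]
    direct_names = set(root.get("dependencies", {})) | set(root.get("devDependencies", {}))
    direct, transitive = [], []
    for path, meta in lock["packages"].items():
        if path == "":
            continue
        name = package_name(path)
        entry = (name, meta["version"], path)
        # Direct only when it is the top-level copy of something the root declares;
        # a nested copy of the same name is still transitive.
        if name in direct_names and path == "node_modules/" + name:
            direct.append(entry)
        else:
            transitive.append(entry)
    return {"direct": direct, "transitive": transitive}


def vulnerable(lockfile_json, advisories=ADVISORIES):
    """Every installed copy (by path) whose version is below the advisory's fixed version."""
    fixed = {a["name"]: parse_version(a["fixed_in"]) for a in advisories}
    tree = classify(lockfile_json)
    hits = []
    for kind in ("direct", "transitive"):
        for name, version, path in tree[kind]:
            if name in fixed and parse_version(version) < fixed[name]:
                hits.append({"path": path, "version": version, "kind": kind})
    return hits


if __name__ == "__main__":
    tree = classify(LOCKFILE_JSON)
    print(f"direct={len(tree['direct'])} transitive={len(tree['transitive'])}")
    for h in vulnerable(LOCKFILE_JSON):
        print("vulnerable:", h)
```

The sample reproduces the pattern the statistics describe in miniature: both advisory hits are transitive, and the fixed tiny-util release is already installed in the tree, but only as a nested copy, while the copy the framework resolves to is still the old one. Matching by installed path rather than by package name is what surfaces that.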
OWASP Top 10:2025 — A03 Software Supply Chain Failures, OWASP, 2025. Top-ranked in the Top 10 community survey with exactly 50 percent of respondents ranking it number one. Since appearing in the 2013 Top 10 as “Using Components with Known Vulnerabilities,” the risk has grown in scope to include all supply chain failures. This category has the highest average incidence rate at 5.19 percent when tested. The progression from obscure dependency risk to the single most-voted concern in a decade represents a shift in how the industry understands where the actual exposure lives.
The systems are fragile. The infrastructure is aging. A lot of configurations are wrong.
Technical debt is not a temporary problem that organisations will eventually fix. It is a structural feature of how systems are built, maintained, and evolved. Quick decisions create long-term consequences. Deferred maintenance compounds exponentially. Legacy systems persist because replacing them is harder than keeping them alive. Cloud adoption creates new categories of misconfiguration faster than security teams can address old ones. Software dependencies multiply vulnerabilities whilst appearing to simplify development.