A technical debt compendium
Or, everything you need to understand why most infrastructure is one Windows XP machine away from catastrophe
This page collects resources for understanding technical security debt.
The scale of the problem
The Hidden Cost of Technical Debt: How Legacy Code Creates Security Blindspots, Security Journey, November 2024. Comprehensive examination of how legacy code creates security vulnerabilities. Points out that legacy systems are like old houses: functional on the surface but harbouring hidden problems. Discusses outdated dependencies, poor documentation, and unknown unknowns that make legacy systems security nightmares.
What are the hidden costs of maintaining legacy systems?, RecordPoint, August 2025. According to Gartner, by 2025 companies will spend 40 percent of their IT budgets on maintaining technical debt. Notes that in 2019, the U.S. Federal government spent 80 percent of IT budget on operations and maintenance of aging legacy systems. Discusses the Microsoft Midnight Blizzard attack where upper management fell victim to a legacy system vulnerability, proving even sophisticated tech companies aren’t immune.
Managing Technical Debt in 2025: Strategies for Legacy Systems and Cloud Readiness, IT Convergence, October 2025. Sources predict that by 2027, 75 percent of organisations will face systemic failures due to unmanaged technical debt. IDC’s 2025 research shows 47 percent of IT leaders cite technical debt as major contributor to overspending on cloud and digital infrastructure. Gartner notes around 40 percent of infrastructure systems across asset classes already carry significant technical debt burden.
2025 Legacy Code Stats: Costs, Risks & Modernization, Pragmatic Coders, September 2025. U.S. poor software quality cost reached 2.41 trillion dollars in 2022, with accumulated technical debt at 1.52 trillion dollars. 70 percent of banks globally still rely on legacy systems as of 2025. Over 43 percent of global banking systems continue to utilise COBOL, a programming language developed in the late 1950s. 95 percent of ATM swipes processed using COBOL-based systems with 220 billion lines of COBOL code still in operation.
The Hidden Costs and Risks of Legacy Systems, Morphis Tech, June 2025. In 2024, Microsoft suffered a breach when state-sponsored hackers found a forgotten legacy system and test account. By 2025, 40 percent of IT budgets will go to maintaining technical debt according to Gartner, with application costs alone making up to 80 percent of that spend. That’s money that could fuel innovation instead of keeping outdated tech on life support.
Government and critical infrastructure
Your critical infrastructure is running out of time, Help Net Security, November 2025. Cisco report shows nearly half of global business network assets were already ageing or obsolete as of 2020. In the United Kingdom, 228 legacy systems were identified across government in 2024, with over one in four carrying high likelihood of operational or security failure. U.S. government spent 100 billion dollars on IT and cybersecurity in 2023, with 80 billion dollars going toward operating and maintaining existing systems including legacy environments. Large companies lose 9,000 dollars for every minute of system outages, with 56 percent of downtime stemming from cybersecurity incidents.
Agencies Need to Continue Addressing Critical Legacy Systems, Mlogica, 2025. IRS still relies on applications over 60 years old written in antiquated programming languages like COBOL and Assembler. These legacy systems create significant security risks, slow operations, and make implementing policy changes difficult. Moreover, many require specialised personnel with decades-old programming knowledge, an increasingly scarce skill set. Department of Transportation and OPM operate legacy systems facing similar challenges.
Addressing Technical Debt: A Growing Necessity for Federal Agencies, AFCEA International, 2025. April 2025 Subcommittee hearing found approximately 80 percent of the federal government’s 100 billion dollar IT and cybersecurity budget goes toward operating and maintaining systems, including outdated, obsolete legacy systems. Wall Street Journal noted technical debt costs the United States 2.41 trillion dollars yearly. Qualys Threat Research Unit found 20 percent of federal agency assets contain high-risk end-of-support software. 48 percent of vulnerabilities on CISA’s Known Exploited Vulnerabilities list are found in end-of-support software, which is four times more likely to be weaponised by attackers.
Identity and access management debt
IAM tech debt: Balancing modernization and legacy identity infrastructure, Security Boulevard, December 2024. According to Gartner, IAM technical debt impacts quality, delivery timelines, and budgets of IAM teams. Companies often prioritise new features over fixing legacy identity controls, resulting in significant security vulnerabilities, unmet IAM objectives, and dissatisfied stakeholders. Many early identity systems relied on simple username and password databases with credentials stored inside individual applications. Legacy companies, especially in banking or manufacturing, have layered multiple identity solutions over years without full integration, resulting in fragmented IAM environments.
Cloud misconfiguration: the epidemic nobody seems to want to discuss
Resources examining how cloud adoption created a new category of technical debt through misconfiguration and complexity.
The misconfiguration crisis
Cloud Misconfiguration: The #1 Cause of Data Breaches 2025, Fidelis Security, November 2025. IBM’s research shows global average cost of data breach reached 4.44 million dollars in 2025, with U.S. companies facing 10.22 million dollars per incident. CISA issued Binding Operational Directive 25-01 in December 2024 mandating federal agencies secure cloud environments specifically due to widespread cloud misconfigurations exposing sensitive data. Human errors are primary root cause of cloud misconfigurations, responsible for 99 percent of related security issues.
Cloud Security is Failing in 2025 Due to Misconfigurations, Cloud PSO, May 2025. Average breach cost due to misconfigurations is approximately 4.88 million dollars globally. Breaches involving remote work can cost even more, averaging 4.99 million dollars. Carnegie Mellon study estimates average 8 percent increase in U.S. electricity bills by 2030 due to data centres, with potential increases exceeding 25 percent in high-demand markets.
Cloud Misconfigurations: Still the Biggest Threat in 2025?, RSA Conference, 2025. SentinelOne found almost 23 percent of cloud security incidents stem from misconfigurations. Cloud Security Alliance’s latest Top Threats report listed “Misconfiguration and inadequate change control” as number one cloud threat above even zero-day attacks. Clouds are big, dynamic, and easy to deploy, which means they’re prone to human error. Lack of visibility or expertise means settings get overlooked.
50+ Cloud Security Statistics in 2025, SentinelOne, three weeks ago. Organisations now see 1,925 cyberattacks per week, a 47 percent jump from 2024. Ransomware incidents surged 126 percent in Q1 2025 alone. 27 percent of organisations using public clouds faced security incidents in 2024, up 10 percent from the year before, including an average of 43 misconfigurations per account. Average time to detect a cloud breach is still 277 days.
Major breach case studies
Case Study: Inadequate Configuration & Change Control, Cloud Security Alliance, 2025. Football Australia 2024 breach resulted from developers misconfiguring AWS S3 buckets. Misconfigured AWS S3 buckets are the leading cause of cloud data leaks. Publicly available IoT search tools like Shodan, Binary Edge, and Grayhat Warfare make it relatively easy to find unprotected data repositories. In 2023, researchers estimated the average cost of data breach notifications was 370,000 US dollars.
60+ Cloud Security Statistics: Quick Facts for 2025, Sprinto, October 2025. By 2025, 80 percent of companies had experienced cloud security breach in past year. 60 percent of organisations reported public-cloud incidents in 2024. Dell brute force attack in 2024 exposed 49 million records. Toyota misconfiguration in 2023 exposed 260,000 customer records. Real Estate Wealth Network leak in 2023 exposed 1.5 billion records. McDonald’s cyber incident in 2025 leaked 64 million job applicant records via chatbot compromise.
100+ Cloud Security Statistics for 2025, Spacelift, October 2025. Cloud security incidents have affected 80 percent of companies in past year. More than 60 percent of organisations experienced security incidents related to public cloud usage in 2024. In 2024, phishing was most prevalent cloud security breach, affecting 73 percent of organisations. Preventing cloud misconfigurations was top security priority for over half of companies in 2023. Public sector (88 percent) and startups (89 percent) were main victims of cloud security breaches in 2023.
Detecting and Remediating Misconfigurations in Cloud Environments, Cyber Security News, May 2025. Misconfigurations have emerged as critical vulnerability, accounting for 23 percent of cloud security incidents and 81 percent of cloud-related breaches in 2024. Capital One breach in 2025 exposed 100 million records due to misconfigured firewall. Cloud Security Alliance study revealed 82 percent of enterprises experienced security incidents from misconfigurations. With misconfiguration-related breaches projected to cost enterprises 5 trillion dollars annually by 2026, time for action is now.
61 Cloud Security Statistics You Must Know in 2025, Exabeam, one month ago. 80 percent of companies experienced serious cloud security issue in 2023. Average cost of data breach is 4.35 million dollars. 51 percent of organisations plan to increase cloud security investments. 23 percent of cloud security incidents stem from misconfigurations. 89 percent of businesses impacted by misconfigurations were startups. 45 percent of data breaches occur in cloud. 56 percent of organisations struggle to secure data across multi-cloud environments. 45 percent lack qualified staff to manage multi-cloud security.
Top 10 Cloud Misconfigurations to Avoid and How to Fix Them, SecPod, July 2025. IBM X-Force Threat Intelligence Index 2024 found misconfigured cloud services were involved in nearly 25 percent of cloud security incidents, second only to stolen credentials. Verizon’s 2024 DBIR notes that errors, including misconfigurations, account for nearly 30 percent of breaches. 43 percent of cloud-infrastructure secrets exposed in public repos were Google Cloud API keys according to 2025 Verizon DBIR. Median time to remediate leaked secrets is 94 days. According to Cloudwards (2024), only 11 percent of businesses encrypt almost all their cloud data.
Software supply chain: dependency hell and cascading failures
Resources examining vulnerabilities in software dependencies and supply chain attacks.
The supply chain crisis
The 2025 Software Supply Chain Security Report, ReversingLabs, 2025. 2024 saw Common Vulnerabilities and Exposures system for tracking software flaws falter, missing critical information needed by security teams. NIST announced in February it would cease enriching CVEs, hobbling AppSec teams by denying them critical information like severity scores, patching statuses, and vulnerability descriptions. This coincides with breakdown in CVE reporting system driven by increased volume of CVEs and insufficient staffing and funding for National Vulnerability Database.
Why You Can’t Afford to Ignore Software Supply Chain Attacks, Ivanti, May 2025. Ivanti’s 2025 State of Cybersecurity Report revealed just 1 in 3 organisations feel prepared to protect themselves from software supply chain threats. 75 percent of all software supply chains reported attacks in 2024. Gartner predicted 45 percent of organisations will have experienced a software supply chain attack by 2025. A single organisation uses an average of 112 SaaS applications according to the 2024 BetterCloud report. Each software application has 150 dependencies, 90 percent of which are indirect dependencies accounting for the vast majority of vulnerabilities.
Securing software supply chains: how to safeguard against hidden dependencies, World Economic Forum, January 2025. July 2024 IT outage saw flawed update to cloud-based security software trigger malfunctions in 8.5 million Microsoft Windows devices, disrupting airlines, banks, broadcasters, healthcare systems, and payment infrastructure worldwide. Global Cybersecurity Outlook 2025 demonstrated that vulnerabilities arising from complex supply chain interdependencies are primary concern for business and cyber leaders. EU Cyber Resilience Act mandates third-party supplier assessments with non-compliance penalties of up to 15 million euros or 2.5 percent of organisation’s global revenue.
The Hidden Danger in Your Software: Understanding Supply Chain Attacks, RSA Conference, 2024. More than 75 percent of software supply chains experienced cyberattacks in 2024. North Korean threat actors were able to implant malicious code into trading software at 3CX. An employee downloaded that trading software onto a laptop, allowing the threat actors to gain access to the build environment and the application’s desktop, where they placed another implant that was subsequently downloaded by customers.
A03 Software Supply Chain Failures, OWASP Top 10:2025 RC1, 2025. Top-ranked in the Top 10 community survey, with exactly 50 percent of respondents ranking it number one. Since appearing in the 2013 Top 10 as “Using Components with Known Vulnerabilities,” the risk has grown in scope to include all supply chain failures. Only 11 CVEs have related CWEs, but when tested this category has the highest average incidence rate at 5.19 percent.
State of open source dependencies
State of the Software Supply Chain Report, Sonatype, 2024. Log4Shell demonstrated how vulnerabilities in seemingly obscure open source component could ripple through entire software ecosystem. Over 300,000 projects had slowed or halted their release cadence by 2024, indicating burnout, resource shortages, or shifting priorities. In 2017, mean time to remediate vulnerabilities was relatively short with some fixes in under 25 days. By 2023 and 2024, delays increased significantly with some projects taking over 400 days to release secure updates. In 2024, several projects had average fix times exceeding 300 days, with one reaching 470 days.
2024 State of the Software Supply Chain, Sonatype, 2024. Number of malicious packages grew 156 percent year-over-year. JavaScript (npm) accounted for a staggering 4.5 trillion requests in 2024, representing 70 percent year-over-year growth. 13 percent of Log4j downloads remain vulnerable three years after the Log4Shell vulnerability was exposed. 80 percent of application dependencies remain un-upgraded for over a year, even though 95 percent of these vulnerable versions have safer alternatives readily available. Even when updates are applied, 3.6 percent of dependencies are still vulnerable because they were updated to another insecure version.
Software supply chain attacks surge, as ransomware groups escalate and industrial sectors face more exposure, Industrial Cyber, November 2025. Cyble shows software supply chain attacks surged in October 2025, setting new record more than 30 percent higher than previous peak in April. Since April, supply chain attacks stayed at elevated levels, averaging more than 28 per month, more than twice the 13 monthly attacks seen between early 2024 and March 2025. IT was most targeted sector with nearly 120 attacks.
Top 5 Software Supply Chain Security Threats To Watch in 2025, Finite State, February 2025. In March 2024, Check Point reported discovering 500 malicious typosquatted PyPi packages. Use of these typosquatted packages by developers introduced unwanted functionality into applications, resulting in project compromise. Ransomware remains highly profitable and disruptive, but modern attacks have evolved beyond simple file encryption. Threat actors now leverage supply chain vulnerabilities to compromise multiple organisations simultaneously.
The systems are fragile. The infrastructure is aging. A lot of configurations are wrong.
Technical debt is not a temporary problem that organisations will eventually fix. It’s a structural feature of how systems are built, maintained, and evolved. Quick decisions create long-term consequences. Deferred maintenance compounds exponentially. Legacy systems persist because replacing them is harder than keeping them alive. Cloud adoption creates new categories of misconfiguration faster than security teams can address old ones. Software dependencies multiply vulnerabilities whilst appearing to simplify development.