Security
Software security is the practice of protecting applications and systems from threats, vulnerabilities, and unauthorized access. Security and maintainability are the same fight. Unmaintained code accumulates vulnerabilities. Outdated dependencies expand the attack surface. Poor operational practices slow incident response. Security isn't an audit you do once. It's a habit you build.
Key Statistics
- The average cost of a data breach reached $4.45 million in 2023, a 15% increase over three years. (IBM Cost of a Data Breach Report)
- 84% of codebases contain at least one known open source vulnerability, with an average of 48 vulnerabilities per codebase. (Synopsys OSSRA Report)
- The mean time to remediate critical security vulnerabilities is 60 days, with some organizations taking over 200 days. (Veracode State of Software Security Report)
- Only 36% of organizations have a mature DevSecOps practice that integrates security into the development lifecycle. (GitLab DevSecOps Survey)
Why This Matters
Security is not a feature you bolt on at the end. It's a property of well-maintained software. If your codebase is hard to change, it's also hard to secure. Teams that struggle to upgrade dependencies or patch vulnerabilities aren't just slow. They're exposed.
Here's the good news: the practices that make software maintainable also make it easier to secure. Automated dependency updates. Deployment pipeline controls. Observability. Strong on-call systems. Infrastructure-as-code. You don't have to choose between security and velocity. You just have to invest in the foundation.
On the Maintainable Software Podcast, security practitioners and engineering leaders share how they build security into their development and operational practices, from cloud resource security to deployment pipeline trust and risk tolerance.
Episodes on Security
EP-026 | October 7, 2019
Patricia Aas: Intersection of Programming & Security
EP-117 | April 4, 2022
Aran Khanna: De-risk Your Cloud Resources
EP-035 | December 16, 2019
Abby Bangser: Building Trust In Your Deployment Pipeline
EP-115 | March 21, 2022
Idit Levine: Production is the Real Test
EP-094 | March 29, 2021
Brian Scanlan: Improving Oncall Support with Meaningful Alarms
EP-155 | January 9, 2024
Hila Fish: Maintainable Infrastructure Code, Culture, and Documentation
EP-079 | December 14, 2020
Trae Robrock: Understanding Your Risk Tolerance As An Engineer
EP-014 | July 14, 2019
Steve Poling: The Real Enemy is Murphy
Frequently Asked Questions
How does security relate to software maintainability?
When code is hard to change, it's hard to patch. The teams that take months to remediate vulnerabilities are the same teams that struggle to upgrade dependencies or deploy quickly. The fix isn't a security initiative. It's a maintainability initiative. Automated testing, continuous deployment, and clean architecture make it easier to respond to threats fast.
What are the most common security risks in legacy systems?
Legacy systems face risks from outdated dependencies with known vulnerabilities, deprecated authentication mechanisms, missing input validation, unpatched operating systems, lack of encryption for data at rest and in transit, and insufficient logging and monitoring. The biggest risk is often that no one fully understands the system well enough to assess its security posture.
How do you build security into your deployment pipeline?
Integrate security checks at every stage: static analysis in CI, dependency vulnerability scanning, secrets detection, container image scanning, and automated compliance checks. Make those checks blocking above an agreed severity threshold; a scan that only reports findings is documentation, not a control. Use infrastructure-as-code to ensure consistent environments. Implement progressive rollouts and automated rollbacks. Build trust in the pipeline through transparency and monitoring, not manual gates.
What is risk tolerance in software engineering?
Risk tolerance is the level of risk an organization is willing to accept in its software systems. It varies by context. A medical device has very low risk tolerance. An internal admin tool might accept more. Understanding your risk tolerance helps you make appropriate trade-offs between speed and safety, and decide how much to invest in testing, monitoring, and redundancy.
How do you balance security with development speed?
Shift security left. Embed it into daily development work instead of treating it as a separate phase. Automated security scanning in CI/CD pipelines, security-focused code review checklists, threat modeling during design, and regular dependency updates all improve security without slowing down delivery. The key is consistency, not heroics.
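As an added example (not code from the podcast or from this page), here is a small Python pipeline gate that demonstrates two of the checks named in the deployment-pipeline answer above and in the shift-left answer here: secrets detection over a change under review, and a dependency-pinning check over a requirements file, with a severity policy that decides whether the pipeline may proceed. The credential patterns are real formats (AWS access key IDs, GitHub personal access tokens, PEM private key headers); the sample diff, the requirements file, the package list, the severity levels and the function names are this example's own assumptions, and the AWS key ID value is Amazon's documented placeholder, not a live credential.

```python
from __future__ import annotations

import math
import re
from collections import Counter
from dataclasses import dataclass

# Known credential formats. These are the real token shapes; the values scanned below are constructed.
TOKEN_PATTERNS = {
    "aws_access_key_id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "github_pat": re.compile(r"\bghp_[A-Za-z0-9]{36}\b"),
    "private_key_block": re.compile(r"-----BEGIN (?:RSA |EC |OPENSSH |DSA )?PRIVATE KEY-----"),
}
# Generic "secret-looking assignment": the name hints at a credential and the value is long enough to be one.
ASSIGNMENT = re.compile(
    r"(?i)(secret|password|passwd|token|api[_-]?key)[A-Za-z0-9_]*\s*[:=]\s*['\"]?([A-Za-z0-9/+=_\-]{16,})"
)
ENTROPY_THRESHOLD = 3.5  # bits per character; random-looking strings score above this (assumed cut-off)
PINNED = re.compile(r"^[A-Za-z0-9_.\-]+(\[[^\]]*\])?\s*==\s*\S+")  # name[extras]==exact.version


@dataclass(frozen=True)
class Finding:
    check: str
    severity: str  # "critical", "high", "medium" or "low" (severity scheme assumed for this example)
    line_no: int
    message: str


def shannon_entropy(s: str) -> float:
    """Bits per character: 0.0 for one repeated character, log2(len(s)) when every character differs."""
    if not s:
        return 0.0
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values())


def scan_secrets(text: str) -> list[Finding]:
    """Flag lines containing a known credential format, or a high-entropy value assigned to a secret-like name."""
    findings = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        hits = [name for name, pattern in TOKEN_PATTERNS.items() if pattern.search(line)]
        for name in hits:
            findings.append(Finding("secrets", "critical", line_no, f"{name} pattern"))
        if not hits:  # fall back to the entropy heuristic only when no exact format matched
            m = ASSIGNMENT.search(line)
            if m and shannon_entropy(m.group(2)) >= ENTROPY_THRESHOLD:
                findings.append(Finding("secrets", "critical", line_no,
                                        f"high-entropy value assigned to {m.group(1)}"))
    return findings


def check_pins(requirements: str) -> list[Finding]:
    """Flag dependency lines not pinned to an exact version; ranges and bare names drift without review."""
    findings = []
    for line_no, raw in enumerate(requirements.splitlines(), start=1):
        line = raw.split("#", 1)[0].strip()
        if not line or line.startswith("-"):  # blank, comment, or a pip option such as -r / --hash
            continue
        if not PINNED.match(line):
            findings.append(Finding("dependencies", "medium", line_no, f"unpinned: {line}"))
    return findings


def gate(findings: list[Finding], fail_on=("critical", "high")) -> bool:
    """True when the change may proceed; False when any finding is at or above the blocking threshold."""
    return not any(f.severity in fail_on for f in findings)


# Constructed inputs for the example. Line 3 is a low-entropy value the heuristic must NOT flag.
SAMPLE_DIFF = """\
# constructed excerpt of a change under review (not a real codebase)
DB_HOST = "db.internal"
DB_PASSWORD = "aaaaaaaaaaaaaaaaaaaa"
API_TOKEN = "x7Qp9vLm2ZkR4tYw8NcJ"
aws_access_key_id = AKIAIOSFODNN7EXAMPLE
GITHUB_TOKEN=ghp_0123456789abcdefghijABCDEFGHIJ012345
-----BEGIN RSA PRIVATE KEY-----
"""

SAMPLE_REQUIREMENTS = """\
# constructed requirements.txt for the example
requests==2.31.0
urllib3>=1.26
pyyaml
cryptography[ssh]==42.0.5
"""

if __name__ == "__main__":
    findings = scan_secrets(SAMPLE_DIFF) + check_pins(SAMPLE_REQUIREMENTS)
    for f in findings:
        print(f"{f.severity:8} {f.check:12} line {f.line_no}: {f.message}")
    print("PASS" if gate(findings) else "FAIL")
```

Two design points worth noting. The entropy heuristic runs only when no exact credential format matched, so a line never produces duplicate findings, and the threshold keeps placeholders such as a run of identical characters out of the report. The gate separates detection from policy: the same findings block the build under the default threshold because the secrets are critical, while the unpinned dependencies alone would only fail it if the team chose to include "medium" in fail_on, which is how a team moves the bar over time without rewriting the checks.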