Rampant lapses in software supply chain security don’t manifest suddenly. They build up over months and years, one out-of-date component, overly permissive account, or misconfigured API at a time. And over time, these gaps mount up, like bad credit card debt on the ledger of supply chain security.

Each charge against security technical debt may seem inconsequential, and many are incurred on purpose — “just for now” — so the DevOps team can speed up the next minimum viable product release or high-priority feature request; they figure they’ll deal with it at some future date. Most of the time, though, teams never get back to those security problems.

Andrew Barratt, vice president at the cybersecurity advisory service Coalfire, said it is arguable that almost all application security lapses come down to technical debt you were either aware of “or didn’t know you didn’t know.