A composed technical debt identification methodology to predict software vulnerabilities

“…Some authors refer security debt as technical debt containing a security risk [7] or potential security implications [8]. Security engineering techniques (e.g., risk analysis) are used to identify the security debt [6], [8] and security risk in software can be described [7], [11] Technical debt can be a source of security debt [1], [3], [8] Tradeoffs of security and other quality attributes (e.g., performance) might force to assume security debt [5], [14] Organizational Organization policies should prioritize security debt [12], [19] Security awareness and skills are needed to avoid security debt [8], [13] Security debt involves different stakeholders requiring discussions and decision making among them [5], [14] Consequences Business damage: High interest of the debt [8], [9], [12], [14], [16], [21] Interest will be paid mainly when someone exploit the vulnerability [8], [9], [16], [21] Paying the principal of the security debt might require to change processes [16], [19] in terms of technical debt [8], e.g., including the probability attribute to the security debt item to measure the chances that the security-related defect can be actually exploited [5].…”

“…Another characteristic of security debt is that traditional technical debt can be the source of security debt, e.g., suboptimal internal quality in a security critical software component [8]. Under this hypothesis, the correlation between technical debt indicators and software vulnerabilities can identify security debt [1], [3].…”

“…Across the product life-cycle All the stages/disciplines are subject to generate security debt [6]- [8], [10], [13], [14] Identification of security debt is a continuous process [7], [11] Risk management Extending security risk management to manage security debt [7], [8], [11] Risk assessment can be used to quantify and prioritize the items [7]- [9], [12] Identification techniques Security V&V can help to identify security debt [8] Assurance can help to identify security debt [5], [7] Technical debt indicators can help to identify security debt [1], [3], [8] Instances SecDevOps [9] Cybersecurity framework extended with Security debt [5] As mentioned in Section III-B, the identification of security debt should be a continuous process across the product lifecycle [7]. It is not appropriate to think of security as a component that can be added after the product is built, or that it is a quality attribute that can be checked just once.…”

“…The third one is the technical debt management process. As presented in Section III-B, recent works try to correlate technical debt indicators to security risks [1], [3], [8].…”

“…At the end, the total number of relevant publications from which data was extracted were 22. Those originated from the database search after the filters and not excluded after reading were [1]- [17], and the not excluded ones originated from the snowballing were [18]- [22].…”

Security Debt: Characteristics, Product Life-Cycle Integration and Items

“…Some authors refer security debt as technical debt containing a security risk [7] or potential security implications [8]. Security engineering techniques (e.g., risk analysis) are used to identify the security debt [6], [8] and security risk in software can be described [7], [11] Technical debt can be a source of security debt [1], [3], [8] Tradeoffs of security and other quality attributes (e.g., performance) might force to assume security debt [5], [14] Organizational Organization policies should prioritize security debt [12], [19] Security awareness and skills are needed to avoid security debt [8], [13] Security debt involves different stakeholders requiring discussions and decision making among them [5], [14] Consequences Business damage: High interest of the debt [8], [9], [12], [14], [16], [21] Interest will be paid mainly when someone exploit the vulnerability [8], [9], [16], [21] Paying the principal of the security debt might require to change processes [16], [19] in terms of technical debt [8], e.g., including the probability attribute to the security debt item to measure the chances that the security-related defect can be actually exploited [5].…”

“…Another characteristic of security debt is that traditional technical debt can be the source of security debt, e.g., suboptimal internal quality in a security critical software component [8]. Under this hypothesis, the correlation between technical debt indicators and software vulnerabilities can identify security debt [1], [3].…”

“…Across the product life-cycle All the stages/disciplines are subject to generate security debt [6]- [8], [10], [13], [14] Identification of security debt is a continuous process [7], [11] Risk management Extending security risk management to manage security debt [7], [8], [11] Risk assessment can be used to quantify and prioritize the items [7]- [9], [12] Identification techniques Security V&V can help to identify security debt [8] Assurance can help to identify security debt [5], [7] Technical debt indicators can help to identify security debt [1], [3], [8] Instances SecDevOps [9] Cybersecurity framework extended with Security debt [5] As mentioned in Section III-B, the identification of security debt should be a continuous process across the product lifecycle [7]. It is not appropriate to think of security as a component that can be added after the product is built, or that it is a quality attribute that can be checked just once.…”

“…The third one is the technical debt management process. As presented in Section III-B, recent works try to correlate technical debt indicators to security risks [1], [3], [8].…”

“…At the end, the total number of relevant publications from which data was extracted were 22. Those originated from the database search after the filters and not excluded after reading were [1]- [17], and the not excluded ones originated from the snowballing were [18]- [22].…”

Security Debt: Characteristics, Product Life-Cycle Integration and Items

Forecasting technical debt evolution in software systems: an empirical study

A memory-related vulnerability detection approach based on vulnerability model with Petri Net