Technical debt as an indicator of software security risk: a machine learning approach for software development enterprises

Siavvas, Miltiadis; Tsoukalas, Dimitrios; Janković, Marija; Kehagias, Dionysios; Tzovaras, Dimitrios

doi:10.1080/17517575.2020.1824017

Cited by 27 publications

(19 citation statements)

References 86 publications

Supporting

Mentioning

Contrasting

Order By: Relevance

“…The main goal of the SDK4ED project is to minimize cost, development time, and complexity of lowenergy software development processes, by providing a set of innovative solutions (i.e., toolboxes) integrated into the form of an easy-to-use platform for automatic optimization and trade-off calculation among important design-time and run-time software quality attributes. More specifically, the outcome of the project so far showcases numerous research and technical achievements with respect to the optimization of the targeted quality attributes, namely Maintainability [3,5,16,37,50], Dependability [32,33,[51][52][53][54], Energy Consumption [23,24,42,67], as well as Quality Forecasting [60,61,63] and Decision Support [47,[55][56][57] throughout the overall software development cycle. The SDK4ED TD Forecasting tool, integrated into the TD Management (TDM) framework, aims to provide predictive forecasts regarding the evolution of the TD quality attribute.…”

Section: Rq : Can Data Clustering Improve the Accuracy Of Crossproject Td Forecasting?mentioning

confidence: 99%

A Clustering Approach Towards Cross-Project Technical Debt Forecasting

et al. 2021

Self Cite

View full text Add to dashboard Cite

Technical debt (TD) describes quality compromises that can yield short-term benefits but may negatively affect the quality of software products in the long run. A wide range of tools and techniques have been introduced over the years in order for the developers to be able to determine and manage TD. However, being able to also predict its future evolution is of equal importance to avoid its accumulation, and, in turn, the unlikely event of making the project unmaintainable. Although recent research endeavors have showcased the feasibility of building accurate project-specific TD forecasting models, there is a gap in the field regarding cross-project TD forecasting. Cross-project TD forecasting is of practical importance, since it would enable the application of pre-existing forecasting models on previously unknown software projects, especially new projects that do not exhibit sufficient commit history to enable the construction of project-specific models. To this end, in the present paper, we focus on cross-project TD forecasting, and we examine whether the consideration of similarities between software projects could be the key for more accurate forecasting. More specifically, we propose an approach based on data clustering. In fact, a relatively large repository of software projects is divided into clusters of similar projects with respect to their TD aspects, and specific TD forecasting models are built for each cluster, using regression algorithms. According to our approach, previously unknown software projects are assigned to one of the defined clusters and the cluster-specific TD forecasting model is applied to predict future TD values. The approach was evaluated through several experiments based on real-world applications. The results of the analysis suggest that the proposed approach comprises a promising solution for accurate cross-project TD forecasting.

show abstract

Section: Rq : Can Data Clustering Improve the Accuracy Of Crossproject Td Forecasting?mentioning

confidence: 99%

A Clustering Approach Towards Cross-Project Technical Debt Forecasting

et al. 2021

Self Cite

View full text Add to dashboard Cite

show abstract

“…1) to compute these impacts and provide useful recommendations. Throughout the SDK4ED project, several empirical studies have been conducted for reaching conclusions with respect to potential trade-offs among the three quality attributes of choice [22,[30][31][32]34]. Based on the identified trade-offs, a multi-criteria decision-making (MCDM) model that leverages concepts from fuzzy logic has been developed [38], providing information about the impacts of the suggested refactorings.…”

Section: Technical Debt Management Toolboxmentioning

confidence: 99%

Investigating the Interaction between Energy Consumption, Quality of Service, Reliability, Security, and Maintainability of Computer Systems and Networks

et al. 2021

Self Cite

View full text Add to dashboard Cite

“…Some authors refer security debt as technical debt containing a security risk [7] or potential security implications [8]. Security engineering techniques (e.g., risk analysis) are used to identify the security debt [6], [8] and security risk in software can be described [7], [11] Technical debt can be a source of security debt [1], [3], [8] Tradeoffs of security and other quality attributes (e.g., performance) might force to assume security debt [5], [14] Organizational Organization policies should prioritize security debt [12], [19] Security awareness and skills are needed to avoid security debt [8], [13] Security debt involves different stakeholders requiring discussions and decision making among them [5], [14] Consequences Business damage: High interest of the debt [8], [9], [12], [14], [16], [21] Interest will be paid mainly when someone exploit the vulnerability [8], [9], [16], [21] Paying the principal of the security debt might require to change processes [16], [19] in terms of technical debt [8], e.g., including the probability attribute to the security debt item to measure the chances that the security-related defect can be actually exploited [5].…”

Section: B Characteristicsmentioning

confidence: 99%

“…Another characteristic of security debt is that traditional technical debt can be the source of security debt, e.g., suboptimal internal quality in a security critical software component [8]. Under this hypothesis, the correlation between technical debt indicators and software vulnerabilities can identify security debt [1], [3].…”

Section: B Characteristicsmentioning

confidence: 99%

“…Across the product life-cycle All the stages/disciplines are subject to generate security debt [6]- [8], [10], [13], [14] Identification of security debt is a continuous process [7], [11] Risk management Extending security risk management to manage security debt [7], [8], [11] Risk assessment can be used to quantify and prioritize the items [7]- [9], [12] Identification techniques Security V&V can help to identify security debt [8] Assurance can help to identify security debt [5], [7] Technical debt indicators can help to identify security debt [1], [3], [8] Instances SecDevOps [9] Cybersecurity framework extended with Security debt [5] As mentioned in Section III-B, the identification of security debt should be a continuous process across the product lifecycle [7]. It is not appropriate to think of security as a component that can be added after the product is built, or that it is a quality attribute that can be checked just once.…”

Section: Table Iii: Security Debt In the Product Life-cycle (Rq2) Characteristic Referencesmentioning

confidence: 99%

See 1 more Smart Citation

Security Debt: Characteristics, Product Life-Cycle Integration and Items

Martínez

Quintano

Ruíz

et al. 2021

2021 IEEE/ACM International Conference on Technical Debt (TechDebt)

View full text Add to dashboard Cite

Industries from very diverse domains are realising that security should not be treated in a reactive way (e.g., once the cyberattack has happened). This way, security-related requirements and risks need to be continuously managed, and the need of integrating technical measures should be continuously assessed. In some cases, some decisions led, intentionally or unintentionally, to debt related to security aspects. This security debt is thus incurred when limited approaches or solutions are applied to reach the expected security levels of the system in operation. Identifying and making explicit security debt items is a challenge for companies. In this work, we analyse the literature on security debt to provide initial insights on the topic. Concretely, we discuss its definition, identify its most salient characteristics, present approaches for integrating its management in the product life-cycle, and to present categories and examples of security debt items.

show abstract

Technical debt as an indicator of software security risk: a machine learning approach for software development enterprises

Cited by 27 publications

References 86 publications

A Clustering Approach Towards Cross-Project Technical Debt Forecasting

A Clustering Approach Towards Cross-Project Technical Debt Forecasting

Investigating the Interaction between Energy Consumption, Quality of Service, Reliability, Security, and Maintainability of Computer Systems and Networks

Security Debt: Characteristics, Product Life-Cycle Integration and Items

Contact Info

Product

Resources

About