Title | A Position Study to Investigate Technical Debt Associated with Security Weaknesses |
Publication Type | Conference Paper |
Year of Publication | 2018 |
Authors | Izurieta, C., Kimball, K., Rice, D., Valentien, T. |
Conference Name | 2018 IEEE/ACM International Conference on Technical Debt (TechDebt) |
Keywords | catching vulnerabilities, common weakness enumeration, common weakness scoring system, Companies, CWSS scores, decidedly negative impacts, design level CWE, exploitable weaknesses, five-step approach, Human Behavior, Metrics, policy-based governance, potential security breaches, pubcrawl, quality assurance, Quamoco quality model, resilience, scoring mechanism, security, security of data, security weaknesses, Software, software development management, software lifecycle, Software measurement, software quality, static analysis, TD, technical debt, Tools |
Abstract | Context: Managing technical debt (TD) associated with potential security breaches found during design can lead to catching vulnerabilities (i.e., exploitable weaknesses) earlier in the software lifecycle, thus anticipating TD principal and interest that can have decidedly negative impacts on businesses. Goal: To establish an approach to help assess TD associated with security weaknesses by leveraging the Common Weakness Enumeration (CWE) and its scoring mechanism, the Common Weakness Scoring System (CWSS). Method: We present a position study with a five-step approach employing the Quamoco quality model to operationalize the scoring of architectural CWEs. Results: We use static analysis to detect design-level CWEs, calculate their CWSS scores, and provide a relative ranking of weaknesses that helps practitioners identify the highest risks in an organization with a potential to impact TD. Conclusion: CWSS is a community-agreed-upon method that should be leveraged to help inform the ranking of security-related TD items. |
Citation Key | izurieta_position_2018 |
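The abstract's "calculate their CWSS scores, and provide a relative ranking" step, as an added example that is not code from the paper or its authors: a scorer for the CWSS 1.0.1 formula as published by MITRE (Base Finding x Attack Surface x Environmental, with the f(TI) and f(BI) gating terms), a parser for the CWSS vector notation in which each token carries its own numeric value, and a ranker over a set of findings. The three findings, their IDs, the CWE assignments and the assessor vectors are constructed for illustration; the third one uses Technical Impact "None" to show that the gating term zeroes the whole score even when every other factor is at its maximum.

```python
"""CWSS 1.0.1 scorer and ranker for CWE findings (added example, not from the paper)."""
import re
from dataclasses import dataclass

# CWSS 1.0.1 metric groups. Each vector token is FACTOR:OPTION,VALUE; the
# numeric value carried in the vector is what the formula consumes, so a
# quantified value works the same way as an enumerated option.
BASE_FACTORS = ("TI", "AP", "AL", "IC", "FC")
ATTACK_SURFACE_FACTORS = ("RP", "RL", "AV", "AS", "IN", "SC")
ENVIRONMENTAL_FACTORS = ("BI", "DI", "EX", "EC", "P")
ALL_FACTORS = BASE_FACTORS + ATTACK_SURFACE_FACTORS + ENVIRONMENTAL_FACTORS

_TOKEN = re.compile(r"^([A-Z]{1,2}):([A-Za-z]+),(\d+(?:\.\d+)?)$")


def parse_vector(vector: str) -> dict:
    """Parse a CWSS vector string into {factor: value}.

    Rejects malformed tokens, unknown or duplicated factors, out-of-range
    values and incomplete vectors, so the scorer never silently scores a
    finding on factors it was not actually given.
    """
    factors = {}
    for token in vector.split("/"):
        m = _TOKEN.match(token.strip())
        if m is None:
            raise ValueError(f"malformed CWSS token: {token!r}")
        name, _option, value = m.groups()
        if name not in ALL_FACTORS:
            raise ValueError(f"unknown CWSS factor: {name}")
        if name in factors:
            raise ValueError(f"duplicate CWSS factor: {name}")
        v = float(value)
        if not 0.0 <= v <= 1.0:
            raise ValueError(f"factor {name} value {v} outside [0, 1]")
        factors[name] = v
    missing = sorted(set(ALL_FACTORS) - factors.keys())
    if missing:
        raise ValueError(f"vector missing factors: {missing}")
    return factors


def _nonzero(x: float) -> float:
    """f(x) in the CWSS spec: 0 when the impact is None, 1 otherwise."""
    return 0.0 if x == 0.0 else 1.0


def base_finding(f: dict) -> float:
    """Base Finding subscore, range 0..100."""
    return ((10 * f["TI"] + 5 * (f["AP"] + f["AL"]) + 5 * f["FC"])
            * _nonzero(f["TI"]) * f["IC"]) * 4.0


def attack_surface(f: dict) -> float:
    """Attack Surface subscore, range 0..1."""
    return (20 * (f["RP"] + f["RL"] + f["AV"]) + 20 * f["SC"]
            + 15 * f["IN"] + 5 * f["AS"]) / 100.0


def environmental(f: dict) -> float:
    """Environmental subscore, range 0..1."""
    return ((10 * f["BI"] + 3 * f["DI"] + 4 * f["EX"] + 3 * f["P"])
            * _nonzero(f["BI"]) * f["EC"]) / 20.0


def cwss_score(vector: str) -> float:
    """Overall CWSS score, range 0..100."""
    f = parse_vector(vector)
    return base_finding(f) * attack_surface(f) * environmental(f)


@dataclass(frozen=True)
class Finding:
    finding_id: str  # hypothetical tracker ID
    cwe: str
    vector: str


def rank_findings(findings) -> list:
    """Return (score, finding_id, cwe) tuples, highest CWSS first."""
    scored = [(cwss_score(fd.vector), fd.finding_id, fd.cwe) for fd in findings]
    return sorted(scored, key=lambda t: t[0], reverse=True)


# Constructed sample findings (not from the paper): three design-level
# weaknesses a static analyser might flag, each with an assessor's vector.
SAMPLE_FINDINGS = [
    Finding("F-1", "CWE-284",
            "TI:H,0.9/AP:A,1.0/AL:A,1.0/IC:N,1.0/FC:T,1.0/"
            "RP:RU,0.7/RL:A,1.0/AV:I,1.0/AS:N,1.0/IN:A,1.0/SC:A,1.0/"
            "BI:H,0.9/DI:H,1.0/EX:H,1.0/EC:N,1.0/P:NA,1.0"),
    Finding("F-2", "CWE-311",
            "TI:M,0.6/AP:RU,0.7/AL:A,1.0/IC:L,0.9/FC:LT,0.8/"
            "RP:N,1.0/RL:A,1.0/AV:L,0.5/AS:W,0.9/IN:M,0.8/SC:M,0.9/"
            "BI:M,0.6/DI:M,0.6/EX:M,0.6/EC:M,0.7/P:C,0.8"),
    # Technical Impact "None": f(TI) = 0 gates the Base Finding subscore to 0.
    Finding("F-3", "CWE-602",
            "TI:N,0.0/AP:A,1.0/AL:A,1.0/IC:N,1.0/FC:T,1.0/"
            "RP:N,1.0/RL:A,1.0/AV:I,1.0/AS:N,1.0/IN:A,1.0/SC:A,1.0/"
            "BI:H,0.9/DI:H,1.0/EX:H,1.0/EC:N,1.0/P:W,1.0"),
]

if __name__ == "__main__":
    for score, fid, cwe in rank_findings(SAMPLE_FINDINGS):
        print(f"{fid} {cwe}: {score:.2f}")
```

The parser is strict on purpose: a ranking used to prioritize TD items is only as trustworthy as its inputs, and a vector with a missing or duplicated factor should fail loudly rather than be scored against defaults. Because the numeric value is taken from the vector itself, the same code handles both the enumerated option values and quantified values without an option-name table.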