| Field | Value |
|---|---|
| Title | Security Risk Assessment and Management as Technical Debt |
| Publication Type | Conference Paper |
| Year of Publication | 2019 |
| Authors | Rindell, Kalle; Holvitie, Johannes |
| Conference Name | 2019 International Conference on Cyber Security and Protection of Digital Services (Cyber Security) |
| Keywords | Information security, Iterative methods, iterative software development, Metrics, Organizations, portfolio-based technical debt management framework, pubcrawl, Resiliency, risk analysis, risk management, risk-based extensions, risk-based security engineering processes, Scalability, security debt, security debt management approach, security engineering techniques, security management, security of data, security risk assessment, security risk management, Software, software design, software development organizations, software engineering, software security, technical debt, technical debt management systems, Unified modeling language |
| Abstract | The endeavor to achieve software security consists of a set of risk-based security engineering processes during software development. In iterative software development, the software design typically evolves as the project matures, and the technical environment may undergo considerable changes. This increases the workload of identifying, assessing and managing the security risk in each iteration, and after every change. Besides security risk, the changes also accumulate technical debt, an allegory for postponed or sub-optimally performed work. To manage the security risk in software development efficiently, and in terms and definitions familiar to software development organizations, the concept of technical debt is extended to contain security debt. To accommodate new technical debt with potential security implications, a security debt management approach is introduced. The selected approach is an extension to a portfolio-based technical debt management framework. This includes identifying security risk in technical debt, and also provides means to expose debt by security engineering techniques that would otherwise remain hidden. The proposed approach includes risk-based extensions to prioritization mechanisms in existing technical debt management systems. Identification, management and repayment techniques are presented to identify, assess, and mitigate the security debt. |
| DOI | 10.1109/CyberSecPODS.2019.8885100 |
| Citation Key | rindell_security_2019 |