A4 Article in conference proceedings

Security risk assessment and management as technical debt




List of Authors: Rindell K., Holvitie J.

Conference name: International Conference on Cyber Security and Protection of Digital Services

Publisher: Institute of Electrical and Electronics Engineers Inc.

Publication year: 2019

Book title *: 2019 International Conference on Cyber Security and Protection of Digital Services (Cyber Security)

Journal name in source: 2019 International Conference on Cyber Security and Protection of Digital Services, Cyber Security 2019

ISBN: 978-1-7281-0230-6

eISBN: 978-1-7281-0229-0

DOI: http://dx.doi.org/10.1109/CyberSecPODS.2019.8885100


Abstract

The endeavor to achieving software security consists of a set of
risk-based security engineering processes during software development.
In iterative software development, the software design typically evolves
as the project matures, and the technical environment may undergo
considerable changes. This increases the work load of identifying,
assessing and managing the security risk by each iteration, and after
every change. Besides security risk, the changes also accumulate
technical debt, an allegory for postponed or sub-optimally performed
work. To manage the security risk in software development efficiently,
and in terms and definitions familiar to software development
organizations, the concept of technical debt is extended to contain
security debt. To accommodate new technical debt with potential security
implications, a security debt management approach is introduced. The
selected approach is an extension to portfolio-based technical debt
management framework. This includes identifying security risk in
technical debt, and also provides means to expose debt by security
engineering techniques that would otherwise remained hidden. The
proposed approach includes risk-based extensions to prioritization
mechanisms in existing technical debt management systems.
Identification, management and repayment techniques are presented to
identify, assess, and mitigate the security debt.


Last updated on 2021-24-06 at 10:41