Security risk assessment and management as technical debt
Authors: Rindell K., Holvitie J.
Conference: International Conference on Cyber Security and Protection of Digital Services
Publisher: Institute of Electrical and Electronics Engineers Inc.
Year: 2019
Published in: 2019 International Conference on Cyber Security and Protection of Digital Services (Cyber Security)
Event: 2019 International Conference on Cyber Security and Protection of Digital Services, Cyber Security 2019
ISBN: 978-1-7281-0230-6
ISBN: 978-1-7281-0229-0
DOI: https://doi.org/10.1109/CyberSecPODS.2019.8885100
The endeavor to achieve software security consists of a set of
risk-based security engineering processes during software development.
In iterative software development, the software design typically evolves
as the project matures, and the technical environment may undergo
considerable changes. This increases the workload of identifying,
assessing and managing the security risk in each iteration and after
every change. Besides security risk, the changes also accumulate
technical debt, a metaphor for postponed or sub-optimally performed
work. To manage the security risk in software development efficiently,
and in terms and definitions familiar to software development
organizations, the concept of technical debt is extended to contain
security debt. To accommodate new technical debt with potential security
implications, a security debt management approach is introduced. The
selected approach is an extension to a portfolio-based technical debt
management framework. It includes identifying security risk in
technical debt, and also provides means to expose, by security
engineering techniques, debt that would otherwise remain hidden. The
proposed approach includes risk-based extensions to the prioritization
mechanisms in existing technical debt management systems.
Identification, management and repayment techniques are presented to
identify, assess and mitigate the security debt.