A Position Study to Investigate Technical Debt Associated with Security Weaknesses

Title: A Position Study to Investigate Technical Debt Associated with Security Weaknesses
Publication Type: Conference Paper
Year of Publication: 2018
Authors: Izurieta, C., Kimball, K., Rice, D., Valentien, T.
Conference Name: 2018 IEEE/ACM International Conference on Technical Debt (TechDebt)
Keywords: catching vulnerabilities, common weakness enumeration, common weakness scoring system, Companies, CWSS scores, decidedly negative impacts, design level CWE, exploitable weaknesses, five-step approach, Human Behavior, Metrics, policy-based governance, potential security breaches, pubcrawl, quality assurance, Quamoco quality model, resilience, scoring mechanism, security, security of data, security weaknesses, Software, software development management, software lifecycle, Software measurement, software quality, static analysis, TD, technical debt, Tools
Abstract: Context: Managing technical debt (TD) associated with potential security breaches found during design can lead to catching vulnerabilities (i.e., exploitable weaknesses) earlier in the software lifecycle; thus, anticipating TD principal and interest that can have decidedly negative impacts on businesses. Goal: To establish an approach to help assess TD associated with security weaknesses by leveraging the Common Weakness Enumeration (CWE) and its scoring mechanism, the Common Weakness Scoring System (CWSS). Method: We present a position study with a five-step approach employing the Quamoco quality model to operationalize the scoring of architectural CWEs. Results: We use static analysis to detect design level CWEs, calculate their CWSS scores, and provide a relative ranking of weaknesses that help practitioners identify the highest risks in an organization with a potential to impact TD. Conclusion: CWSS is a community agreed upon method that should be leveraged to help inform the ranking of security related TD items.
Citation Key: izurieta_position_2018
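The Results step of the abstract (score each detected design-level CWE with CWSS, then rank the findings) as a worked example. This is added code, not the authors' tooling or any artifact of the paper: it implements the CWSS 1.0.1 formula (Base Finding subscore x Attack Surface subscore x Environmental subscore, including the f(TechnicalImpact) and f(BusinessImpact) gates that zero a score). The numeric factor weights used in the sample findings are the CWSS 1.0.1 level weights as recalled here and should be verified against MITRE's published tables before use; the three findings and their factor values are constructed sample data, not results from the paper.

```python
"""CWSS-style scoring and ranking of design-level CWE findings.

Added example (not from Izurieta et al.). Implements the CWSS 1.0.1 three-subscore
formula; factor weights in the sample data are recalled from MITRE's CWSS 1.0.1
tables and must be checked against the specification. Sample findings are constructed.
"""
from dataclasses import dataclass


@dataclass
class Finding:
    cwe: str
    # Base Finding group (all weights are 0.0..1.0 as in the CWSS tables)
    technical_impact: float
    acquired_privilege: float
    acquired_privilege_layer: float
    internal_control: float       # Internal Control Effectiveness
    finding_confidence: float
    # Attack Surface group
    required_privilege: float
    required_privilege_layer: float
    access_vector: float
    authentication_strength: float
    interaction: float            # Level of Interaction
    deployment_scope: float
    # Environmental group
    business_impact: float
    discovery_likelihood: float
    exploit_likelihood: float
    external_control: float       # External Control Effectiveness
    prevalence: float


def base_finding(f: Finding) -> float:
    """Base Finding subscore, 0..100. f(TI) zeroes it when there is no technical impact."""
    gate = 0.0 if f.technical_impact == 0 else 1.0
    return (10 * f.technical_impact
            + 5 * (f.acquired_privilege + f.acquired_privilege_layer)
            + 5 * f.finding_confidence) * gate * f.internal_control * 4.0


def attack_surface(f: Finding) -> float:
    """Attack Surface subscore, 0..1."""
    return (20 * (f.required_privilege + f.required_privilege_layer + f.access_vector)
            + 20 * f.deployment_scope
            + 15 * f.interaction
            + 5 * f.authentication_strength) / 100.0


def environmental(f: Finding) -> float:
    """Environmental subscore, 0..1. f(BI) zeroes it when there is no business impact."""
    gate = 0.0 if f.business_impact == 0 else 1.0
    return (10 * f.business_impact
            + 3 * f.discovery_likelihood
            + 4 * f.exploit_likelihood
            + 3 * f.prevalence) * gate * f.external_control / 20.0


def cwss_score(f: Finding) -> float:
    """Overall CWSS score, 0..100, rounded to one decimal as CWSS scores are usually reported."""
    return round(base_finding(f) * attack_surface(f) * environmental(f), 1)


def rank_findings(findings):
    """Return [(cwe, score), ...] sorted highest score first: the relative ranking a TD backlog needs."""
    return sorted(((f.cwe, cwss_score(f)) for f in findings), key=lambda t: t[1], reverse=True)


# Constructed sample findings (level names in comments, weights per CWSS 1.0.1 as recalled).
SAMPLE_FINDINGS = [
    Finding("CWE-306",  # Missing Authentication for Critical Function, Internet-facing
            technical_impact=0.9, acquired_privilege=0.7, acquired_privilege_layer=1.0,   # High / Regular User / Application
            internal_control=1.0, finding_confidence=1.0,                                # None / Proven True
            required_privilege=1.0, required_privilege_layer=1.0, access_vector=1.0,     # None / Application / Internet
            authentication_strength=1.0, interaction=1.0, deployment_scope=1.0,          # None / Automated / All
            business_impact=0.9, discovery_likelihood=1.0, exploit_likelihood=1.0,       # High / High / High
            external_control=1.0, prevalence=0.8),                                       # None / Common
    Finding("CWE-250",  # Execution with Unnecessary Privileges, local only
            technical_impact=0.6, acquired_privilege=0.6, acquired_privilege_layer=0.9,   # Medium / Limited-Guest / System
            internal_control=0.7, finding_confidence=0.8,                                # Moderate / Proven Locally True
            required_privilege=0.7, required_privilege_layer=0.9, access_vector=0.5,     # Regular User / System / Local
            authentication_strength=0.7, interaction=0.9, deployment_scope=0.9,          # Moderate / Limited-Typical / Moderate
            business_impact=0.6, discovery_likelihood=0.6, exploit_likelihood=0.6,       # Medium / Medium / Medium
            external_control=0.9, prevalence=0.5),                                       # Limited / Limited
    Finding("CWE-311",  # Missing Encryption of Sensitive Data; analyst assessed no technical impact here
            technical_impact=0.0, acquired_privilege=0.7, acquired_privilege_layer=0.9,   # None -> f(TI) gate zeroes the score
            internal_control=1.0, finding_confidence=1.0,
            required_privilege=1.0, required_privilege_layer=1.0, access_vector=1.0,
            authentication_strength=1.0, interaction=1.0, deployment_scope=1.0,
            business_impact=0.9, discovery_likelihood=1.0, exploit_likelihood=1.0,
            external_control=1.0, prevalence=0.8),
]

if __name__ == "__main__":
    for cwe, score in rank_findings(SAMPLE_FINDINGS):
        print(f"{cwe}: {score}")
```

The gates matter in practice: a static-analysis hit whose technical or business impact is assessed as None scores 0.0 and drops to the bottom of the ranking regardless of its attack surface, which is the behaviour you want when triaging design-level CWEs into a technical-debt backlog.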