Visible to the public Leveraging SecDevOps to Tackle the Technical Debt Associated with Cybersecurity Attack Tactics

TitleLeveraging SecDevOps to Tackle the Technical Debt Associated with Cybersecurity Attack Tactics
Publication TypeConference Paper
Year of Publication2019
AuthorsIzurieta, Clemente, Prouty, Mary
Conference Name2019 IEEE/ACM International Conference on Technical Debt (TechDebt)
Date Publishedmay
KeywordsCommon Weakness Enumerations, composability, computer security, cybersecurity, cybersecurity attack tactics, exploitable source code vulnerabilities, external attack tactics, external cybersecurity attacks, malicious attack tactics, malicious external attacks, Organizations, program diagnostics, pubcrawl, quality assurance, Scalability, SecDevOps, security of data, Software, software assurance, software maintenance, Software measurement, software quality, source code (software), source code maintenance, static analysis, static analysis techniques, system weaknesses, technical consequences, technical debt, technical debt principal, Tools
AbstractContext: Managing technical debt (TD) associated with external cybersecurity attacks on an organization can significantly improve decisions made when prioritizing which security weaknesses require attention. Whilst source code vulnerabilities can be found using static analysis techniques, malicious external attacks expose the vulnerabilities of a system at runtime and can sometimes remain hidden for long periods of time. By mapping malicious attack tactics to the consequences of weaknesses (i.e. exploitable source code vulnerabilities) we can begin to understand and prioritize the refactoring of the source code vulnerabilities that cause the greatest amount of technical debt on a system. Goal: To establish an approach that maps common external attack tactics to system weaknesses. The consequences of a weakness associated with a specific attack technique can then be used to determine the technical debt principal of said violation; which can be measured in terms of loss of business rather than source code maintenance. Method: We present a position study that uses Jaccard similarity scoring to examine how 11 malicious attack tactics can relate to Common Weakness Enumerations (CWEs). Results: We conduct a study to simulate attacks, and generate dependency graphs between external attacks and the technical consequences associated with CWEs. Conclusion: The mapping of cyber security attacks to weaknesses allows operational staff (SecDevOps) to focus on deploying appropriate countermeasures and allows developers to focus on refactoring the vulnerabilities with the greatest potential for technical debt.
Citation Keyizurieta_leveraging_2019