Leveraging SecDevOps to Tackle the Technical Debt Associated with Cybersecurity Attack Tactics

Context: Managing the technical debt (TD) associated with external cybersecurity attacks on an organization can significantly improve the decisions made when prioritizing which security weaknesses require attention. Whilst source code vulnerabilities can be found using static analysis techniques, malicious external attacks expose the vulnerabilities of a system at runtime and can sometimes remain hidden for long periods of time. By mapping malicious attack tactics to the consequences of weaknesses (i.e., exploitable source code vulnerabilities), we can begin to understand and prioritize the refactoring of the source code vulnerabilities that cause the greatest amount of technical debt on a system.

Goal: To establish an approach that maps common external attack tactics to system weaknesses. The consequences of a weakness associated with a specific attack technique can then be used to determine the technical debt principal of that violation, which can be measured in terms of loss of business rather than source code maintenance.

Method: We present a position study that uses Jaccard similarity scoring to examine how 11 malicious attack tactics can relate to Common Weakness Enumerations (CWEs).

Results: We conduct a study to simulate attacks and generate dependency graphs between external attacks and the technical consequences associated with CWEs.

Conclusion: The mapping of cybersecurity attacks to weaknesses allows operational staff (SecDevOps) to focus on deploying appropriate countermeasures and allows developers to focus on refactoring the vulnerabilities with the greatest potential for technical debt.
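An added illustration of the Jaccard-scoring step described in the Method (example code written for this page, not the study's own tooling or data): each attack tactic and each CWE entry is reduced to a set of terms, the Jaccard index ranks candidate weaknesses per tactic, and pairs above a minimum score become edges of a tactic-to-CWE dependency graph. The tactic descriptions, the abbreviated CWE wording, the stopword list and the threshold are all constructed assumptions.

```python
"""Jaccard similarity between attack-tactic descriptions and CWE entries.

Added example, not the paper's code. Each description becomes a set of
terms; Jaccard(A, B) = |A & B| / |A | B| scores how closely a tactic and a
CWE overlap, and scores above a threshold form tactic -> CWE graph edges.
"""
import re

# Constructed stopword list; tune it for real descriptions.
STOPWORDS = {"a", "an", "and", "the", "of", "to", "in", "or", "as", "such",
             "when", "used", "have", "given", "into"}

# Real CWE ids, but the wording is our own abbreviation (constructed data).
CWES = {
    "CWE-79": "improper neutralization of input during web page generation cross-site scripting",
    "CWE-89": "improper neutralization of special elements used in an sql command sql injection",
    "CWE-287": "improper authentication when an actor claims to have a given identity",
    "CWE-798": "use of hard-coded credentials such as a password or cryptographic key",
}

# Constructed tactic descriptions standing in for the study's attack tactics.
TACTICS = {
    "credential-access": "steal credentials such as a password or key to bypass authentication",
    "web-injection": "inject sql or script input into a web command or page",
}

def terms(text):
    """Lower-case, tokenise (keeping hyphenated words) and drop stopwords."""
    return {t for t in re.findall(r"[a-z0-9-]+", text.lower()) if t not in STOPWORDS}

def jaccard(a, b):
    """Jaccard index of two sets; defined as 0.0 when both are empty."""
    union = a | b
    return len(a & b) / len(union) if union else 0.0

def rank_cwes(tactic_text, cwes=CWES, threshold=0.0):
    """Return [(cwe_id, score)] with score > threshold, best match first."""
    t = terms(tactic_text)
    scored = [(cid, jaccard(t, terms(desc))) for cid, desc in cwes.items()]
    return sorted(((c, s) for c, s in scored if s > threshold),
                  key=lambda x: (-x[1], x[0]))

def tactic_cwe_graph(tactics=TACTICS, cwes=CWES, threshold=0.15):
    """Dependency graph: tactic -> list of CWE ids whose score clears the threshold."""
    return {name: [c for c, _ in rank_cwes(text, cwes, threshold)]
            for name, text in tactics.items()}

if __name__ == "__main__":
    for tactic, edges in tactic_cwe_graph().items():
        print(tactic, "->", edges)
```

With the constructed data, "web-injection" links to CWE-79 and CWE-89 while "credential-access" links only to CWE-798; CWE-287 scores 0.1 and falls below the edge threshold, which is exactly the kind of near-miss a practitioner should inspect by hand before prioritizing refactoring.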
