TechDebt 2019
Sun 26 - Mon 27 May 2019 Montreal, QC, Canada
co-located with ICSE 2019
Sun 26 May 2019 14:00 - 14:20 at Viger - Technical Debt in Practice Chair(s): Heiko Koziolek

Context: Managing technical debt (TD) associated with external cybersecurity attacks on an organization can significantly improve decisions made when prioritizing which security weaknesses require attention. Whilst source code vulnerabilities can be found using static analysis techniques, malicious external attacks expose the vulnerabilities of a system at runtime and can sometimes remain hidden for long periods of time. By mapping malicious attack tactics to the consequences of weaknesses (i.e. exploitable source code vulnerabilities) we can begin to understand and prioritize the refactoring of the source code vulnerabilities that cause the greatest amount of technical debt on a system. Goal: To establish an approach that maps common external attack tactics to system weaknesses. The consequences of a weakness associated with a specific attack technique can then be used to determine the technical debt principal of said violation; which can be measured in terms of loss of business rather than source code maintenance. Method: We present a position study that uses Jaccard similarity scoring to examine how 11 malicious attack tactics can relate to Common Weakness Enumerations (CWEs). Results: We conduct a study to simulate attacks, and generate dependency graphs between external attacks and the technical consequences associated with CWEs. Conclusion: The mapping of cyber security attacks to weaknesses allows operational staff (SecDevOps) to focus on deploying appropriate countermeasures and allows developers to focus on refactoring the vulnerabilities with the greatest potential for technical debt.

Sun 26 May

14:00 - 15:00: TechDebt 2019 - Technical Debt in Practice at Viger
Chair(s): Heiko KoziolekABB Corporate Research
TechDebt-201914:00 - 14:20
Clemente IzurietaMontana State University, Mary ProutyGeorgia Institute of Technology
TechDebt-201914:20 - 14:40
Richard BrennerChaco Canyon Consulting
TechDebt-201914:40 - 15:00
Geir Kjetil HanssenSINTEF, Norway, Antonio MartiniUniversity of Oslo, Norway