Managing security debt across PLC phases in a VSE context

AbstractAbstractNowadays, security and safety aspects are two of the major concerns for any software system development, especially while developing safety critical systems. This is especially relevant for very small entities because they have a limited amount of resources for dealing with all these aspects at the same time. In addition, these systems are highly regulated domains, and they involve a huge set of standards focused on safety and security‐related issues. Therefore, these small entities are not only facing hurdles related to technical aspects but also from the so‐called technical debt when overarching a critical development. This paper extends the assurance cases approach by integrating security aspects within the life cycle, and it proposes a framework for managing the associated security technical debt for very small entities. A tool chain is outlined, and the approach is illustrated with an industrial use case.