From Vulnerability Severity to Security Debt

An Evidence-Driven Prioritization Model for OWASP 2025 Web Application Risks in Low-Resource Healthcare and SME Systems

Authors

  • Muhammad Shahzad Khadim, Kohat University of Science and Technology

Keywords:

Security Debt, Web Application Security, OWASP 2025, Vulnerability Prioritization, Penetration Testing, Evidence-Based Security Assessment, SME Cybersecurity, Healthcare Cybersecurity, Risk Scoring, Secure Web Development, Remediation Planning

Abstract

Web application security reports commonly list vulnerabilities according to technical severity, yet low-resource organizations often need a more practical answer: which weakness will become the most costly security debt if remediation is delayed? This manuscript proposes SECURE-DEBT, an evidence-driven model for prioritizing OWASP 2025 web application risks in resource-constrained healthcare-style and small-to-medium enterprise (SME) systems. The model treats unresolved vulnerabilities as accumulating security debt when evidence, exposure, sensitive data, exploitability, operational dependency, and remediation delay combine to raise future risk. The study is designed as a framework-based conceptual research article with an illustrative case-study evaluation protocol. It maps findings to the OWASP Top 10:2025 categories, collects penetration-testing evidence using manual and tool-assisted methods, assigns factor scores, and produces a Security Debt Priority Score. The proposed score integrates technical severity, exploitability, evidence confidence, data sensitivity, operational impact, exposure level, and delay risk, while subtracting remediation simplicity as a debt-reducing factor. The article also provides a comparison framework against conventional High/Medium/Low reporting and CVSS-style severity ranking. The contribution of the manuscript is a practical, transparent, and auditable prioritization approach for organizations that cannot fix every issue immediately but still need defensible remediation decisions. The framework supports penetration testers, developers, healthcare application owners, and SME decision makers by connecting technical evidence with remediation urgency, business continuity, and long-term debt reduction.
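The scoring structure the abstract describes, as an added illustration that is not the paper's own code: the risk factors are summed and remediation simplicity is subtracted, then constructed findings are ranked by severity alone and by debt score. The 0-3 factor scale and the equal weights are assumptions; the paper gives neither.

```python
from dataclasses import dataclass

# Factor scale is an assumption for this example: each factor is scored 0-3
# by the assessor. The abstract names the factors but gives no scale or weights.
FACTORS = ("severity", "exploitability", "evidence_confidence", "data_sensitivity",
           "operational_impact", "exposure", "delay_risk")

@dataclass
class Finding:
    id: str
    owasp_category: str       # OWASP Top 10:2025 category the finding maps to
    severity: int             # technical severity, 0-3
    exploitability: int
    evidence_confidence: int  # how well the pentest evidence supports the finding
    data_sensitivity: int
    operational_impact: int
    exposure: int
    delay_risk: int
    remediation_simplicity: int  # debt-reducing factor: easy fixes lower the score

# Assumed equal weights; a real deployment would calibrate these per organisation.
WEIGHTS = {name: 1.0 for name in FACTORS}
WEIGHTS["remediation_simplicity"] = 1.0

def debt_priority_score(f: Finding) -> float:
    """Additive debt score: weighted risk factors minus remediation simplicity."""
    risk = sum(WEIGHTS[name] * getattr(f, name) for name in FACTORS)
    return risk - WEIGHTS["remediation_simplicity"] * f.remediation_simplicity

def rank_by_severity(findings):
    """Conventional ordering: technical severity only (stable for ties)."""
    return [f.id for f in sorted(findings, key=lambda f: f.severity, reverse=True)]

def rank_by_debt(findings):
    """SECURE-DEBT-style ordering by Security Debt Priority Score."""
    return [f.id for f in sorted(findings, key=debt_priority_score, reverse=True)]

# Constructed sample findings for an SME/healthcare-style web app (not real data).
FINDINGS = [
    Finding("F1", "Injection", 3, 1, 2, 1, 1, 1, 1, 3),
    Finding("F2", "Broken Access Control", 2, 3, 3, 3, 3, 3, 3, 1),
    Finding("F3", "Security Misconfiguration", 2, 2, 3, 2, 2, 3, 2, 3),
]

if __name__ == "__main__":
    for f in FINDINGS:
        print(f.id, f.owasp_category, debt_priority_score(f))
    print("severity order:", rank_by_severity(FINDINGS))  # F1 first
    print("debt order:    ", rank_by_debt(FINDINGS))      # F2 first
```

The highest-severity finding (F1) drops to last under the debt score because it is easy to fix and weakly exposed, which is the reordering the abstract argues for.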

Published

2026-05-26

Section

Articles