🤖 AI Summary
This study addresses the ambiguity in recognizing security debt (SD), fragmented management practices, and insufficient cross-role communication—challenges exacerbated by delivery pressure and resource constraints in software development. Through semi-structured interviews with 22 practitioners from diverse countries and roles (development, security, operations), complemented by qualitative analysis grounded in both software engineering (SE) and information security (InfoSec) perspectives, the research systematically identifies SD root causes, propagation pathways, and trade-off mechanisms. It is the first to empirically reveal significant inter-role discrepancies in security risk perception, priority assessment, and tool adoption. The study proposes an integrated framework embedding the CIA triad (Confidentiality, Integrity, Availability) into each phase of the software development lifecycle (SDLC). Findings validate the necessity of enforcing consistent security policies, dynamically balancing resources, and enabling cross-level risk communication—providing empirical foundations and actionable pathways for systemic SD governance.
📝 Abstract
With today's increasing reliance on software and automation, tight deadlines, limited resources, and the prioritization of functionality over security can lead to insecure coding practices. When not handled properly, these constraints cause unaddressed security vulnerabilities to accumulate over time, forming Security Debts (SDs). Despite their critical importance, there is limited empirical evidence on how software practitioners perceive, manage, and communicate SDs in real-world settings. In this paper, we present a qualitative empirical study based on semi-structured interviews with 22 software practitioners across various roles, organizations, and countries. We address four research questions: i) we assess software practitioners' knowledge of SDs and their awareness of the associated security risks, ii) we investigate their behavior towards SDs, iii) we explore the common tools and strategies used to mitigate SDs, and iv) we analyze how security risks are communicated within teams and to decision makers. We observe variations in how practitioners perceive and manage SDs: some prioritize delivery speed over security, while others consistently maintain security as a priority. Our findings emphasize the need for stronger integration of security practices across the Software Development Life Cycle (SDLC), more consistent use of mitigation strategies, and better balancing of deadlines, resources, and security-related tasks, with attention to the Confidentiality, Integrity, and Availability (CIA) triad.