The emergence of the Internet of Things has imposed more stringent security requirements on SoC devices. Basic security requirements include confidentiality and integrity, which imply less observability and controllability of the SoC from the outside world. On the other hand, observability and controllability are essential to SoC debug activities. If the conflicting nature of security and debug requirements is not kept in mind, sensitive information on the SoC can be compromised through vulnerabilities introduced by debug circuitry. This paper reviews the security hazards that can be induced by SoC debug components and discusses the challenges of striking a balance between the security and debug requirements. We review current practice and provide an industrial perspective on how this problem can be better solved in the future.