Metrics That Matter: Quantifying Software Security Risk
Abstract
Any endeavor worth pursuing is worth measuring, but software security presents new measurement challenges: there are no established formulas or procedures for quantifying the security risk present in a program. This document details the importance of measuring software security and discusses the less-than-satisfying approaches that are prevalent today. A new set of metrics is then proposed for ensuring an accurate and comprehensive view of software projects ranging from legacy systems to newly deployed web applications. Many of the new metrics make use of source code analysis results.
Similar references
Relationship between Attack Surface and Vulnerability Density: A Case Study on Apache HTTP Server
Software Security metrics are quantitative measures related to a software system’s level of trustworthiness. They can be used to aid in resource allocation, program planning, risk assessment, and product and service selection. Recently researchers have proposed several software security metrics. Among these are attack surface and vulnerability density. The attack surface measure has been used b...
Metrics for Secure Operating Practices: a Forsaken Variable in Risk Measurement
If the components of security assurance are broadly defined in terms of capabilities (IT hardware and software products) and operations (systems management and process), this approach endeavors to quantify the operations component. That is, by quantifying the probability of secure operating practices, the risk evaluation of “cyber damage” will be more accurate. An oft-quoted mantra of security ...
Aggregating vulnerability metrics in enterprise networks using attack graphs
Quantifying security risk is an important and yet difficult task in enterprise network security management. While metrics exist for individual software vulnerabilities, there is currently no standard way of aggregating such metrics. We present a model that can be used to aggregate vulnerability metrics in an enterprise network, producing quantitative metrics that measure the likelihood breaches...
Risk-Driven Security Metrics in Agile Software Development - An Industrial Pilot Study
The need for effective and efficient information security solutions is steadily increasing in the software industry. Software and system developers require practical and systematic approaches to obtain sufficient and credible evidence of the security level in the system under development in order to guide their efforts and ensure the efficient use of resources. We present experiences of develop...
A Review of Security Metrics in Software Development Process
Security level, security performance, and security indicators have become standard terms to define security metrics. The data derived from these metrics helps in measurement of software security. The metrics help achieve security objectives – confidentiality, integrity and availability. The security can be assessed for further improvement during development process of the software or the produc...