This paper presents an extensive survey of software security metrics and puts forth an effort to characterize design-time software security. Misconceptions associated with security metrics are identified and discussed, and the characteristics a good security metric should possess are listed. In the absence of any standard guideline or methodology for developing early-stage security metrics, an effort has been made to provide a strong theoretical basis for such a framework. As a result, a Security Metrics Development Framework is proposed in this paper. Our next effort will be to implement the proposed framework to develop security metrics in the early stages of the software development life cycle.
Published in | American Journal of Software Engineering and Applications (Volume 2, Issue 6)
DOI | 10.11648/j.ajsea.20130206.14
Page(s) | 150-155
Creative Commons | This is an Open Access article, distributed under the terms of the Creative Commons Attribution 4.0 International License (http://creativecommons.org/licenses/by/4.0/), which permits unrestricted use, distribution and reproduction in any medium or format, provided the original work is properly cited.
Copyright | Copyright © The Author(s), 2013. Published by Science Publishing Group
Keywords | Software Security, Software Security Metrics, Metric Development, Design Phase
APA Style
A. Agrawal, R. A. Khan. (2013). Software Security Metric Development Framework (An Early Stage Approach). American Journal of Software Engineering and Applications, 2(6), 150-155. https://doi.org/10.11648/j.ajsea.20130206.14
BibTeX
@article{10.11648/j.ajsea.20130206.14,
  author  = {A. Agrawal and R. A. Khan},
  title   = {Software Security Metric Development Framework (An Early Stage Approach)},
  journal = {American Journal of Software Engineering and Applications},
  volume  = {2},
  number  = {6},
  pages   = {150-155},
  year    = {2013},
  issn    = {2327-249X},
  publisher = {Science Publishing Group},
  doi     = {10.11648/j.ajsea.20130206.14},
  url     = {https://doi.org/10.11648/j.ajsea.20130206.14}
}