American Journal of Software Engineering and Applications
Volume 2, Issue 6, December 2013, Pages: 150-155
Received: Nov. 30, 2013;
Published: Dec. 20, 2013
Views 3228 Downloads 173
A. Agrawal, Department of Computer Science, Khwaja Moinuddin Chishti Urdu, Arabi-Farsi University, Lucknow, India
R. A. Khan, Department of IT, Babasaheb Bhimrao Ambedkar University, Lucknow, India
This paper does an extensive survey on software security metrics and put forth an effort to characterize design time software security. Misconceptions associated to security metrics have been identified and discussed. A list of characteristics good security metrics should posses is listed. In absence of any standard guideline or methodology to develop early stage security metrics, an effort has been made to provide a strong theoretical basis to develop such a framework. As a result, a Security Metrics Development Framework has been proposed in this paper. Our next effort will be to implement the proposed framework to develop security metrics in early stage of software development life cycle.
R. A. Khan,
Software Security Metric Development Framework (An Early Stage Approach), American Journal of Software Engineering and Applications.
Vol. 2, No. 6,
2013, pp. 150-155.
O. S. Saydjari, Risk: A Good System Security Measure, Proceedings of the 30th Annual International Computer Software and Applications Conference (COMPSAC'06) 0-7695-2655-1/06 $20.00, IEEE, 2006.
S. Naqvi and M. Riguidel, Quantifiable Security Metrics for Large Scale Heterogeneous Systems, 1-4244-0174-7/06/$20.00, IEEE, pp. 209-215, 2006.
W. Qu, D. Zhang, Security Metrics Models and Application with SVM in Information Security Management 1-4244-0973-X/07/$25.00, IEEE pp. 3234-3238, 2007.
A. Ozment, Software Security Growth Modeling: Examining Vulnerabilities with Reliability Growth Models, in: Quality of Protection: Security Measurements and Metrics, Dieter Gollman, Fabio Massacci and Yautsiukhin, Artsiom.
J. M. Wing, Software Security, First Joint IEEE/IFIP Symposium on Theoretical Aspects of Software Engineering (TASE'07), 0-7695-2856-2/07 $20.00, IEEE, 2007.
Since Metricon 1.0, a second "mini-Metricon" was held in February 2007 at the University of San Francisco. See "Metricon 1.0" web page. securitymetrics.org [Last updated September 20, 2006, by Andrew Jaquith].
‘Software Security Assurance", State-of-the-Art Report (SOAR) Information Assurance Technology Analysis Center (IATAC) Data and Analysis Center for Software (DACS) Joint endeavor by IATAC with DACS July 31, 2007.
G. Agarwal, IT Security Metrics, 08Feb, 2008.http://cobitexpert.com/index.php?itemid=3
A. J. A. Wang, Information Security Models and Metrics, 43rd ACM Southeast Conference, ACM, March 18-20 Kennesaw, GA, USA. pp. 178-184, 2005.
J. Hallberg, A. Hunstad and M. Peterson, A Framework for System Security Assessment, Proceedings of the 2005 IEEE Workshop on Information Assurance and Security, United States Military Academy, West Point, NY, pp. 224-231, 2005
G. Jelen, SSE-CMM Security Metrics. NIST and CSSPAB Workshop, Washington, D.C., June 2000.
J. I. Alger, On Assurance, Measures, and Metrics: Definitions and Approaches. Proc. of Workshop on Information Security System Scoring and Ranking (WISSSR), ACSA and MITRE, Williamsburg, Virginia, May, 2001, proceedings published 2002.
Z. Abbadi, ST13: Security Metrics: What can you test? Web Reference, 21 January, 2008.
O. S. Saydjari, Is Risk a Good Security Metric? QoP’06, Alexandria, Virginia, USA. ACM 1-59593-553-3/06/0010, pp. 59-60, , October 30, 2006.
ACSA (2002), Proc Workshop on information Security System Scoring and Ranking, Applied Computer Security Associates, 2002.
M. Greenwald, C. Gunter, E. Knutsson, A. Sccdrov, J. Smith & S. Zdancewic, Computer Security is not a Science, Large-Scale Network Security Workshop, Landsdome, VA, 2003.
Seemet, Security metrics consortium, 2004. http://www.secmet.orp
Department of Homeland Security, Security in the Software Lifecycle, Making Software Development Processes—and Software Produced by Them—More Secure, DRAFT Version 1.1 - July 2006.
D. A. Chapin and S. Akridge, How Can Security Be Measured? Information Systems Control Journal, Volume 2 2005.
C. Cowan, Relative Vulnerability: An Empirical Assurance Metric, Presented at the 44th International Federation for Information Processing Working Group 10.4 Workshop on Measuring Assurance in Cyberspace (Monterey, CA, 25-29 June 2003).
F. Stevens, Validation of an Intrusion-Tolerant Information System Using Probabilistic Modeling, MS thesis, University of Illinois, Urbana-Champaign, IL, 2004.
O.H. Alhazmi, Y. K. Malaiya, and I. Ray, Security Vulnerabilities in Software Systems: a Quantitative Perspective, Proceedings of the IFIP WG 11.3 Working Conference on Data and Applications Security, Storrs, CT, August 2005.
Pravir Chandra, "Code Metrics", Presented at Metricon 1.0 (Vancouver, BC, Canada, 1 August 2006).
R. R. Barton, W. J. Hery, and P. Liu, An S-vector for Web Application Security Management, working paper, Pennsylvania State University, University Park, PA, January 2004.
S. Martin, Software Security Evaluation Based on a Top-Down Mc Call-Like Approach, IEEE 1988, pp. 414-418.
D. B. Aredo, Metrics for Quantifying the Impacts of Monitoring on Security of Adaptive Distributed Systems, Master Thesis Proposal – II, December 2005.
S. C. Payne, A Guide to Security Metrics, SANS Institute Information Security Reading Room, June 2006.
R. Savola, Towards a Security Metrics Taxonomy for the Information and Communication Technology Industry, International Conference on Software Engineering Advances(ICSEA 2007) 0-7695-2937-2/07,2007, IEEE.