Tuesday, April 24, 2012

Security Metrics - A perspective with respect to the research

Software metrics are a useful way of measuring software artifacts. Software security metrics in particular give software engineers a clearer picture of the potential threats to a system and of the mitigation strategies available to counter them. ISO/IEC 15408 (the Common Criteria) catalogues security functional and assurance requirements against which a product can be evaluated. Because that standard applies to the requirements phase, the tool we propose does not incorporate it; instead, the paper we read and related work [1-10] gave us inputs on which security-relevant metrics can be measured on code. The tool we propose parses the codebase and points out potential areas of vulnerability.

This could be extended to report the number of security errors found, which could in turn be fed into whatever bug tracking system the team uses, alongside the total number of bugs it already holds. According to the references, the ratio of security issues to total issues is a good indicator of how secure the software is. Reporting this metric could be a requirement of the tool, giving developers a lead on where to concentrate their fortification efforts. One caveat: the ratio only counts issues that have already been discovered, so it says as much about how thoroughly the code was reviewed and tested for security as about the code itself; a low ratio from a project that never looks for security bugs is not reassuring.
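As an added illustration of the pipeline sketched above (this is example code written for this post, not the proposed tool itself), the script below scans C source for a small table of dangerous library calls, turns each hit into a tracker-style issue, merges those with an existing bug-tracker export, and computes the security-issue ratio. The dangerous-call table, the CWE labels, the tracker export shape (a list of dicts with `id` and `labels`) and the sample source are all assumptions constructed for the example.

```python
"""Minimal security-metric pipeline: scan C source for dangerous calls,
then combine the findings with a bug-tracker export to compute the ratio
of security issues to all issues. All input below is constructed."""
import re
from fractions import Fraction

# Rule table (assumption, not the post's own list): well-known dangerous
# C library calls, a one-line note, and the CWE category they map to.
DANGEROUS_CALLS = {
    "gets":    ("unbounded read into buffer", "CWE-242"),
    "strcpy":  ("unbounded string copy", "CWE-120"),
    "strcat":  ("unbounded string append", "CWE-120"),
    "sprintf": ("unbounded formatted write", "CWE-120"),
    "system":  ("shell command execution", "CWE-78"),
}

CALL_RE = re.compile(r"\b(" + "|".join(DANGEROUS_CALLS) + r")\s*\(")
# Strips // comments and single-line /* */ comments; multi-line block
# comments are not handled by this toy scanner.
COMMENT_RE = re.compile(r"//.*$|/\*.*?\*/")


def scan_source(path, text):
    """Return one finding per dangerous call: (path, line_no, func, cwe, note).
    Comment text is stripped before matching so commented-out code is ignored."""
    findings = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        code = COMMENT_RE.sub("", line)
        for m in CALL_RE.finditer(code):
            func = m.group(1)
            note, cwe = DANGEROUS_CALLS[func]
            findings.append((path, line_no, func, cwe, note))
    return findings


def findings_as_issues(findings, next_id):
    """Convert scanner findings into tracker-style issues so they can be
    counted alongside the team's existing bugs."""
    return [
        {"id": next_id + k, "labels": ["security", cwe],
         "title": f"{func}() at {path}:{line}: {note}"}
        for k, (path, line, func, cwe, note) in enumerate(findings)
    ]


def security_issue_ratio(issues, security_label="security"):
    """Share of tracked issues carrying the security label, as a Fraction.
    Raises ValueError on an empty tracker: 0/0 is not 'perfectly secure'."""
    if not issues:
        raise ValueError("no issues to measure")
    secure = sum(1 for i in issues if security_label in i["labels"])
    return Fraction(secure, len(issues))


# Constructed sample source: two real hits, one commented-out call that
# must not be reported, and printf() which must not match sprintf().
SAMPLE_C = """\
#include <stdio.h>
#include <string.h>
#include <stdlib.h>

int handle(const char *user, char *cmd) {
    char name[32];
    strcpy(name, user);            /* no length check */
    // strcat(name, "!");   commented out, must not be reported
    printf("%s\\n", name);
    return system(cmd);            /* caller-controlled command */
}
"""

# Constructed bug-tracker export: one of four issues is already security-labelled.
SAMPLE_ISSUES = [
    {"id": 101, "labels": ["bug", "ui"]},
    {"id": 102, "labels": ["bug", "security"]},
    {"id": 103, "labels": ["enhancement"]},
    {"id": 104, "labels": ["bug"]},
]


def measure(path="handler.c", text=SAMPLE_C, tracked=SAMPLE_ISSUES):
    """Run the scanner, merge its findings into the tracker, return
    (findings, ratio). The merged ratio is what the post proposes reporting."""
    findings = scan_source(path, text)
    next_id = max(i["id"] for i in tracked) + 1
    issues = tracked + findings_as_issues(findings, next_id)
    return findings, security_issue_ratio(issues)


if __name__ == "__main__":
    found, ratio = measure()
    for path, line, func, cwe, note in found:
        print(f"{path}:{line}: {func}() [{cwe}] {note}")
    print(f"security issues / all issues = {ratio} ({float(ratio):.0%})")
```

On the constructed input the scanner reports `strcpy()` on line 7 and `system()` on line 10 and skips the commented-out `strcat()`; the tracker alone gives 1/4, and merging the two findings raises it to 3/6. That jump is the caveat in practice: the ratio moved because a scanner was run, not because the code changed, so the number is only comparable across builds that were measured the same way.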

Opinions, Readers?

References for this idea (they might be of use to what you're doing):

[1] D. P. Gilliam, T. L. Wolfe, and J. S. Sherif, "Software Security Checklist for the Software Life Cycle," in Proc. 12th International Workshops on Enabling Technologies, 2003, pp. 243-248.

[2] J. A. Chaula, L. Yngström, and S. Kowalski, "Security Metrics and Evaluation of Information Systems Security," in Proc. 4th Annual Conference on Information Security for South Africa, 2004.

[3] R. Scandariato, B. D. Win, and W. Joosen, "Towards a Measuring Framework for Security Properties of Software," in Proc. 2nd Workshop on Quality of Protection, 2006, pp. 27-30.

[4] A. Sachitano, R. O. Chapman, and J. A. Hamilton, "Security in Software Architecture: A Case Study," in Proc. 5th Annual IEEE SMC Information Assurance Workshop, 2004, pp. 370-376.

[5] M. Swanson, N. Bartol, J. Sabato, J. Hash, and L. Graffo, "Security Metrics Guide for Information Technology Systems," NIST Special Publication 800-55, National Institute of Standards and Technology, 2003.

[6] K. Sultan, A. En-Nouaary, and A. Hamou-Lhadj, "Catalog of Metrics for Assessing Security Risks of Software throughout the Software Development Life Cycle," in Proc. International Conference on Information Security and Assurance (ISA 2008), 24-26 April 2008, pp. 461-465. doi: 10.1109/ISA.2008.104. URL: http://ieeexplore.ieee.org/stamp/stamp.jsp?tp=&arnumber=4511611&isnumber=4511515

[7] V. R. Basili, G. Caldiera, and H. D. Rombach, "Goal Question Metric Paradigm," in J. J. Marciniak (ed.), Encyclopedia of Software Engineering, vol. 1, New York: John Wiley & Sons, 1994, pp. 528-532.


[9] R. Scandariato, B. D. Win, and W. Joosen, "Towards a Measuring Framework for Security Properties of Software," in Proc. 2nd Workshop on Quality of Protection, 2006, pp. 27-30.

[10] A. Meneely and L. Williams, in Proc. 16th ACM Conference on Computer and Communications Security (CCS '09), New York, NY: ACM, 2009. ISBN 978-1-60558-894-0. doi: 10.1145/1653662.1653717.
