ABSTRACT
Software security metrics are measurements that assess security-related imperfections (or perfections) introduced during software development. A number of security metrics have been proposed; however, not all perspectives of a software system have received specific attention. While most security metrics evaluate software from a system-level perspective, it can also be useful to analyze defects at a lower level, i.e., at the source code level. To address this gap, we propose code-level security metrics that can be used to indicate the level of security of a code segment. We provide guidelines about where and how these metrics can be used to improve source code structures. We have also conducted two case studies to demonstrate the applicability of the proposed metrics.
Index Terms
- Security metrics for source code structures