Security metrics for software systems

Research article. DOI: 10.1145/1566445.1566509

Published: 19 March 2009

Abstract

Security metrics for software products give a quantitative measure of the degree of trustworthiness of a software system. This paper proposes a new approach to defining software security metrics based on the vulnerabilities present in a software system and their impact on software quality. The metric definition and calculation use the Common Vulnerabilities and Exposures (CVE) list, an industry standard for naming vulnerabilities and exposures, and the Common Vulnerability Scoring System (CVSS), an open, standardized method for rating the severity of software vulnerabilities. Examples in the paper show that the proposed metrics are consistent with common practice and with real-world experience of software quality and trustworthiness.

References

[1] P. Mell, K. Scarfone, and S. Romanosky, "A Complete Guide to the Common Vulnerability Scoring System (CVSS), Version 2.0," Forum of Incident Response and Security Teams, July 2007. http://www.first.org/cvss/cvss-guide.html
[2] J. A. Wang, M. Xia, and F. Zhang, "Metrics for Information Security Vulnerabilities," Journal of Applied Global Research, vol. 1, no. 1, 2008, pp. 48--58.
[3] J. A. Wang, F. Zhang, and M. Xia, "Temporal Metrics for Software Vulnerabilities," in Proceedings of CSIIRW'08, May 12--14, 2008, Oak Ridge, TN, USA.
[4] J. A. Wang, "Information Security Models and Metrics," in Proceedings of the 43rd ACM Southeast Conference, vol. 2, pp. 178--184, March 2005, Kennesaw, GA. ISBN 1-59593-059-0.
[5] E. Chew et al., "Guide for Developing Performance Metrics for Information Security," NIST Special Publication 800-80, May 2006.
[6] National Institute of Standards and Technology, National Vulnerability Database, Common Vulnerability Scoring System Calculator. http://nvd.nist.gov/cvss.cfm?calculator (accessed October 20, 2008).
[7] National Institute of Standards and Technology, National Vulnerability Database, Search CVE and CCE Vulnerability Database. http://web.nvd.nist.gov/view/vuln/search?execution=e2s1 (accessed October 20, 2008).
[8] The MITRE Corporation, Common Weakness Enumeration, CWE Comprehensive Dictionary (1.0.1). http://cwe.mitre.org/data/slices/2000.html (accessed October 20, 2008).
[9] The MITRE Corporation, Common Vulnerabilities and Exposures, CVE List. http://cve.mitre.org/cve/cve.html (accessed October 20, 2008).
[10] The MITRE Corporation, Common Attack Pattern Enumeration and Classification, CAPEC Dictionary (Release 1.1). http://capec.mitre.org/data/dictionary.html (accessed October 20, 2008).
[11] M. Gegick, L. Williams, and M. Vouk, "Predictive Models for Identifying Software Components Prone to Failure During Security Attacks," Department of Computer Science, North Carolina State University, October 28, 2008. https://buildsecurityin.us-cert.gov/daisy/bsi/articles/best-practices/measurement/1075-BSI.pdf (accessed November 2008).
[12] C. Wysopal, "Software Security Weakness Scoring," Metricon 2.0, August 7, 2007. www.securitymetrics.org/content/attach/Metricon2.0/Wysopal-metricon2.0-software-weakness-scoring.ppt (accessed October 2008).
[13] P. Mell and S. Quinn, "Automating Compliance Checking, Vulnerability Management, and Security Measurement," presentation, 2007 Information Assurance Workshop (IAWS), 2007.
[14] NIST, Information Security Automation Program, "Automating Vulnerability Management, Security Measurement, and Compliance," Version 1.0 Beta, revised May 22, 2007.
[15] The MITRE Corporation, Common Weakness Enumeration. http://cwe.mitre.org/ (accessed October 20, 2008).
[16] J. A. Wang, "Information Security Models and Metrics," in Proceedings of the 43rd ACM Southeast Conference, vol. 2, pp. 178--184, March 2005, Kennesaw, GA. ISBN 1-59593-059-0.



Published In

ACMSE '09: Proceedings of the 47th Annual ACM Southeast Conference, March 2009, 430 pages. ISBN 9781605584218. DOI: 10.1145/1566445
Permission to make digital or hard copies of all or part of this work for personal or classroom use is granted without fee provided that copies are not made or distributed for profit or commercial advantage and that copies bear this notice and the full citation on the first page. Copyrights for components of this work owned by others than ACM must be honored. Abstracting with credit is permitted. To copy otherwise, or republish, to post on servers or to redistribute to lists, requires prior specific permission and/or a fee. Request permissions from [email protected]

Publisher: Association for Computing Machinery, New York, NY, United States


Author Tags

  1. security metrics
  2. software quality
  3. software security
  4. software vulnerabilities

Qualifiers

  • Research-article

Conference

ACM SE 09: ACM Southeast Regional Conference, March 19--21, 2009, Clemson, South Carolina

Acceptance Rates

Overall Acceptance Rate 502 of 1,023 submissions, 49%


Article Metrics

Downloads (last 12 months): 62
Downloads (last 6 weeks): 6
Reflects downloads up to 19 Feb 2025

Cited By

  • (2024) A Software Security Evaluation Framework. Proceedings of the 2024 IEEE/ACM 46th International Conference on Software Engineering: Companion Proceedings, pp. 150-152. DOI: 10.1145/3639478.3639796. Online publication date: 14 Apr 2024.
  • (2024) You cannot improve what you do not measure: A triangulation study of software security metrics. Proceedings of the 39th ACM/SIGAPP Symposium on Applied Computing, pp. 1223-1232. DOI: 10.1145/3605098.3635892. Online publication date: 8 Apr 2024.
  • (2024) Evaluating Security Through Isolation and Defense in Depth. IEEE Security and Privacy 22(1): 69-72. DOI: 10.1109/MSEC.2023.3336028. Online publication date: 23 Jan 2024.
  • (2022) Classification of Software Vulnerabilities with Deep Neural Networks (Turkish title: Yazılım Güvenlik Açıklarının Evrişimsel Sinir Ağları (CNN) ile Sınıflandırılması). Fırat Üniversitesi Mühendislik Bilimleri Dergisi 34(2): 517-529. DOI: 10.35234/fumbd.1076870. Online publication date: 30 Sep 2022.
  • (2022) The Generation of Software Security Scoring Systems Leveraging Human Expert Opinion. 2022 IEEE 29th Annual Software Technology Conference (STC), pp. 116-124. DOI: 10.1109/STC55697.2022.00023. Online publication date: Oct 2022.
  • (2022) An Autonomous Vehicle Group Formation Method based on Risk Assessment Scoring. 2022 IEEE Intl Conf on Dependable, Autonomic and Secure Computing, Intl Conf on Pervasive Intelligence and Computing, Intl Conf on Cloud and Big Data Computing, Intl Conf on Cyber Science and Technology Congress (DASC/PiCom/CBDCom/CyberSciTech), pp. 1-6. DOI: 10.1109/DASC/PiCom/CBDCom/Cy55231.2022.9927817. Online publication date: 12 Sep 2022.
  • (2022) A Hybrid Approach for Evaluation and Prioritization of Software Vulnerabilities. Predictive Analytics in System Reliability, pp. 39-51. DOI: 10.1007/978-3-031-05347-4_3. Online publication date: 9 Sep 2022.
  • (2021) Resilient Control Systems—Basis, Benchmarking and Benefit. IEEE Access 9: 57565-57577. DOI: 10.1109/ACCESS.2021.3071874. Online publication date: 2021.
  • (2021) Applicability of the Software Security Code Metrics for Ethereum Smart Contract. The International Conference on Deep Learning, Big Data and Blockchain (Deep-BDB 2021), pp. 106-119. DOI: 10.1007/978-3-030-84337-3_9. Online publication date: 8 Aug 2021.
  • (2021) Availability and security analysis of business-critical systems: A case study of e-commerce business process. Quality and Reliability Engineering International 38(4): 2218-2232. DOI: 10.1002/qre.3052. Online publication date: 29 Dec 2021.
