Security Measurement—Establishing Confidence That System and Software Security Is Sufficient
Abstract
Evaluating the software assurance of a product as it functions within a specific system context involves assembling carefully chosen metrics that demonstrate a range of behaviors to establish confidence that the product functions as intended and is free of vulnerabilities. The first challenge is to establish that the requirements define the appropriate security behavior and the design addresses these security concerns. The second challenge is to establish that the completed product, as built, fully satisfies the specifications. Measures to provide assurance must, therefore, address requirements, design, construction, and test. We know that software is never defect free. According to Jones and Bonsignour (2012), the average defect level in the United States is 0.75 defects per function point or 6,000 per million lines of code (MLOC) for a high-level language. Thus, software, on average, cannot always function perfectly as intended. Additionally, we cannot establish that software is completely free from vulnerabilities, based on our research, which indicates that 5% of defects should be categorized as vulnerabilities. So how can we establish reasonable confidence in software security? To answer this question, the Software Engineering Institute (SEI) is researching how measurement can be used to establish confidence in software security. This paper will share our progress to date.
Rights
This publication is a work of the U.S. Government as defined in Title 17, United States Code, Section 101. Copyright protection is not available for this work in the United States.
NPS Report Number
SYM-AM-17-063
Related items
Showing items related by title, author, creator and subject.
- Security Measurement—Establishing Confidence That System and Software Security Is Sufficient
  Woody, Carol (Monterey, California. Naval Postgraduate School, 2017-03); SYM-AM-17-119
  Evaluating the software assurance of a product as it functions within a specific system context involves assembling carefully chosen metrics that demonstrate a range of behaviors to establish confidence that the product ...
- An Empirical Model to Measure Dependability of a Software System
  Luqi; Chaki, N. (Monterey, California. Naval Postgraduate School, 2002-09); NPS-SW-02-005
  Dependency on automation processes in science and engineering imparts the importance of user-confidence on software. This proposal has the objective to measure and provide a quantitative prediction of dependability for a ...
- Evolving a simulation model product line software architecture from heterogeneous model representations
  Greaney, Kevin J. (Monterey, California. Naval Postgraduate School, 2003-09)
  National- and Department-level decision-makers expect credible Department of Defense models and simulations (M and S) to provide them confidence in the simulation results, especially for mission-critical and high-risk ...