Security metrics for software systems

Subscribe (Full Service)


	Search: The ACM Digital Library The Guide

	Feedback

Security metrics for software systems

Full text

Pdf (127 KB)

Source

ACM Southeast Regional Conference archive
Proceedings of the 47th Annual Southeast Regional Conference table of contents

Clemson, South Carolina

SESSION: Information analysis table of contents

Article No. 47

Year of Publication: 2009

ISBN:978-1-60558-421-8

Authors

Ju An Wang	Southern Polytechnic State University, Marietta, GA
Hao Wang	Southern Polytechnic State University, Marietta, GA
Minzhe Guo	Southern Polytechnic State University, Marietta, GA
Min Xia	Southern Polytechnic State University, Marietta, GA

Publisher

ACM New York, NY, USA

Bibliometrics

Downloads (6 Weeks): 60, Downloads (12 Months): 136, Citation Count: 0

Additional Information:

abstract references index terms collaborative colleagues

Tools and Actions:	Request Permissions Review this Article Save this Article to a Binder Display Formats: BibTeX EndNote ACM Ref

DOI Bookmark:	Use this link to bookmark this Article: http://doi.acm.org/10.1145/1566445.1566509 What is a DOI?

ABSTRACT

Security metrics for software products provide quantitative measurement for the degree of trustworthiness for software systems. This paper proposes a new approach to define software security metrics based on vulnerabilities included in the software systems and their impacts on software quality. We use the Common Vulnerabilities and Exposures (CVE), an industry standard for vulnerability and exposure names, and the Common Vulnerability Scoring System (CVSS), a vulnerability scoring system designed to provide an open and standardized method for rating software vulnerabilities, in our metric definition and calculation. Examples are provided in the paper, which show that our definition of security metrics is consistent with the common practice and real-world experience about software quality in trustworthiness.

REFERENCES

Note: OCR errors may be found in this Reference List extracted from the full text article. ACM has opted to expose the complete List rather than only correct and linked references.

	1	Peter Mell, Karen Scarfone, and Sasha Romanosky, A Complete Guide to the Common Vulnerability Scoring System (CVSS), Version 2.0, Forum of Incident Response and Security Teams, http://www.first.org/cvss/cvss-guide.html (July 2007).
	2	J. A. Wang, M. Xia, and F. Zhang, "Metrics for Information Security Vulnerabilities, Journal of Applied Global Research, Volume 1, No. 1, 2008, pp. 48--58.
	3	Ju An Wang , Fengwei Zhang , Min Xia, Temporal metrics for software vulnerabilities, Proceedings of the 4th annual workshop on Cyber security and information intelligence research: developing strategies to meet the cyber security and information intelligence challenges ahead, May 12-14, 2008, Oak Ridge, Tennessee [doi>10.1145/1413140.1413191]
	4	Andy Ju An Wang, Information security models and metrics, Proceedings of the 43rd annual Southeast regional conference, March 18-20, 2005, Kennesaw, Georgia [doi>10.1145/1167253.1167295]
	5	Elizabeth Chew et. al., Guide for Developing Performance Metrics for Information Security, NIST Special Publication 800--80, May 2006.
	6	National Institute of Standards and Technology, National Vulnerability Database, Common Vulnerability Scoring System Calculator, http://nvd.nist.gov/cvss.cfm?calculator (Accessed on October 20, 2008).
	7	National Institute of Standards and Technology, National Vulnerability Database, Search CVE and CCE Vulnerability Database, http://web.nvd.nist.gov/view/vuln/search?execution=e2s1 (Accessed on October 20, 2008).
	8	The MITRE Corporation, Common Weakness Enumeration, CWE Comprehensive Dictionary(1.0.1), http://cwe.mitre.org/data/slices/2000.html (Accessed on October 20, 2008).
	9	The MITRE Corporation, Common Vulnerability and Exposures, CVE List, http://cve.mitre.org/cve/cve.html (Accessed on October 20, 2008).
	10	The MITRE Corporation, Common Attack Pattern Enumeration and Classification, CAPEC Dictionary (Release 1.1), http://capec.mitre.org/data/dictionary.html (Accessed on October 20, 2008).
	11	Michael Gegick1, Laurie Williams, Mladen Vouk, "Predictive Models for Identifying Software Components Prone to Failure During Security Attacks", Department of Computer Science, North Carolina State University, October 28th, 2008, https://buildsecurityin.us-cert.gov/daisy/bsi/articles/best-practices/measurement/1075-BSI.pdf (Accessed by November, 2008)
	12	Chris Wysopal, Software Security Weakness Scoring, Metricon 2.0, August 7, 2007. www.securitymetrics.org/content/attach/Metricon2.0/Wysopal-metricon2.0-software-weakness-scoring.ppt (Accessed on October, 2008).
	13	Mell P. and Quinn S, "Automating Compliance Checking, Vulnerability Management, and Security Measurement," 2007 Information Assurance Workshop (IAWS) Presentation, 2007.
	14	NIST, Information Security Automation Program, Automating Vulnerability Management, Security Measurement, and Compliance, Version 1.0 Beta, revised on May 22, 2007.
	15	The MITRE Corporation, Common Weakness Enumeration, http://cwe.mitre.org/ (Accessed on October 20, 2008).
	16	Andy Ju An Wang, Information security models and metrics, Proceedings of the 43rd annual Southeast regional conference, March 18-20, 2005, Kennesaw, Georgia [doi>10.1145/1167253.1167295]