Risk-Based Measurement and Analysis: Application to Software Security

Abstract

For several years, the software engineering community has been working to identify practices aimed at developing more secure software. Although some foundational work has been performed, efforts to measure software security assurance have yet to materialize in any substantive fashion. As a result, decision makers (e.g., development program and project managers, acquisition program offices) lack confidence in the security characteristics of their software-reliant systems. The CERT® Program at Carnegie Mellon University’s Software Engineering Institute (SEI) has chartered the Software Security Measurement and Analysis (SSMA) Project to advance the state-of-the-practice in software security measurement and analysis. The SSMA Project is exploring how to use risk analysis to direct an organization’s software security measurement and analysis efforts. The overarching goal is to develop a risk-based approach for measuring and monitoring the security characteristics of interactively complex software-reliant systems across the life cycle and supply chain. To accomplish this goal, the project team has developed the SEI Integrated Measurement and Analysis Framework (IMAF) and refined the SEI Mission Risk Diagnostic (MRD). This report is an update to the technical note, Integrated Measurement and Analysis Framework for Software Security (CMU/SEI-2010-TN-025), published in September 2010. This report presents the foundational concepts of a risk-based approach for software security measurement and analysis and provides an overview of the IMAF and the MRD.

Cite This Report

SEI

Alberts, Christopher; Allen, Julia; & Stoddard, Robert. Risk-Based Measurement and Analysis: Application to Software Security (CMU/SEI-2012-TN-004). Software Engineering Institute, Carnegie Mellon University, 2012. http://resources.sei.cmu.edu/library/asset-view.cfm?AssetID=10067

IEEE

Alberts, Christopher, Allen, Julia, and Stoddard, Robert, "Risk-Based Measurement and Analysis: Application to Software Security," Software Engineering Institute, Carnegie Mellon University, Pittsburgh, Pennsylvania, Technical Note CMU/SEI-2012-TN-004, 2012. http://resources.sei.cmu.edu/library/asset-view.cfm?AssetID=10067

APA

Alberts, Christopher, Allen, Julia, & Stoddard, Robert. (2012). Risk-Based Measurement and Analysis: Application to Software Security (CMU/SEI-2012-TN-004). Retrieved July 28, 2014, from the Software Engineering Institute, Carnegie Mellon University website: http://resources.sei.cmu.edu/library/asset-view.cfm?AssetID=10067

CHI

Christopher Alberts, Julia Allen, & Robert Stoddard. Risk-Based Measurement and Analysis: Application to Software Security (CMU/SEI-2012-TN-004). Pittsburgh, PA: Software Engineering Institute, Carnegie Mellon University, 2012. http://resources.sei.cmu.edu/library/asset-view.cfm?AssetID=10067

MLA

Alberts, Christopher, Allen, Julia, & Stoddard, Robert. 2012. Risk-Based Measurement and Analysis: Application to Software Security (Technical Report CMU/SEI-2012-TN-004). Pittsburgh: Software Engineering Institute, Carnegie Mellon University. http://resources.sei.cmu.edu/library/asset-view.cfm?AssetID=10067