Advanced Search

Content Type

Topics

Publication Date

Integrated Measurement and Analysis Framework for Software Security

  • Author(s): , ,
  • Publish Date:
  • Publisher: Software Engineering Institute
  • SEI Identifier: CMU/SEI-2010-TN-025
  • Type: Technical Note
  • Description: In this report, the authors address how to measure software security in complex environments using the Integrated Measurement and Analysis Framework (IMAF).

Abstract

In today’s business and operational environments, multiple organizations routinely work collaboratively to acquire, develop, deploy, and maintain technical capabilities via a set of interdependent, networked systems. Measurement in these distributed management environments can be an extremely challenging problem. The CERT Program, part of Carnegie Mellon University's Software Engineering Institute (SEI), is developing the Integrated Measurement and Analysis Framework (IMAF) to enable effective measurement in distributed environments, including acquisition programs, supply chains, and systems of systems. The IMAF defines an approach that integrates subjective and objective data from multiple sources (targeted analysis, reports, and tactical measurement) and provides decision makers with a consolidated view of current conditions. This report is the first in a series that addresses how to measure software security in complex environments. It poses several research questions and hypotheses and presents a foundational set of measurement concepts. It also describes how meaningful measures provide the information that decision makers need when they need it and in the right form. Finally, this report provides a conceptual overview of the IMAF, describes methods for qualitatively and quantitatively collecting data to inform the framework, and suggests how to use the IMAF to derive meaningful measures for analyzing software security performance.

Related Links

Deriving Software Security Measures from Information Security Standards of Practice

Risk-Based Measurement and Analysis: Application to Software Security

Cite This Report

Show Citation Formats

SEI

Alberts, Christopher; Allen, Julia; & Stoddard, Robert. Integrated Measurement and Analysis Framework for Software Security (CMU/SEI-2010-TN-025). Software Engineering Institute, Carnegie Mellon University, 2010. http://resources.sei.cmu.edu/library/asset-view.cfm?AssetID=9369

IEEE

Alberts. Christopher, Allen. Julia, and Stoddard. Robert, "Integrated Measurement and Analysis Framework for Software Security," Software Engineering Institute, Carnegie Mellon University, Pittsburgh, Pennsylvania, Technical Note CMU/SEI-2010-TN-025, 2010. http://resources.sei.cmu.edu/library/asset-view.cfm?AssetID=9369

APA

Alberts, Christopher., Allen, Julia., & Stoddard, Robert. (2010). Integrated Measurement and Analysis Framework for Software Security (CMU/SEI-2010-TN-025). Retrieved September 18, 2014, from the Software Engineering Institute, Carnegie Mellon University website: http://resources.sei.cmu.edu/library/asset-view.cfm?AssetID=9369

CHI

Christopher Alberts, Julia Allen, & Robert Stoddard. Integrated Measurement and Analysis Framework for Software Security (CMU/SEI-2010-TN-025). Pittsburgh, PA: Software Engineering Institute, Carnegie Mellon University, 2010. http://resources.sei.cmu.edu/library/asset-view.cfm?AssetID=9369

MLA

Alberts, Christopher., Allen, Julia., & Stoddard, Robert. 2010. Integrated Measurement and Analysis Framework for Software Security (Technical Report CMU/SEI-2010-TN-025). Pittsburgh: Software Engineering Institute, Carnegie Mellon University. http://resources.sei.cmu.edu/library/asset-view.cfm?AssetID=9369