Cybersecurity Engineering Research: Cybersecurity Quality Metrics Collection
This research evaluates the feasibility of using 1) software quality models to improve software security and 2) available data to calibrate a specialized quality model to track and forecast security defects.
Publisher: Software Engineering Institute
Abstract
Security is difficult to measure and even harder to predict. Quality is one area where predictive capability has been successfully applied. Although high-quality code is not necessarily secure, poor-quality code cannot be secure; therefore, some minimum level of software quality may be considered necessary to achieve secure code. There is general agreement that good quality is an essential condition for software with security requirements; however, the level of necessary quality is an open question. A connection between quality flaws and security flaws has been observed. Research indicates that 1-5% of defects will end up as vulnerabilities.
Advanced software quality management models now exist that are capable of economically producing software that is an order of magnitude higher quality than current critical systems. These projects indicate early efforts to address safety and security with good operational results.
Our research is determining how software quality models can be specialized for security to increase confidence that software can be sufficiently secure and function as intended. We postulate that quality results below a "to be determined" quality threshold provide sufficient evidence that improves confidence for security and results above that threshold provide evidence that operational security would be uncertain.
Collection Contents
- Software Assurance Engineering—Integrating Assurance into System and Software Engineering
November 1, 2014 • Video
By Carol Woody, PhD
In this video, Carol Woody discusses software assurance, which is implementing software with confidence that it functions as intended and is free of vulnerabilities.
- Wireless Emergency Alerts (WEA) Cybersecurity Risk Management Strategy for Alert Originators
March 31, 2014 • Special Report
By The WEA Project Team
In this report, the authors describe a cybersecurity risk management (CSRM) strategy that alert originators can use throughout WEA adoption, operations, and sustainment, as well as a set of governance activities for developing a plan to execute the CSRM.
- Software Assurance Measurement – State of the Practice
November 29, 2013 • Technical Note
By Dan Shoemaker (University of Detroit Mercy), Nancy R. Mead
In this report, the authors describe the current state of the practice and emerging trends in software assurance measurement.
- Principles and Measurement Models for Software Assurance
January 1, 2013 • Book Chapter
By Nancy R. Mead, Dan Shoemaker (University of Detroit Mercy), Carol Woody
In this book chapter, the authors present a measurement model with seven principles that capture the fundamental managerial and technical concerns of development and sustainment.
- Risk-Based Measurement and Analysis: Application to Software Security
February 1, 2012 • Technical Note
By Christopher J. Alberts, Julia H. Allen, Robert W. Stoddard
In this report, the authors present the concepts of a risk-based approach to software security measurement and analysis and describe the IMAF and MRD.
- Mission Risk Diagnostic (MRD) Method Description
February 1, 2012 • Technical Note
By Christopher J. Alberts, Audrey J. Dorofee
In this report, the authors describe the Mission Risk Diagnostic (MRD) method, which is used to assess risk in systems across the lifecycle and supply chain.
- Preview of the Mission Assurance Analysis Protocol (MAAP): Assessing Risk and Opportunity in Complex Environments
July 1, 2008 • Technical Note
By Christopher J. Alberts, Audrey J. Dorofee, Lisa Marino
In this 2008 document, the authors preview a core set of activities and outputs that define a MAAP assessment.
- Eliciting and Analyzing Quality Requirements: Management Influences on Software Quality Requirements
March 1, 2005 • Technical Note
By Carol Woody
In this 2005 report, Carol Woody documents how environments for system development can support or reject improved quality requirements elicitation mechanisms.