search menu icon-carat-right cmu-wordmark

Cybersecurity Engineering Research: Software Assurance Measurement and Analysis Collection

This research is a risk-based approach for measuring and monitoring the security characteristics of interactively complex, software-reliant systems.

Decision makers (such as development and acquisition program and project managers) lack confidence in the security of their software-reliant systems unless they have established methods to measure this security. We address this need through the Software Security Measurement and Analysis (SSMA) project.

The goal of this research is to develop a risk-based approach for measuring and monitoring the security characteristics of interactively complex, software-reliant systems across the lifecycle and supply chain. To help achieve this goal, we have developed the following:

IMAF

The SEI Integrated Measurement and Analysis Framework (IMAF) integrates performance data for individual components, including targeted analysis, status reporting, and measurement activities, to provide a consolidated view of the performance of software-reliant systems. The IMAF can also highlight where additional data need to be collected. The framework can be appliedĀ in a variety of contexts, including software security, operational security, acquisition program management, and software development.

MRD

The Mission Risk Diagnostic (MRD) is a versatile method for assessing risk in interactively complex software-reliant systems that can be applied across the lifecycle (acquisition, development, operations) and supply chain. It analyzes a set of systemic risk factors to aggregate decision-making data and provides decision makers with a benchmark of a system's current state. The resulting gap between a system's current and desired states points to specific areas where additional investment is warranted. The MRD method can be used to assess risk in a variety of domains, including software security, supply chain assurance, cyber security processes, software acquisition and development programs, and business portfolio management.

See the publications below for more information about measuring and analyzing data about the security of systems:

Risk-Based Measurement and Analysis: Application to Software Security

February 2012

In this report, the authors present the concepts of a risk-based approach to software security measurement and analysis and describe the IMAF and MRD.

Mission Risk Diagnostic (MRD) Method Description

February 2012

In this report, the authors describe the Mission Risk Diagnostic (MRD) method, which is used to assess risk in systems across the lifecycle and supply chain.

Measuring Software Security Assurance Overview

September 2011

In this section of the research report, the authors examine how to measure and monitor the security posture of large, networked, software-reliant systems.

Security Measurement and Analysis

January 2011

In this presentation, the authors describe work being performed by the SEI in the area of security measurement and analysis.

Integrated Measurement and Analysis Framework for Software Security

September 2010

In this report, the authors address how to measure software security in complex environments using the Integrated Measurement and Analysis Framework (IMAF).

Mission Diagnostic Protocol, Version 1.0: A Risk-Based Approach for Assessing the Potential for Success

March 2008

This 2008 document describes the core set of activities and outputs that defines mission diagnostic protocol (MDP).