Cybersecurity Engineering Research: Cybersecurity Quality Metrics Collection
This research evaluates the feasibility of using 1) using software quality models to improve software security and 2) available data to calibrate a specialized quality model to track and forecast security defects.
Software Engineering Institute
Security is difficult to measure and even harder to predict. Quality is one area where predictive capability has been successfully applied. Although high quality code is not necessarily secure, poor quality code cannot be secure; therefore, some minimum level of quality software may be considered necessary to achieve secure code. There is general agreement that good quality is an essential condition for software with security requirements; however, the level of necessary quality is an open question. A connection between quality flaws and security flaws has been observed. Research indicates that 1-5% of defects will end up as vulnerabilities.
Advanced software quality management models now exist that are capable of economically producing software that is an order of magnitude higher quality than current critical systems. These projects indicate early efforts to address safety and security with good operational results.
Our research is determining how software quality models can be specialized for security to increase confidence that software can be sufficiently secure and function as intended. We postulate that quality results below a "to be determined" quality threshold provide sufficient evidence that improves confidence for security and results above that threshold provide evidence that operational security would be uncertain.
November 1, 2014 • Video
In this video, Carol Woody discusses software assurance, which is implementing software with confidence that it functions as intended and is free of vulnerabilities.watch
March 31, 2014 • Special Report
In this report, the authors describe a cybersecurity risk management (CSRM) strategy that alert originators can use throughout WEA adoption, operations, and sustainment, as well as a set of governance activities for developing a plan to execute the CSRM.read
November 29, 2013 • Technical Note
In this report, the authors describe the current state of the practice and emerging trends in software assurance measurement.read
January 1, 2013 • Book Chapter
In this book chapter, the authors present a measurement model with seven principles that capture the fundamental managerial and technical concerns of development and sustainment.read
February 1, 2012 • Technical Note
In this report, the authors present the concepts of a risk-based approach to software security measurement and analysis and describe the IMAF and MRD.read
Preview of the Mission Assurance Analysis Protocol (MAAP): Assessing Risk and Opportunity in Complex Environments
July 1, 2008 • Technical Note
In this 2008 document, the authors preview a core set of activities and outputs that define a MAAP assessment.read
Eliciting and Analyzing Quality Requirements: Management Influences on Software Quality Requirements
March 1, 2005 • Technical Note
By Carol Woody
In this 2005 report, Carol Woody documents how environments for system development can support or reject improved quality requirements elicitation mechanisms.read