research-article

Measuring Software Security from the Design of Software

Authors:

Shohreh Hosseinzadeh,

Sami Hyrynsalmi,

Ville LeppänenAuthors Info & Claims

CompSysTech '17: Proceedings of the 18th International Conference on Computer Systems and Technologies

Pages 179 - 186

https://doi.org/10.1145/3134302.3134334

Published: 23 June 2017 Publication History

Abstract

With the increasing use of mobile phones in contemporary society, more and more networked computers are connected to each other. This has brought along security issues. To solve these issues, both research and development communities are trying to build more secure software. However, there is the question that how the secure software is defined and how the security could be measured. In this paper, we study this problem by studying what kinds of security measurement tools (i.e. metrics) are available, and what these tools and metrics reveal about the security of software. As the result of the study, we noticed that security verification activities fall into two main categories, evaluation and assurance. There exist 34 metrics for measuring the security, from which 29 are assurance metrics and 5 are evaluation metrics. Evaluating and studying these metrics, lead us to the conclusion that the general quality of the security metrics are not in a satisfying level that could be suitably used in daily engineering work flows. They have both theoretical and practical issues that require further research, and need to be improved.

References

[1]

MITRE Corporation, "Common Weakness Enumeration (CWE)". https://cwe.mitre.org/about/index.html. Accessed: 2017-03-29.

[2]

Commission of the European Communities Directorate XIIl/F SOG-IS, "Information Technology Security Evaluation Criteria (ITSEC)", 1991.

[3]

ISO/IEC, "Information security management - Measurement (ISO/IEC 27004:2009)", 2009.

[4]

Common Criteria Recognition Arrangement, "Common Criteria for Information Technology Security Evaluation, versio 3.1 release 4", 2012.

[5]

ISO/IEC, "Systems Security Engineering - Capability Maturity Model (ISO/IEC 21827:2008)", 2014. Accessed: 2017-03-29.

[6]

FIRSTOrg Inc., "Common Vulnerability Scoring System, version 3.0", 2015.

[7]

Almorsy, M., Grundy, J., and Ibrahim, A. S. Automated software architecture security risk analysis using formalized signatures. In Proc. of 2013 International Conference on Software Engineering (2013), ICSE '13, IEEE Press, pp. 662--671.

Digital Library

[8]

Alshammari, B., Fidge, C., and Corney, D. Security metrics for object-oriented class designs. In Proc. 9th Int'l Conf. on Quality Software (2009), pp. 11--20.

Digital Library

[9]

Alshammari, B., Fidge, C., and Corney, D. Security metrics for object-oriented designs. In Proc. 21st Australian Software Engineering Conf. (2010), pp. 55--64.

Digital Library

[10]

Alshammari, B., Fidge, C., and Corney, D. A hierarchical security assessment model for object-oriented programs. In Proc. 11th Int'l Conf. on Quality Software (2011), pp. 218--227.

Digital Library

[11]

Alshammari, B. M. Quality metrics for assessing security-critical computer programs. PhD thesis, Queensland University of Technology, 2011.

[12]

Anderson, R. Security engineering. Second edition, Wiley, 2008.

Digital Library

[13]

Berger, B. J., Sohr, K., and Koschke, R. Extracting and analyzing the implemented security architecture of business applications. In 2013 17th European Conference on Software Maintenance and Reengineering (March 2013), pp. 285--294.

Digital Library

[14]

Carvalho, P. V. Mapping the software errors and effects analysis method to iso26262 requirements for software architecture analysis. In IEEE Int'l Symp. on Software Reliability Engineering Workshops (2014), pp. 136--137.

Digital Library

[15]

Chandra, S., Khan, R. A., and Agrawal, A. Security estimation framework: Design phase perspective. In 2009 Sixth International Conference on Information Technology: New Generations (April 2009), pp. 254--259.

Digital Library

[16]

Chew, E., Swanson, M., Stine, K., Bartol, N., Brown, A., and Robinson, W. Performance Measurement Guide for Information Security (NIST 800-55), 2008.

Digital Library

[17]

Chowdhury, I., Chan, B., and Zulkernine, M. Security metrics for source code structures. In Proceedings of the Fourth International Workshop on Software Engineering for Secure Systems (New York, NY, USA, 2008), SESS '08, ACM, pp. 57--64.

Digital Library

[18]

Deng, Y., Wang, J., and Tsai, J. J. P. Formal analysis of software security system architectures. In Proc. 5th Int'l Symp. on Autonomous Decentralized Systems (2001), pp. 426--434.

Digital Library

[19]

Du, C., Li, X., Shi, H., Hu, J., Feng, R., and Feng, Z. Architecture security evaluation method based on security of the components. In 2013 20th Asia-Pacific Software Engineering Conference (APSEC) (Dec 2013), vol. 1, pp. 523--528.

Digital Library

[20]

Ferraiolo, K. National Information Systems Security Conference. http://csrc.nist.gov/nissc/2000/proceedings/papers/916slide.pdf. Accessed 2017-03-29.

[21]

Fragola, J., and Spahn, J. The software error effects analysis; a qualitative design tool. In Proc. IEEE Symp. on Computer Software Reliability (1973), pp. 90--93.

[22]

Gegick, M. C. Predicting attack-prone components with source code static analyzers. PhD thesis, North Carolina State University, 2009.

Digital Library

[23]

Halkidis, S. T., Tsantalis, N., Chatzigeorgiou, A., and Stephanides, G. Architectural risk analysis of software systems based on security patterns. IEEE Transactions on Dependable and Secure Computing 5, 3 (July 2008), 129--142.

Digital Library

[24]

Heyman, T. A formal analysis technique for secure software architectures. PhD thesis, KU Leuven, 2013.

[25]

Heyman, T., Scandariato, R., Huygens, C., and Joosen, W. Using security patterns to combine security metrics. In 2008 Third International Conference on Availability Reliability and Security (March 2008), pp. 1156--1163.

Digital Library

[26]

Jajodia, S., Ghosh, A. K., Swarup, V., Wang, C., and Wang, X. S. Moving target defense: creating asymmetric uncertainty for cyber threats, vol. 54. Springer Science & Business Media, 2011.

Digital Library

[27]

Jansen, W. US National Institute of Standards and Technology, "Directions in Security Metrics Research (NIST IR 7564)". Diane Publishing, 2009.

[28]

Jaquith, A. Security metrics. Upper Saddle River: Pearson Education Inc., 2007.

[29]

Khan, S. A., and Khan, R. A. Security assessment framework: a complexity perspective. Computer Fraud & Security 2014, 7 (2014), 13--17.

[30]

Lai, S. T. An analyzer-based software security measurement model for enhancing software system security. In 2010 Second World Congress on Software Engineering (Dec 2010), vol. 2, pp. 93--96.

Digital Library

[31]

Latham, D. C. US department of defense, "Trusted computer system evaluation criteria". DoD 5200.28-STD (1986).

[32]

LeMay, E., Kent, K. A., and Mell, P. The Common Misuse Scoring System (CMSS): Metrics for software feature misuse vulnerabilities. NIST, 2012.

[33]

Liu, Y., Traore, I., and Hoole, A. M. A service-oriented framework for quantitative security analysis of software architectures. In 2008 IEEE Asia-Pacific Services Computing Conference (Dec 2008), pp. 1231--1238.

Digital Library

[34]

Lundholm, K., Hallberg, J., and Granlund, H. Design and use of information security metrics. FOI, Swedish Def. Res. Agency p. ISSN (2011), 1650--1942.

[35]

Manadhata, P. K. An Attack Surface Metric. PhD thesis, SEI, 2008.

Digital Library

[36]

Manadhata, P. K., Tan, K. M., Maxion, R. A., and Wing, J. M. An approach to measuring a system's attack surface. Tech. rep., Carnegie Mellon University, 2007.

[37]

McGraw, G. Building security in - software security. IEEE Security & Privacy 2, 2 (Mar 2004), 80--83.

Digital Library

[38]

Mellado, D., Fernández-Medina, E., and Piattini, M. A comparison of software design security metrics. In Proc. 4th European Conference on Software Architecture: Companion Volume (2010), ECSA '10, ACM, pp. 236--242.

Digital Library

[39]

Rodes, B. D., Knight, J. C., and Wasson, K. S. A security metric based on security arguments. In Proceedings of the 5th International Workshop on Emerging Trends in Software Metrics (New York, NY, USA, 2014), WETSoM 2014, ACM, pp. 66--72.

Digital Library

[40]

Sharma, V. S., and Trivedi, K. S. Architecture based analysis of performance, reliability and security of software systems. In Proc. 5th International Workshop on Software and Performance (2005), WOSP '05, ACM, pp. 217--227.

Digital Library

[41]

Shin, Y., Meneely, A., Williams, L., and Osborne, J. A. Evaluating complexity, code churn, and developer activity metrics as indicators of software vulnerabilities. IEEE Transactions on Software Engineering 37, 6 (Nov 2011), 772--787.

Digital Library

[42]

Sohr, K., and Berger, B. Idea: Towards Architecture-Centric Security Analysis of Software. Springer Berlin Heidelberg, Berlin, Heidelberg, 2010, pp. 70--78.

Digital Library

[43]

Sultan, K., En-Nouaary, A., and Hamou-Lhadj, A. Catalog of metrics for assessing security risks of software throughout the software development life cycle. In Int'l Conf. on Information Security and Assurance (isa 2008) (2008), pp. 461---465.

Digital Library

[44]

Wang, J. A., Wang, H., Guo, M., and Xia, M. Security metrics for software systems. In Proc. 47th Annual Southeast Regional Conference (2009), ACM, pp. 47:1--47:6.

Digital Library

[45]

Zalewski, J., Drager, S., Mckeever, W., and Kornecki, A. Can we measure security and how? In Proc. 7th Annual Workshop on Cyber Security and Information Intelligence Research (2011), CSIIRW'11, ACM, pp. 46:1--46:1.

Digital Library

[46]

Zalewski, J., Drager, S., McKeever, W., and Kornecki, A. J. Measuring security: A challenge for the generation. in Position Papers of the 2014 Federated Conference on Computer Science and Information Systems, Warsaw (2014).

Cited By

Kowdeed R(2024)Decision Making on a Software Upgrade or Decommission with Data Mining and Machine Learning Techniques in Information Technology IndustryInternational Journal of Innovative Science and Research Technology (IJISRT)10.38124/ijisrt/IJISRT24MAR2132(2920-2925)Online publication date: 16-Apr-2024
https://doi.org/10.38124/ijisrt/IJISRT24MAR2132

Recommendations

A comparison of software design security metrics
ECSA '10: Proceedings of the Fourth European Conference on Software Architecture: Companion Volume

A lack of security metrics signifies that it is not possible to measure the success of security policies, mechanisms and implementations, and security cannot, in turn, be improved if it cannot be measured. The importance of the use of metrics to obtain ...
First International Workshop on Measurability of Security in Software Architectures -- MeSSa 2010
ECSA '10: Proceedings of the Fourth European Conference on Software Architecture: Companion Volume

The growing complexity of service-centric systems has increased the need for pertinent and reliable software security and trusted system solutions. Systematic approaches to measuring security in software architectures are needed in order to obtain ...
Integrating security activities into the software development life cycle and the software quality assurance process

Security concerns should be an integral part of the entire planning, development, and operation of a computer application. Inadequacies in the design and operation of computer applications are very frequent source of security vulnerabilities associated ...

Comments

Information & Contributors

Information

Published In

cover image ACM Other conferences

CompSysTech '17: Proceedings of the 18th International Conference on Computer Systems and Technologies

June 2017

358 pages

ISBN:9781450352345

DOI:10.1145/3134302

Copyright © 2017 ACM.

Permission to make digital or hard copies of all or part of this work for personal or classroom use is granted without fee provided that copies are not made or distributed for profit or commercial advantage and that copies bear this notice and the full citation on the first page. Copyrights for components of this work owned by others than ACM must be honored. Abstracting with credit is permitted. To copy otherwise, or republish, to post on servers or to redistribute to lists, requires prior specific permission and/or a fee. Request permissions from [email protected]

In-Cooperation

UORB: University of Ruse, Bulgaria
TECHUVB: Technical University of Varna, Bulgaria

Publisher

Association for Computing Machinery

New York, NY, United States

Publication History

Published: 23 June 2017

Permissions

Request permissions for this article.

Request Permissions

Check for updates

Author Tags

Qualifiers

Research-article
Research
Refereed limited

Conference

CompSysTech'17

CompSysTech'17: 18th International Conference on Computer Systems and Technologies

June 23 - 24, 2017

Ruse, Bulgaria

Acceptance Rates

CompSysTech '17 Paper Acceptance Rate 42 of 107 submissions, 39%;

Overall Acceptance Rate 241 of 492 submissions, 49%

Contributors

Other Metrics

View Article Metrics

Bibliometrics & Citations

Bibliometrics

Article Metrics

1
Total Citations
View Citations
139
Total Downloads

Downloads (Last 12 months)1
Downloads (Last 6 weeks)0

Reflects downloads up to 22 Jan 2025

Other Metrics

View Author Metrics

Citations

Cited By

Kowdeed R(2024)Decision Making on a Software Upgrade or Decommission with Data Mining and Machine Learning Techniques in Information Technology IndustryInternational Journal of Innovative Science and Research Technology (IJISRT)10.38124/ijisrt/IJISRT24MAR2132(2920-2925)Online publication date: 16-Apr-2024
https://doi.org/10.38124/ijisrt/IJISRT24MAR2132

View Options

Login options

Check if you have access through your login credentials or your institution to get full access on this article.

Full Access

Get this Publication

View options

PDF

View or Download as a PDF file.

eReader

View online with eReader.

Media

Figures

Other

Tables

View Table of Contents