|
|
 |
| |
|
|
|
Properties for Security Measures of Software Products |
|
|
|
PP: 129-156 |
|
|
|
Author(s) |
|
|
|
Yanguo Michael Liu,
Issa Traore,
|
|
|
|
Abstract |
|
|
| A large number of attacks on computing systems succeed because of the existence of
software flaws (e.g. buffer overflow, race conditions etc.) that could be fixed through a
careful design process. An effective way of improving the quality of software products
consists of using metrics to guide the development process. The field of software security
metrics however is still in infancy in contrast with the area of traditional software
metrics such as reliability metrics for which several key results have been obtained so
far. We identify in this paper a number of internal software attributes that could be
related to a variety of security qualities. Since theoretical validation is an important
step in the development of any metrics program, we focus in this paper on studying
the measurement properties associated with these internal attributes. The properties,
based on popular security design principles in use in security engineering processes,
can be used to guide the search of software security metrics. We study the feasibility
of our theoretical framework by presenting case studies based on metrics derived from
existing security measurement frameworks, namely the attack surface metrics system
and the privilege graph paradigm. |
|
|
|
|
|
|
|
