Mapping the Field of Software Security Metrics

While security, or its absence, is a property of running software, many aspects of software requirements, design, implementation, and testing contribute to the presence or absence of security in the finished product. Assessing whether a given piece of software meets a set of security objectives is a multi-dimensional problem, and we do not yet have a clear picture of all of the dimensions. The goal of this research is to support researcher and practitioner use of security measurement by cataloging available metrics, their validation, and the subjects they measure, through a systematic mapping study. Our study began with 1,561 papers and narrowed down to 63 papers reporting on 346 metrics. For each metric, we identify the subject being measured, how the metric has been evaluated by researcher(s), and how the metric is being used. Approximately 85% of security-specific metrics have been proposed and evaluated solely by their authors. Approximately 40% of the metrics are not empirically evaluated, and many artifacts and processes remain unmeasured. Approximately 15% of the metrics focus on the early stages of development, and 1.5% focus on testing. At present, despite the abundance of metrics found in the literature, those available give us an incomplete, disjointed, hazy view of software security.