Security Metrics for Object-Oriented Designs

Several studies have developed metrics for software quality attributes of object-oriented designs such as reusability and functionality. However, metrics which measure the quality attribute of information security have received little attention. Moreover, existing security metrics measure either the system from a high level (i.e. the whole system’s level) or from a low level (i.e. the program code’s level). These approaches make it hard and expensive to discover and fix vulnerabilities caused by software design errors. In this work, we focus on the design of an object-oriented application and define a number of information security metrics derivable from a program’s design artifacts. These metrics allow software designers to discover and fix security vulnerabilities at an early stage, and help compare the potential security of various alternative designs. In particular, we present security metrics based on composition, coupling, extensibility, inheritance, and the design size of a given object-oriented, multi-class program from the point of view of potential information flow.

[1]  SeacordRobert Secure Coding in C and C , 2006, S&P 2006.

[2]  Ray Farmer,et al.  Object-Oriented Systems Analysis and Design Using UML , 2001 .

[3]  Issa Traoré,et al.  Empirical relation between coupling and attackability in software systems:: a case study on DOS , 2006, PLAS '06.

[4]  Gary McGraw,et al.  Software Security: Building Security In , 2006, 2006 17th International Symposium on Software Reliability Engineering.

[5]  Carl G. Davis,et al.  A Hierarchical Model for Object-Oriented Design Quality Assessment , 2002, IEEE Trans. Software Eng..

[6]  Gregory Tassey,et al.  Prepared for what , 2007 .

[7]  Kymie M. C. Tan,et al.  An Approach to Measuring a System's Attack Surface , 2007 .

[8]  Jan Jürjens,et al.  Secure systems development with UML , 2004 .

[9]  Mark Lorenz,et al.  Object-oriented software metrics - a practical guide , 1994 .

[10]  Andrew C. Myers,et al.  Language-based information-flow security , 2003, IEEE J. Sel. Areas Commun..

[11]  Lionel C. Briand,et al.  A Unified Framework for Coupling Measurement in Object-Oriented Systems , 1999, IEEE Trans. Software Eng..

[12]  Gary McGraw,et al.  Securing Java: getting down to business with mobile code , 1999 .

[13]  Geoffrey Smith,et al.  A Sound Type System for Secure Flow Analysis , 1996, J. Comput. Secur..

[14]  Chris F. Kemerer,et al.  A Metrics Suite for Object Oriented Design , 2015, IEEE Trans. Software Eng..

[15]  John G. P. Barnes,et al.  High Integrity Software - The SPARK Approach to Safety and Security , 2003 .

[16]  Katsuhisa Maruyama Secure Refactoring - Improving the Security Level of Existing Code , 2007, ICSOFT.

[17]  Jerome H. Saltzer,et al.  The protection of information in computer systems , 1975, Proc. IEEE.

[18]  Colin J. Fidge,et al.  Security Metrics for Object-Oriented Class Designs , 2009, 2009 Ninth International Conference on Quality Software.

[19]  J.A. Hamilton,et al.  Security in software architecture: a case study , 2004, Proceedings from the Fifth Annual IEEE SMC Information Assurance Workshop, 2004..

[20]  Matt Bishop,et al.  Computer Security: Art and Science , 2002 .

[21]  Mohammad Zulkernine,et al.  Security metrics for source code structures , 2008, SESS '08.

[22]  Ken Frazer,et al.  Building secure software: how to avoid security problems the right way , 2002, SOEN.

[23]  Edward A. Schneider Security architecture-based system design , 1999, NSPW '99.