论文信息 - Assessing security properties of software components: a software engineer's perspective

Assessing security properties of software components: a software engineer's perspective

The paper proposes an assessment scheme for the security properties of software components. The proposed scheme consists of three stages: (i) a system-specific security requirement specification of the enclosing application; (ii) a component-specific security rating; and (iii) an evaluation method for the scored security properties of the candidate component. The assessment scheme ultimately provides a numeric score indicating a relative strength of the security properties of the candidate component. The scheme is partially based on ISO/IEC 15408, the Common Criteria for Information Technology Security Evaluation (CC) and the Multi-Element Component Comparison and Analysis (MECCA) model. The scheme is flexible enough for software engineers to use in order to get a first-hand preliminary assessment of the security posture of candidate components

Khaled M. Khan | Jun Han

[1] Paul Strooper. Proceedings of the 2005 Australian Software Engineering Conference , 2004 .

[2] Michael Howard,et al. Measuring Relative Attack Surfaces , 2005 .

[3] Shirley C. Payne,et al. A Guide to Security Metrics , 2007 .

[4] Cemal Yilmaz,et al. Software Metrics , 2008, Wiley Encyclopedia of Computer Science and Engineering.

[5] Marianne Swanson,et al. Security metrics guide for information technology systems , 2003 .

[6] Khaled M. Khan,et al. Assessment Model for Software Maintenance Tools: A Conceptual Framework , 1997, PACIS.

[7] Khaled M. Khan,et al. A security characterisation framework for trustworthy component based software systems , 2003, Proceedings 27th Annual International Computer Software and Applications Conference. COMPAC 2003.

[8] Paul Clements,et al. Software architecture in practice , 1999, SEI series in software engineering.

[9] Jan Trobitius,et al. Anwendung der "Common Criteria for Information Technology Security Evaluation" (CC) / ISO 15408 auf ein SOA Registry-Repository , 2007, Informatiktage.