Complexity Measures for Secure Service-Oriented Software Architectures

As software attacks become widespread, the ability of a software system to resist malicious attacks has become a key concern in software quality engineering. Software attackability is a concept proposed recently in the research literature to measure the extent to which a software system or service could be the target of successful attacks. Like most external attributes, attackability is to some extent disconnected from the internals of software products. To mitigate software attackability, we need to identify and manipulate related internal software attributes. Our goal in this paper is to study software complexity as one such internal attribute. We apply the User System Interaction Effect (USIE) model, a security measurement abstraction paradigm proposed in previous research, to define and validate a sample metric for service complexity. We thereby establish the usefulness of our sample metric through an empirical investigation using an open source software system as the target application.
