Integrated Measurement and Analysis Framework for Software Security
• Technical Note
Publisher
Software Engineering Institute
CMU/SEI Report Number
CMU/SEI-2010-TN-025DOI (Digital Object Identifier)
10.1184/R1/6574565.v1Subjects
Abstract
In today’s business and operational environments, multiple organizations routinely work collaboratively to acquire, develop, deploy, and maintain technical capabilities via a set of interdependent, networked systems. Measurement in these distributed management environments can be an extremely challenging problem. The CERT Program, part of Carnegie Mellon University's Software Engineering Institute (SEI), is developing the Integrated Measurement and Analysis Framework (IMAF) to enable effective measurement in distributed environments, including acquisition programs, supply chains, and systems of systems. The IMAF defines an approach that integrates subjective and objective data from multiple sources (targeted analysis, reports, and tactical measurement) and provides decision makers with a consolidated view of current conditions. This report is the first in a series that addresses how to measure software security in complex environments. It poses several research questions and hypotheses and presents a foundational set of measurement concepts. It also describes how meaningful measures provide the information that decision makers need when they need it and in the right form. Finally, this report provides a conceptual overview of the IMAF, describes methods for qualitatively and quantitatively collecting data to inform the framework, and suggests how to use the IMAF to derive meaningful measures for analyzing software security performance.
Related Links
Deriving Software Security Measures from Information Security Standards of Practice
Risk-Based Measurement and Analysis: Application to Software Security
Part of a Collection
Cybersecurity Engineering Research: Software Assurance Measurement and Analysis Collection
Cite This Technical Note
Alberts, C., Allen, J., & Stoddard, R. (2010, September 1). Integrated Measurement and Analysis Framework for Software Security. (Technical Note CMU/SEI-2010-TN-025). Retrieved April 19, 2024, from https://doi.org/10.1184/R1/6574565.v1.
@techreport{alberts_2010,
author={Alberts, Christopher and Allen, Julia and Stoddard, Robert},
title={Integrated Measurement and Analysis Framework for Software Security},
month={Sep},
year={2010},
number={CMU/SEI-2010-TN-025},
howpublished={Carnegie Mellon University, Software Engineering Institute's Digital Library},
url={https://doi.org/10.1184/R1/6574565.v1},
note={Accessed: 2024-Apr-19}
}
Alberts, Christopher, Julia Allen, and Robert Stoddard. "Integrated Measurement and Analysis Framework for Software Security." (CMU/SEI-2010-TN-025). Carnegie Mellon University, Software Engineering Institute's Digital Library. Software Engineering Institute, September 1, 2010. https://doi.org/10.1184/R1/6574565.v1.
C. Alberts, J. Allen, and R. Stoddard, "Integrated Measurement and Analysis Framework for Software Security," Carnegie Mellon University, Software Engineering Institute's Digital Library. Software Engineering Institute, Technical Note CMU/SEI-2010-TN-025, 1-Sep-2010 [Online]. Available: https://doi.org/10.1184/R1/6574565.v1. [Accessed: 19-Apr-2024].
Alberts, Christopher, Julia Allen, and Robert Stoddard. "Integrated Measurement and Analysis Framework for Software Security." (Technical Note CMU/SEI-2010-TN-025). Carnegie Mellon University, Software Engineering Institute's Digital Library, Software Engineering Institute, 1 Sep. 2010. https://doi.org/10.1184/R1/6574565.v1. Accessed 19 Apr. 2024.
Alberts, Christopher; Allen, Julia; & Stoddard, Robert. Integrated Measurement and Analysis Framework for Software Security. CMU/SEI-2010-TN-025. Software Engineering Institute. 2010. https://doi.org/10.1184/R1/6574565.v1