For several years, the software engineering community has been working to identify practices aimed at developing more secure software. Although some foundational work has been performed, efforts to measure software security assurance have yet to materialize in any substantive fashion. As a result, decision makers (e.g., development program and project managers, acquisition program offices) lack confidence in the security characteristics of their software-reliant systems. The CERT® Program at Carnegie Mellon University's Software Engineering Institute (SEI) has chartered the Software Security Measurement and Analysis (SSMA) Project to advance the state-of-the-practice in software security measurement and analysis. The SSMA Project is exploring how to use risk analysis to direct an organization's software security measurement and analysis efforts. The overarching goal is to develop a risk-based approach for measuring and monitoring the security characteristics of interactively complex software-reliant systems across the life cycle and supply chain. To accomplish this goal, the project team has developed the SEI Integrated Measurement and Analysis Framework (IMAF) and refined the SEI Mission Risk Diagnostic (MRD). This report is an update to the technical note, Integrated Measurement and Analysis Framework for Software Security (CMU/SEI-2010-TN-025), published in September 2010. This report presents the foundational concepts of a risk-based approach for software security measurement and analysis and provides an overview of the IMAF and the MRD.
Related Links
Deriving Software Security Measures from Information Security Standards of Practice
Integrated Measurement and Analysis Framework for Software Security
This report is related to the following area(s) of work:
Security and Survivability
Technical Note
2012-TN-004
February 2012
SEI:
Alberts, Christopher; Allen, Julia; & Stoddard, Robert. Risk-Based Measurement and Analysis: Application to Software Security (2012-TN-004). Software Engineering Institute, Carnegie Mellon University, 2012. http://www.sei.cmu.edu/library/abstracts/reports/12tn004.cfm
IEEE:
C. Alberts, J. Allen, and R. Stoddard, "Risk-Based Measurement and Analysis: Application to Software Security," Software Engineering Institute, Carnegie Mellon University, Pittsburgh, Pennsylvania, Technical Note 2012-TN-004, 2012. http://www.sei.cmu.edu/library/abstracts/reports/12tn004.cfm
APA:
Alberts, C., Allen, J., & Stoddard, R. (2012). Risk-Based Measurement and Analysis: Application to Software Security (2012-TN-004). Retrieved June 19, 2013, from the Software Engineering Institute, Carnegie Mellon University website: http://www.sei.cmu.edu/library/abstracts/reports/12tn004.cfm
CHI:
Alberts, Christopher, Julia Allen, and Robert Stoddard. Risk-Based Measurement and Analysis: Application to Software Security (2012-TN-004). Pittsburgh, PA: Software Engineering Institute, Carnegie Mellon University, 2012. http://www.sei.cmu.edu/library/abstracts/reports/12tn004.cfm
MLA:
Alberts, C., Allen, J., & Stoddard, R. 2012. Risk-Based Measurement and Analysis: Application to Software Security (Technical Report 2012-TN-004). Pittsburgh: Software Engineering Institute, Carnegie Mellon University. http://www.sei.cmu.edu/library/abstracts/reports/12tn004.cfm