Cybersecurity Engineering Research: Cybersecurity Quality Metrics Collection
• Collection
Publisher
Software Engineering Institute
Topic or Tag
Abstract
Security is difficult to measure and even harder to predict. Quality is one area where predictive capability has been successfully applied. Although high quality code is not necessarily secure, poor quality code cannot be secure; therefore, some minimum level of quality software may be considered necessary to achieve secure code. There is general agreement that good quality is an essential condition for software with security requirements; however, the level of necessary quality is an open question. A connection between quality flaws and security flaws has been observed. Research indicates that 1-5% of defects will end up as vulnerabilities.
Advanced software quality management models now exist that are capable of economically producing software that is an order of magnitude higher quality than current critical systems. These projects indicate early efforts to address safety and security with good operational results.
Our research is determining how software quality models can be specialized for security to increase confidence that software can be sufficiently secure and function as intended. We postulate that quality results below a "to be determined" quality threshold provide sufficient evidence that improves confidence for security and results above that threshold provide evidence that operational security would be uncertain.
Collection Items
Software Assurance Engineering—Integrating Assurance into System and Software Engineering
• Video
By Carol Woody
In this video, Carol Woody discusses software assurance, which is implementing software with confidence that it functions as intended and is free of vulnerabilities.
Watch
Wireless Emergency Alerts (WEA) Cybersecurity Risk Management Strategy for Alert Originators
• Special Report
By The WEA Project Team
In this report, the authors describe a cybersecurity risk management (CSRM) strategy that alert originators can use throughout WEA adoption, operations, and sustainment, as well as a set of governance …
Read
Software Assurance Measurement – State of the Practice
• Technical Note
By Dan Shoemaker (University of Detroit Mercy), Nancy R. Mead
In this report, the authors describe the current state of the practice and emerging trends in software assurance measurement.
Read
Principles and Measurement Models for Software Assurance
• Book Chapter
By Nancy R. Mead, Dan Shoemaker (University of Detroit Mercy), Carol Woody
In this book chapter, the authors present a measurement model with seven principles that capture the fundamental managerial and technical concerns of development and sustainment.
Read
Risk-Based Measurement and Analysis: Application to Software Security
• Technical Note
By Christopher J. Alberts, Julia H. Allen, Robert W. Stoddard
In this report, the authors present the concepts of a risk-based approach to software security measurement and analysis and describe the IMAF and MRD.
Read
Mission Risk Diagnostic (MRD) Method Description
• Technical Note
By Christopher J. Alberts, Audrey J. Dorofee
In this report, the authors describe the Mission Risk Diagnostic (MRD) method, which is used to assess risk in systems across the lifecycle and supply chain.
Read
Preview of the Mission Assurance Analysis Protocol (MAAP): Assessing Risk and Opportunity in Complex Environments
• Technical Note
By Christopher J. Alberts, Audrey J. Dorofee, Lisa Marino
In this 2008 document, the authors preview a core set of activities and outputs that define a MAAP assessment.
Read
Eliciting and Analyzing Quality Requirements: Management Influences on Software Quality Requirements
• Technical Note
By Carol Woody
In this 2005 report, Carol Woody documents how environments for system development can support or reject improved quality requirements elicitation mechanisms.
ReadPart of a Collection
Cybersecurity Engineering Research Collection